Manage groups

This article explains how admins create and manage Databricks groups. For an overview of the Databricks identity model, see Databricks identities and roles.

Overview of group management

Groups simplify identity management by making it easier to assign access to workspaces, data, and other securable objects. All Databricks identities can be assigned as members of groups.

Difference between account groups and workspace-local groups

While users and service principals created at the workspace level are automatically synchronized to the account, groups created at the workspace level are not. Instead, Databricks has the concept of account groups and workspace-local groups.

  • Account groups can only be created by account admins using the account-level interfaces.

  • Workspace-local groups can be created only by workspace admins using workspace-level interfaces.

Account admins can manage groups using the following interfaces:

Workspace admins can manage groups in their workspace using the following interfaces:

Add groups to your account

As an account admin, you can add groups to your Databricks account using the account console, a provisioning connector for your identity provider, or the SCIM (Account) API.

Add groups to your account using the account console

To add a group to the account using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click Account Console user management icon User management.

  3. On the Groups tab, click Add group.

  4. Enter a name for the group.

  5. Click Confirm.

  6. When prompted, add users, service principals, and groups to the group.

Add users, service principals, and groups to an existing group using the account console

To add users, service principals, and groups to an existing group using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click Account Console user management icon User management.

  3. On the Groups tab, select the group you want to update.

  4. Click Add members.

  5. Search for the user, group, or service principal you want to add and select it.

  6. Click Add.

Sync groups to your Databricks account from an identity provider

You can sync groups from your identity provider (IdP) to your Databricks account using a SCIM provisioning connector. For instructions, see Provision identities to your Databricks account.

Add groups to your account using the SCIM APIs

Account admins can add and manage groups in the Databricks account using the SCIM API for Accounts.

Workspace admins can’t add groups using this API, but they can list and view groups. To do this, they must invoke the API using a different endpoint URL:

  • Account admins use accounts.gcp.databricks.com/api/2.0/accounts/{account_id}/scim/v2/.

  • Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/.

Workspace admins cannot create groups using the SCIM API for Accounts.

To add a group using the SCIM APIs, account admins do the following:

  1. Use the SCIM API 2.0 (Accounts) to determine whether the group already exists.

  2. If the group does not exist, create the group using the same API.

  3. Add members to the group using the same API.

For details, see SCIM API 2.0 (Accounts).

Assign the account admin role to a group

You cannot assign the account admin role to a group using the account console, but you can assign it to groups using the SCIM API for Accounts. See SCIM API 2.0 (Accounts).

Remove groups from your Databricks account

Account admins can remove groups from a Databricks account. Workspace admins cannot.

Important

When you remove a group, all users in that group are deleted from the account and lose access to any workspaces they had access to, unless they are members of another group or have been directly granted access to the account or any workspaces. You should refrain from deleting account-level groups unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API

  • Jobs owned by the user will fail

  • Clusters owned by the user will stop

  • Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing

To remove a group using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click Account Console user management icon User management.

  3. On the Groups tab, find the group you want to remove.

  4. Click the Kebab menu kebab menu at the far right of the user row and select Delete.

  5. In the confirmation dialog box, click Confirm delete.

If you remove a group using the account console, you must ensure that you also remove the group using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning will simply add the group and its members back the next time it syncs. See Sync users and groups from your identity provider.

To remove a group from a Databricks account using SCIM APIs, see Provision identities to your Databricks account and SCIM API 2.0 (Accounts).

Manage workspace-local groups

Workspace admins can add and manage workspace-local groups using the workspace admin console, IdP provisioning connectors, and REST APIs.

Add a workspace-local group to a workspace using the admin console

Workspace admins can add and manage workspace-local groups using the workspace admin console.

You can use the workspace admin console to do the following:

  • Add and remove workspace-local groups.

  • Grant and revoke membership in workspace-local groups, including the admins group.

  • Manage a group’s entitlements as follows:

    • Grant and revoke access to the Data Science & Engineering workspace and Databricks SQL entitlements.

    • Grant and revoke the ability to create clusters (if cluster access control has been enabled for the workspace).

To add a workspace-local group to a workspace using the admin console, do the following:

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. On the Groups tab, click Add Group.

  4. Enter a group name and click Confirm.

    Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.

Add users, service principals, and groups to a workspace-local group using the admin console

Note

You cannot add a child group to the admins group.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. On the Groups tab, select the group you want to update.

  4. On the Members tab, click Add users, groups, or service principals.

  5. On the dialog, browse or search for the users, service principals, and groups you want to add and select them.

  6. Click Confirm.

    You might need to click the down arrow in the selector to hide the drop-down list and show the Confirm button.

Remove a user, group, or service principal from a workspace-local group

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. Select the group you want to update.

  4. On the Members tab, find the user, group, or service principal you want to remove and click the X in the Actions column.

  5. Click Remove Member to confirm.

The user, group, or service principal loses all child group memberships and entitlements granted by virtue of membership in this group. However, the identity might retain those entitlements by virtue of membership in other groups or user-level grants.

Note

You can also remove a child workspace-local group from its parent workspace-local group by going to the Parents tab for the group you want to remove. Find the parent group you want to remove the child workspace-local group from and click the X in the Actions column.

All entitlements assigned to the parent group are removed from the members of the group. However, they might retain those entitlements by virtue of membership in other groups or user-level grants.

View parent workspace-local groups

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. Click the Groups tab and select the group you want to view.

  4. On the Parents tab, view the parent groups for your group.

Manage a group’s workspace entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property name that you use to manage each one. You can use the workspace admin console and workspace-level SCIM REST APIs to manage entitlements.

Entitlement name (UI)

Entitlement name (API)

Default

Description

Workspace access

workspace-access

Granted by default.

When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments.

Can’t be removed from workspace admins.

Databricks SQL access

databricks-sql-access

Granted by default.

When granted to a user or service principal, they can access Databricks SQL.

Allow unrestricted cluster creation

allow-cluster-create

Not granted to users or service principals by default.

When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions.

Can’t be removed from workspace admins.

Allow pool creation (not available via UI)

allow-instance-pool-create

Can’t be granted to individual users or service principals.

When granted to a group, its members can create instance pools.

Can’t be removed from workspace admins.

You manage group entitlements at the workspace level, regardless of whether the group was created in the account or is workspace-local.

Add an entitlement for a group using the admin console

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console..

  3. On the Groups tab, select the group you want to update.

  4. On the Entitlements tab, select the entitlement you want to grant to all users in the group.

Remove an entitlement for a group using the admin console

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console..

  3. On the Groups tab, select the group you want to update.

  4. On the Entitlements tab, clear the checkbox for the entitlement you want to revoke for all users in the group.

  5. On the confirmation dialog, click Remove.

Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.