Manage groups

Groups let you assign the same entitlements to multiple users. An admin user can manage groups using the admin console, the Groups API 2.0, the SCIM API 2.0, or a SCIM-enabled identity provider like Google Cloud Identity. This article discusses group management using the Databricks admin console.

Groups tab

Using the admin console, you can:

  • Add groups.
  • Add users to groups and remove them.
  • Add groups to other groups and remove them.
  • Grant and revoke the ability to create clusters for all group members (if cluster access control has been enabled for the workspace).
  • Manage administrator rights by adding users to the admins group or removing them. You can also assign a user to the admins group in the User management interface.

Add a group

  1. Go to the admin console and click the Groups tab.

  2. Click + Create Group.

  3. Enter a group name and click Confirm.

    Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.

Add users and child groups to a group

Note

You cannot add a child group to the admins group.

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, click + Add users or groups.
  4. On the Add users or groups dialog, click the down arrow to display a drop-down list of users and groups, and select the ones you want to add.
  5. Click the down arrow to hide the drop-down list and click Confirm.

Manage a group’s entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. In the following table, each entitlement’s UI and API name is shown.

Entitlement name (UI) Entitlement name (API) Default Description
Workspace access allow-workspace-access Granted by default.

When granted to a user or service principal, they can access the Data Science & Engineering workspace and Databricks Machine Learning.

Can’t be removed from workspace administrators.
Databricks SQL access databricks-sql-access Granted by default. When granted to a user or service principal, they can access Databricks SQL.
Allow cluster creation allow-cluster-create Not granted to users or service principals by default.

When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions.

Can’t be removed from admin users.
allow-instance-pool-create allow-instance-pool-create Can’t be granted to individual users or service principals.

When granted to a group, its members can create instance pools.

Can’t be removed from workspace administrators.

Important

To log in and access Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).

Add or remove an entitlement for a group

  1. Go to the admin console and click the Groups tab.
    1. Select the group you want to update.
    2. On the Entitlements tab, select the entitlement you want to grant to all users in the group.
      • Allow cluster creation: Group members are allowed to create and launch new clusters. You can restrict access to existing clusters using cluster-level permissions.
      • allow-instance-pool-create: Group members are allowed to create new instance pools.
      • Databricks SQL access: Group members are allowed to access Databricks SQL.
    3. To remove an entitlement from a group, deselect it.
    4. On the confirmation dialog, click Confirm.
  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Entitlements tab, select the entitlement you want to grant to all users in the group.
    • Allow cluster creation: Group members are allowed to create and launch new clusters. You can restrict access to existing clusters using cluster-level permissions.
  4. On the confirmation dialog, click Confirm.

View parent groups

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, view the parent groups for your group.

Remove a user or child group

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Members tab, find the user or group you want to remove and click the X in the Actions column.
  4. Click Remove Member to confirm.

The user or child group loses all child group memberships and entitlements granted by virtue of membership in this group. However, they may retain those entitlements by virtue of membership in other groups or user-level grants.

Remove an entitlement

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Entitlements tab, clear the checkbox for the entitlement you want to revoke for all users in the group.
  4. On the confirmation dialog, click Remove.

Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.

Remove a group from its parent group

  1. Go to the admin console and click the Groups tab.
  2. Select the group you want to update.
  3. On the Parents tab, find the parent group you want to secede from and click the X in the Actions column.
  4. On the confirmation dialog, click Remove parent.

All entitlements assigned to the parent group are removed from the members of the group. However they may retain those entitlements by virtue of membership in other groups or user-level grants.