Manage users, service principals, and groups

This article introduces the Databricks identity management model and provides an overview of how to manage users, groups, and service principals in Databricks.

Databricks identities and roles

There are three types of Databricks identity:

  • Users: User identities recognized by Databricks and represented by email addresses.

  • Service principals: Identities for use with jobs, automated tools, and systems such as scripts, apps, and CI/CD platforms.

  • Groups: A collection of identities used by admins to manage group access to workspaces, data, and other securable objects. All Databricks identities can be assigned as members of groups.

There are four roles defined in Databricks:

  • Account admins can manage account configurations like workspace creation, network and storage configuration, audit logging, billing, and assignment of other account admins. The account owner is the user who initially set up the account. They add the first account admins.

  • Workspace admins can add and manage workspace users and groups, assign workspace admin role to other workspace users, manage cluster policies, and manage workspace user access to objects in the workspace.

  • Account users can use the account console to view and connect to their workspaces. Account and workspace admins can add users to the account.

  • Workspace users perform data science, data engineering, and data analysis tasks in workspaces.

Adding, updating, and removing identities

Account admins can manage users, service principals, and groups using the account console, a connector to your identity provider, or the SCIM (Account) REST API. Workspace admins can add and manage users, service principals, and groups and their access to workspace objects using the workspace admin console, a connector to an IdP provider, or workspace-level user management REST APIs.

For detailed instructions, see:

How does Databricks sync users between workspaces and the account?

Starting in September 2022 and rolling out over several weeks, all existing workspace users and service principals will be synced automatically to your account as account-level users and service principals. If the workspace user shares a username (email address) with an account-level user or admin that already exists, those users are merged.

Once the initial sync has taken place, Databricks will continue to sync users and service principals to the account whenever you add them to a workspace.

Important

If an account admin removes a user or service principal at the account level, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. You should refrain from deleting account-level users or service principals unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API.

  • Jobs owned by the user will fail.

  • Clusters owned by the user will stop.

  • Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing.

Special considerations for groups

While users created at the workspace level are automatically synchronized to the account, groups created at the workspace level are not. Instead, Databricks has the concept of account groups and workspace-local groups, with special behaviors:

  • Account groups can be created only by account admins.

  • Workspace-local groups can be created only by workspace admins.

For more information on groups, see Manage groups.

Assigning admin roles

Account admins can assign other users as account admins. Both account admins and workspace admins can assign other users as workspace admins. The workspace admin role is determined by membership in the workspace admins group, which is a default group in Databricks and cannot be deleted.

See: