Manage users, groups, and service principals

This article introduces the Databricks identity management model and provides an overview of how to manage users and groups in Databricks.

Databricks identities and roles

There are two types of Databricks identity:

  • Users: User identities recognized by Databricks and represented by email addresses.

  • Groups: A collection of identities used by admins to manage group access to workspaces, data, and other securable objects. Users and groups can be assigned as members of groups.

There are three roles defined in Databricks: account admin, workspace admin, and workspace user.

  • Account admins can manage account configurations like workspace creation, network and storage configuration, audit logging, billing, and assignment of other account admins. The account owner is the user who initially set up the account. They add the first account admins.

  • Workspace admins can add and manage workspace users and groups, assign the workspace admin role to other workspace users, manage cluster policies, and manage workspace user access to objects in the workspace.

  • Workspace users perform data science, data engineering, and data analysis tasks in workspaces.

Account admins can manage other account admins using the account console. Workspace admins can add and manage users and their access to workspace objects using the workspace admin console, a connector to an identity provider (IdP), or the workspace-level user management REST APIs.

Adding, updating, and removing identities

As a workspace admin, you can add, view, update, and remove users and groups using the Databricks admin console and the SCIM and Groups APIs. You can also use single sign-on (SSO) with Google Identity.
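
Because groups can be members of other groups, a review of who holds an admin group's access has to follow nested membership. The following is an added example, not code from Databricks: it walks a constructed SCIM 2.0 Groups listing and reports every direct and inherited member of one group. The group name `admins`, the `Users/` and `Groups/` prefixes on `$ref`, and all IDs and addresses are assumptions made for the sample.

```python
import json

# Constructed sample shaped like a SCIM 2.0 Groups listing; every ID, group
# name and address is made up. Assumption: "$ref" starts with "Groups/" for
# nested groups and "Users/" for users.
SAMPLE_GROUPS = json.loads("""
{"Resources": [
  {"id": "g1", "displayName": "admins",
   "members": [{"value": "u1", "display": "alice@example.com", "$ref": "Users/u1"},
               {"value": "g2", "display": "platform-team", "$ref": "Groups/g2"}]},
  {"id": "g2", "displayName": "platform-team",
   "members": [{"value": "u2", "display": "bob@example.com", "$ref": "Users/u2"},
               {"value": "g3", "display": "oncall", "$ref": "Groups/g3"}]},
  {"id": "g3", "displayName": "oncall",
   "members": [{"value": "u3", "display": "carol@example.com", "$ref": "Users/u3"},
               {"value": "g2", "display": "platform-team", "$ref": "Groups/g2"}]},
  {"id": "g4", "displayName": "analysts",
   "members": [{"value": "u4", "display": "dave@example.com", "$ref": "Users/u4"}]}
]}
""")


def effective_members(groups, root_name):
    """Map each direct or nested user of root_name to the group path that grants it."""
    by_id = {g["id"]: g for g in groups}
    root = next((g for g in groups if g["displayName"] == root_name), None)
    if root is None:
        return {}
    found, seen = {}, set()
    stack = [(root, [root["displayName"]])]
    while stack:
        group, path = stack.pop()
        if group["id"] in seen:  # guard against a membership cycle in the input
            continue
        seen.add(group["id"])
        for m in group.get("members", []):
            if m.get("$ref", "").startswith("Groups/"):
                child = by_id.get(m["value"])
                if child is not None:
                    stack.append((child, path + [child["displayName"]]))
            else:
                found.setdefault(m["display"], path)
    return found


if __name__ == "__main__":
    for user, path in sorted(effective_members(SAMPLE_GROUPS["Resources"], "admins").items()):
        kind = "direct" if len(path) == 1 else "inherited"
        print(f"{user:20} {kind:9} via {' > '.join(path)}")
```

Members listed as inherited are the ones a check of the group's direct member list alone would miss.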

For details, see: