Provision users and groups using SCIM


This feature is in Public Preview.

Databricks supports SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning. SCIM lets you use an identity provider (IdP) to create users in Databricks and give them the proper level of access and remove access (deprovision them) when they leave your organization or no longer need access to Databricks. You can also invoke the SCIM API 2.0 directly to manage provisioning. Some user management, like temporary deactivation and reactivation, can only be performed using the SCIM API.


To use SCIM:

  • Your Databricks account must have the Databricks Premium Plan.

  • You must be a Databricks administrator to configure identity providers to provision users to Databricks or to invoke the Databricks SCIM API directly.

  • You can have a maximum of 10,000 users and 5,000 groups in a workspace.


When you use SCIM provisioning, user and group attributes stored in your IdP can override changes you make using the Databricks Admin Console and Groups API 2.0. For example, if a user is assigned the Allow Cluster Creation entitlement in your IdP and you remove that entitlement using the Users tab on the Databricks Admin Console, the user will be re-granted that entitlement the next time the IdP syncs with Databricks, if the IdP is configured to provision that entitlement. The same behavior applies to groups.

If you configure Google Cloud Identity to federate with an external IdP, that IdP may have built-in SCIM integrations.

Note that if you use Google Cloud Identity as your only IdP (you do not configure it to federate with an external IdP), there is no built-in SCIM integration.

Customers can also directly invoke the Databricks SCIM REST API directly to manage provisioning.

To learn how to use the Databricks SCIM API, see SCIM API 2.0.