This feature is in Public Preview.
This article describes how to configure your identity provider (IdP) and Databricks to provision users and groups to Databricks using SCIM (System for Cross-domain Identity Management), an open standard that allows you to automate user provisioning.
SCIM lets you use an identity provider (IdP) to create users in Databricks, give them the proper level of access, and remove access (deprovision them) when they leave your organization or no longer need access to Databricks.
You can use a SCIM provisioning connector in your IdP or invoke the SCIM APIs to manage provisioning. You can also use these APIs to manage identities in Databricks directly, without an IdP. If you configure Google Cloud Identity to federate with an external IdP, that IdP may have built-in SCIM integrations.
Note that if you use Google Cloud Identity as your only IdP (you do not configure it to federate with an external IdP), there is no built-in SCIM integration.
Databricks workspace admins can also invoke the Databricks SCIM REST API directly to manage provisioning. To learn how to use the Databricks SCIM API to provision users and groups to a workspace, see SCIM API 2.0.
Your Databricks account must have the Databricks Premium Plan.
To provision users to a Databricks workspace using SCIM (including the SCIM REST APIs), you must be a Databricks workspace admin.
You can have a maximum of 10,000 combined users and service principals and 5000 groups in an account. Each workspace can have a maximum of 10,000 combined users and service principals and 5000 groups.
When you use SCIM provisioning, user and group attributes stored in your IdP can override changes you make using the Databricks admin console and the SCIM (Groups) API.
For example, if a user is assigned the Allow Cluster Creation entitlement in your IdP and you remove that entitlement using the Databricks Admin Console, the user will be re-granted that entitlement the next time the IdP syncs with Databricks, if the IdP is configured to provision that entitlement. The same behavior applies to groups.
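The override behavior described above can be checked before the next sync. The following is an added example, not Databricks or IdP code: it compares the entitlements assigned in the IdP with those currently set in the workspace and lists local removals that a sync would undo. The user records are constructed sample data, the function names are hypothetical, and `allow-cluster-create` is assumed to be the API value for the Allow Cluster Creation entitlement.

```python
# Added example. The user records are constructed sample data shaped like
# SCIM 2.0 User resources; they are not output from a real IdP or workspace.
IDP_USERS = [
    {"userName": "Ana@example.com",
     "entitlements": [{"value": "allow-cluster-create"}]},
    {"userName": "bo@example.com", "entitlements": []},
    {"userName": "new.hire@example.com",
     "entitlements": [{"value": "allow-cluster-create"}]},
]
WORKSPACE_USERS = [
    # Admin removed Allow Cluster Creation from Ana in the admin console.
    {"userName": "ana@example.com", "entitlements": []},
    {"userName": "bo@example.com", "entitlements": []},
]


def entitlements(user):
    """Entitlement values on a SCIM User resource, as a set."""
    return {e["value"] for e in user.get("entitlements") or []}


def key(user):
    # SCIM userName is case-insensitive (RFC 7643), so compare lowercased.
    return user["userName"].lower()


def pending_regrants(idp_users, workspace_users, idp_provisions_entitlements=True):
    """Return {userName: [entitlements]} that the next IdP sync would grant
    again even though they are currently absent in the workspace."""
    if not idp_provisions_entitlements:
        return {}  # IdP does not push this attribute; local removal persists
    current = {key(u): entitlements(u) for u in workspace_users}
    regrants = {}
    for user in idp_users:
        name = key(user)
        if name not in current:
            continue  # not in the workspace yet: a creation, not an override
        missing = entitlements(user) - current[name]
        if missing:
            regrants[name] = sorted(missing)
    return regrants


if __name__ == "__main__":
    for name, values in pending_regrants(IDP_USERS, WORKSPACE_USERS).items():
        print(f"{name}: removal will not persist for {', '.join(values)}")
```

For any user this reports, the entitlement must also be removed in the IdP for the revocation to persist.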