Manage users

This article explains how to add, update, and remove Databricks users.

For an overview of the Databricks identity model, see Databricks identities.

To manage access for users, see Authentication and access control.

Overview of user management

To manage users in Databricks, you must be either an account admin or a workspace admin.

  • Account admins can add users to the account and assign them admin roles. They can also assign users to workspaces and configure data access for them across workspaces, as long as those workspaces use identity federation.

  • Workspace admins can add users to a Databricks workspace, assign them the workspace admin role, and manage access to objects and functionality in the workspace, such as the ability to create clusters or access specified persona-based environments. Adding a user to a Databricks workspace also adds them to the account.

    Workspace admins are members of the admins group in the workspace, which is a reserved group that cannot be deleted.

Important

If your account was created after March 6, 2024, identity federation is enabled on all new workspaces by default, and it cannot be disabled.

Sync users to your Databricks account from an identity provider

Account admins can sync users from your identity provider (IdP) to your Databricks account using a SCIM provisioning connector.

Important

If you already have SCIM connectors that sync identities directly to your workspaces, you must disable those SCIM connectors when the account-level SCIM connector is enabled. See Migrate workspace-level SCIM provisioning to the account level.

For instructions, see Provision identities to your Databricks account.

Manage users in your account

Account admins can add users to your Databricks account using the account console. Users in a Databricks account do not have any default access to a workspace, data, or compute resources.

Add users to your account using the account console

  1. As an account admin, log in to the account console.

  2. In the sidebar, click User management.

  3. On the Users tab, click Add User.

  4. Enter a name and email address for the user.

  5. Click Add user.

Note

A user cannot belong to more than 50 Databricks accounts.

To give users access to a workspace, you must add them to the workspace. See Manage users in your workspace.

Assign account admin roles to a user

  1. As an account admin, log in to the account console.

  2. In the sidebar, click User management.

  3. Find and click the username.

  4. On the Roles tab, turn on Account admin or Marketplace admin.

Assign a user to a workspace using the account console

To add users to a workspace using the account console, the workspace must be enabled for identity federation. Workspace admins can also assign users to workspaces using the workspace admin settings page. See Assign a user to a workspace using the workspace admin settings page.

  1. As an account admin, log in to the account console.

  2. In the sidebar, click Workspaces.

  3. Click your workspace name.

  4. On the Permissions tab, click Add permissions.

  5. Search for and select the user, assign the permission level (workspace User or Admin), and click Save.

Remove a user from a workspace using the account console

To remove users from a workspace using the account console, the workspace must be enabled for identity federation. When a user is removed from a workspace, the user can no longer access the workspace, however permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.

  1. As an account admin, log in to the account console

  2. In the sidebar, click Workspaces.

  3. Click your workspace name.

  4. On the Permissions tab, find the user.

  5. Click the Kebab menu kebab menu at the far right of the user row and select Remove.

  6. On the confirmation dialog, click Remove.

Deactivate a user in your Databricks account

Account admins can deactivate users across a Databricks account. A deactivated user cannot login to the Databricks account or workspaces. However, all of the user’s permissions and workspace objects remain unchanged. When a user is deactivated the following is true:

  • The user cannot login to the account or any of their workspaces from any method.

  • Applications or scripts that use the tokens generated by the user can no longer access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.

  • Notebooks owned by the user remain.

  • Clusters owned by the user remain running.

  • Scheduled jobs created by the user have to be assigned to a new owner to prevent them from failing.

When a user is reactivated, they can login to Databricks with the same permissions. Databricks recommends deactivating users from the account instead of removing them because removing a user is a destructive action.

You cannot deactivate a user using the account console. Instead, use the Account Users API. See Deactivate a user in your Databricks account using the API.

Remove users from your Databricks account

Account admins can delete users from a Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces.

Important

When you remove a user from the account, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. We recommend that you refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user can no longer access Databricks APIs

  • Jobs owned by the user fail

  • Clusters owned by the user stop

  • Queries or dashboards created by the user and shared using the Run as Owner credential have to be assigned to a new owner to prevent sharing from failing

When a user is removed from an account, the user can no longer access the account or their workspaces, however permissions are maintained on the user. If the user is later added back to the account, they regain their previous permissions.

To remove a user using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. In the sidebar, click User management.

  3. Find and click the username.

  4. On the User Information tab, click the Kebab menu kebab menu in the upper-right corner and select Delete.

  5. On the confirmation dialog, click Confirm delete.

If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning adds the user back the next time it syncs. See Sync users and groups from your identity provider.

To remove a user from a Databricks account using SCIM APIs, you must be an account admin. See Provision identities to your Databricks account and the Account Groups API.

Manage users in your workspace

Workspace admins can add and manage users using the workspace admin settings page.

Assign a user to a workspace using the workspace admin settings page

To add a user to a workspace using the workspace admin settings page, do the following:

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to Users, click Manage.

  5. Click Add User.

  6. Select an existing user to assign to the workspace or click Add new to create a new user.

  7. Click Add.

    Databricks sends a confirmation email. If the user does not receive the confirmation email within five minutes, ask the user to check their spam folder.

Note

If your workspace is not enabled for identity federation, you only see the option to add a new user to the workspace. If you add a user that shares a username (email address) with an existing account user, those users are merged.

Note

To enable Google ID authentication for workspace REST APIs, you can add a Google service account email address as a user for the workspace. See Authentication with Google ID tokens. The Google service account address cannot be used to log in to the web application. Adding a service account as a user is different from adding it as a Databricks service principal. If you add a Google service account email address as a user for the workspace, Databricks will not send the invite notification email.

Assign the workspace admin role to a user using the workspace admin settings page

To assign the workspace admin role using the workspace admin settings page, do the following:

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to Users, click Manage.

  5. Select the user.

  6. Click the Entitlements tab.

  7. Click the toggle next to Admin access.

To remove the workspace admin role from a workspace user, perform the same steps, but clear the Admin access toggle.

Deactivate a user in your Databricks workspace

Workspace admins can deactivate users in a Databricks workspace. A deactivated user cannot login to the workspace or access it from Databricks APIs, however all of the user’s permissions and workspace objects remain unchanged. When a user is deactivated:

  • The user cannot login to the workspaces from any method.

  • The user’s status shows as Inactive in the workspace admin setting page.

  • Applications or scripts that use the tokens generated by the user can no longer access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.

  • Notebooks owned by the user remain.

  • Clusters owned by the user remain running.

  • Scheduled jobs created by the user have to be assigned to a new owner to prevent them from failing.

When a user is reactivated, they can login to the workspace with the same permissions. Databricks recommends deactivating users instead of removing them because removing a user is a destructive action. You cannot deactivate a user using the workspace admin settings page. Instead, use the Workspace Users API. See Deactivate a user in your Databricks workspace using the API.

Remove a user from a workspace using the workspace admin settings page

When a user is removed from a workspace, the user can no longer access the workspace, however permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Settings.

  3. Click on the Identity and access tab.

  4. Next to Users, click Manage.

  5. Find the user and Kebab menu kebab menu at the far right of the user row and select Remove.

  6. Click Delete to confirm.

Manage users using the API

Account admins and workspace admins can manage users in the Databricks account and workspaces using Databricks APIs.

Manage users in the account using the API

Admins can add and manage users in the Databricks account using the Account Users API. Account admins and workspace admins invoke the API using a different endpoint URL:

  • Account admins use {account-domain}/api/2.0/accounts/{account_id}/scim/v2/.

  • Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/.

For details, see the Account Users API.

Deactivate a user in your Databricks account using the API

Account admins can change a users status to deactivate the user using the Account Users API. For example:

curl --netrc -X PATCH \
https://${DATABRICKS_HOST}/api/2.0/accounts/{account_id}/scim/v2/Users/{id} \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}

A deactivated user’s status is labeled Inactive in the account console.

When you deactivate a user from the account, that user is also deactivated from their workspaces.

Manage users in the workspace using the API

Account and workspace admins can use the Workspace Assignment API to assign users to workspaces enabled for identity federation. The Workspace Assignment API is supported through the Databricks account and workspaces.

  • Account admins use {account-domain}/api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments.

  • Workspace admins use {workspace-domain}/api/2.0/preview/permissionassignments/principals/{user_id}.

See Workspace Assignment API.

If your workspace is not enabled for identity federation, a workspace admin can use the workspace-level APIs to assign users to their workspaces. See Workspace Users API.

Deactivate a user in your Databricks workspace using the API

Workspace admins can change a users status to deactivate the user using the Workspace Users API. For example:

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}

A deactivated user’s status is labeled Inactive in the workspace admin settings page.