Manage users

A Databricks admin is a member of the admins group.

A Databricks admin can manage user accounts using the Databricks admin console, the SCIM API 2.0, or a SCIM-enabled identity provider like Okta or Azure Active Directory. This article discusses user management using the admin console.

You can use the Users tab on the admin console to:

  • Add and remove users.
  • Grant and revoke the ability to create clusters (if cluster access control has been enabled for the workspace).
  • Grant and revoke membership in the admins group.

You can also perform the following user management tasks in other parts of the admin console, covered in other articles:

Add a user

  1. Go to the admin console.

  2. On the Users tab, click Add User.

  3. Enter the user email ID.

  4. Click Send invite.

    Databricks sends a confirmation email with a URL to accept the invitation. If the user does not receive the confirmation email within 5 minutes, ask the user to check their spam folder.

    The user will see a Sign In With Google login screen with the prompt “Choose an account to continue to Databricks”. The user must select the email address that matches the invited email address.

The user is added to the workspace.

The Workspace access entitlement gives the user access to the Data Science & Engineering workspace and to Databricks Machine Learning. The user inherits this entitlement as a member of the users group, which has the entitlement. To assign this entitlement on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users on the Users tab.

For more information, see Manage user entitlements.

If cluster access control is enabled, and you don’t select the Allow cluster creation checkbox, the user is added without the cluster creation entitlement.

If the user previously existed in the workspace, the user’s previous entitlements are restored.

Tip

Another way to add users is with an integration with SCIM.

Remove a user

  1. Go to the admin console.
  2. On the Users tab, find the user and click the remove user icon at the far right of the user row.
  3. Click Remove User to confirm.

Manage user entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. In the following table, each entitlement’s UI and API name is shown.

| Entitlement name (UI) | Entitlement name (API) | Default | Description |
|---|---|---|---|
| Workspace access | allow-workspace-access | Granted by default. | When granted to a user or service principal, they can access the Data Science & Engineering workspace and Databricks Machine Learning. Can’t be removed from workspace administrators. |
| Databricks SQL access | databricks-sql-access | Granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow cluster creation | allow-cluster-create | Not granted to users or service principals by default. | When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from admin users. |
| allow-instance-pool-create | allow-instance-pool-create | Can’t be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can’t be removed from workspace administrators. |

Important

To log in and access Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).

Add or remove an entitlement for a user

As a workspace administrator:

  1. Go to the admin console and click the Users tab.
  2. Go to the row for the user.
  3. To add an entitlement, select the checkbox in the corresponding column.
  4. To remove an entitlement, deselect the checkbox in the corresponding column.

Note

Admin is not an entitlement. The Admin checkbox is a convenient way to add the user to the admins group.

To add an entitlement explicitly, you can select its corresponding checkbox. If an entitlement is inherited from a group, the entitlement checkbox is selected but greyed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.

The allow-instance-pool-create entitlement can’t be granted directly to a user. Instead, you can grant the entitlement to a group and add the user to that group.

You can add or remove an entitlement for a group.
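
The entitlement rules above (inheritance from groups, the login requirement, the group-only allow-instance-pool-create entitlement, and the entitlements that can’t be removed from admins) can be checked mechanically during an access review. The following Python is an added example, not part of the original article or of Databricks tooling; the record layout, sample users and groups, and function names are constructed assumptions.

```python
# Added example: audit effective entitlements (direct + inherited from groups).
LOGIN = {"allow-workspace-access", "databricks-sql-access"}
GROUP_ONLY = {"allow-instance-pool-create"}  # can't be granted to a user directly
# Entitlements the table says can't be removed from workspace admins.
ADMIN_FIXED = {"allow-workspace-access", "allow-cluster-create",
               "allow-instance-pool-create"}

# Constructed sample data; this layout is an assumption, not an API response.
GROUPS = {
    "users": {"allow-workspace-access", "databricks-sql-access"},
    "admins": set(),
    "pool-builders": {"allow-instance-pool-create"},
}
USERS = [
    {"email": "ana@example.com", "groups": ["users", "admins"], "direct": set()},
    {"email": "bo@example.com", "groups": ["users", "pool-builders"],
     "direct": {"allow-cluster-create"}},
    {"email": "cy@example.com", "groups": [], "direct": set()},
    {"email": "di@example.com", "groups": [],
     "direct": {"databricks-sql-access", "allow-instance-pool-create"}},
]

def effective(user, groups):
    """Map each entitlement the user holds to the sorted list of its sources."""
    sources = {}
    for ent in user["direct"]:
        sources.setdefault(ent, set()).add("direct")
    for name in user["groups"]:
        inherited = set(groups.get(name, ()))
        if name == "admins":
            inherited |= ADMIN_FIXED
        for ent in inherited:
            sources.setdefault(ent, set()).add(f"group:{name}")
    return {ent: sorted(src) for ent, src in sources.items()}

def audit(users, groups):
    """Return (email, finding) pairs for an access review."""
    findings = []
    for user in users:
        eff = effective(user, groups)
        if LOGIN.isdisjoint(eff):
            findings.append((user["email"], "cannot log in: no login entitlement"))
        for ent in sorted(GROUP_ONLY & user["direct"]):
            findings.append((user["email"], f"{ent} set directly; grant via a group"))
        if "allow-cluster-create" in eff and "admins" not in user["groups"]:
            via = ", ".join(eff["allow-cluster-create"])
            findings.append((user["email"], f"non-admin can create clusters via {via}"))
    return findings
```

The source list for each entitlement shows whether removing it means clearing the user’s own checkbox or changing a group, which mirrors the greyed-out checkbox behavior described above.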