Manage users

This article explains how to add, update, and remove Databricks users.

For an overview of the Databricks identity model, see Databricks identities and roles.

To learn how to manage groups, see Manage groups.

Overview of user management

There are three types of users:

  • Workspace users who perform data science, data engineering, and data analysis tasks in that workspace.

  • Workspace admins who can manage workspace users and their access to objects in the workspace.

    Workspace admins are members of the admins group.

  • Account admins who manage account-level configurations like workspace creation, network and storage configuration, audit logging, billing, and assignment of other account admins. The account owner is the user who initially set up the account. They add the first account admins.

Add users to your Databricks account

Account admins can add other account admins to your Databricks account using the account console.

Note

A user cannot belong to more than 50 Databricks accounts.

Add users to your account using the account console

To add a user to the account using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click User management.

  3. On the Users tab, click Add User.

  4. Enter a name and email address for the user.

  5. Click Send invite.

To give users access to a workspace, you must add them to the workspace. See Add users to a workspace.

Remove account admins from your Databricks account

Account admins can delete users from a Databricks account. Workspace admins cannot.

To remove a user using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click User management.

  3. Find and click the username.

  4. On the User Information tab, click the kebab menu at the far upper right and select Delete.

  5. On the confirmation dialog, click Confirm delete.

Add users to a workspace

A workspace admin can manage user accounts using the Databricks admin console, the SCIM API 2.0, or a SCIM-enabled identity provider like Okta or Azure Active Directory.

You can use the Users tab on the admin console to:

  • Add and remove users.

  • Grant and revoke membership in the admins group.

  • Manage a user’s entitlements:

    • Grant and revoke access to the Data Science & Engineering workspace and Databricks SQL entitlements.

    • Grant and revoke the ability to create clusters (if cluster access control has been enabled for the workspace).

You can also add users to groups. See Manage groups.

Add a user to a workspace using the workspace admin console

  1. As a workspace admin, log in to the Databricks workspace.

  2. Use the sidebar persona-switcher to select Data Science & Engineering.

  3. Click Settings and select Admin Console.

  4. On the Users tab, click Add User.

  5. Enter the user email ID.

  6. Click Send invite.

    Databricks sends a confirmation email with a URL to accept the invitation. If the user does not receive the confirmation email within five minutes, ask the user to check their spam folder.

    The user will see a Sign In With Google login screen with the prompt “Choose an account to continue to Databricks”. The user must select the email address that matches the invited email address.

Add a user to a workspace using REST APIs

A workspace admin can use the workspace-level SCIM REST APIs to add users and other identities to their workspaces. See SCIM API 2.0.

Remove a user from a workspace

Workspace admins can remove users in their workspace by using the following:

  • The workspace admin console

  • Provisioning connectors for identity providers (IdPs)

  • The workspace-level SCIM APIs

Remove a user from a workspace using the admin console

  1. As a workspace admin, log in to the Databricks workspace.

  2. Use the sidebar persona-switcher to select Data Science & Engineering.

  3. Go to the admin console.

  4. On the Users tab, find the user and click the remove user icon at the far right of the user row.

  5. Click Delete to confirm.

Remove a user from a workspace using REST APIs

A workspace admin can use the workspace-level SCIM REST APIs to remove users from their workspaces. See SCIM API 2.0.

Assign the workspace admin role to a user

You can assign the workspace admin role using the workspace admin console or REST APIs.

Assign the workspace admin role to a user using the workspace admin console

To assign the workspace admin role using the workspace admin console, do the following:

  1. As a workspace admin, log in to the Databricks workspace.

  2. Use the sidebar persona-switcher to select Data Science & Engineering.

  3. Go to the admin console.

  4. On the Users tab, find the user and select the Admin checkbox.

To remove the admin role from a workspace user, perform the same steps, but clear the Admin checkbox.

Assign the workspace admin role to a user using the REST APIs

A workspace admin can use the SCIM (Groups) REST API to assign a user to the admin group or remove them from the group.

Assign entitlements to a user

An entitlement is a property that allows a user or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property name that you use to manage each one. You can use the workspace admin console and workspace-level SCIM REST APIs to manage entitlements.

| Entitlement name (UI) | Entitlement name (API) | Default | Description |
|---|---|---|---|
| Workspace access | workspace-access | Granted by default. | When granted to a user, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments. Can’t be removed from workspace admins. |
| Databricks SQL access | databricks-sql-access | Granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow unrestricted cluster creation | allow-cluster-create | Not granted to users by default. | When granted to a user, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from workspace admins. |
| Allow pool creation (not available via UI) | allow-instance-pool-create | Can’t be granted to individual users. | When granted to a group, its members can create instance pools. Can’t be removed from workspace admins. |

New users have the Workspace access and Databricks SQL access entitlements by default.

Important

To log in and access Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).

The Workspace access entitlement gives the user access to the Data Science & Engineering workspace and to Databricks Machine Learning. The user inherits this entitlement as a member of the users group, which has the entitlement. To assign this entitlement on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users on the Users tab.

For information about the Databricks SQL access entitlement, see Manage users and groups.

If cluster access control is enabled, and you don’t select the Allow unrestricted cluster creation checkbox, the user is added without the cluster creation entitlement.

If you reactivate a user who previously existed in the workspace, the user’s previous entitlements are restored.

Add or remove an entitlement for a user using the workspace admin console

As a workspace admin, do the following:

  1. Use the sidebar persona-switcher to select Data Science & Engineering.

  2. Go to the admin console.

  3. Go to the row for the user.

  4. To add an entitlement, select the checkbox in the corresponding column.

  5. To remove an entitlement, deselect the checkbox in the corresponding column.

Note

Admin is not an entitlement. The Admin checkbox is a convenient way to add the user to the admins group.

To add an entitlement explicitly, you can select its corresponding checkbox. If an entitlement is inherited from a group, the entitlement checkbox is selected but greyed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.

The allow-instance-pool-create entitlement can’t be granted directly to a user. Instead, you can grant the entitlement to a group and add the user to that group.

You can also add or remove an entitlement for a group.

Add or remove an entitlement for a user using the SCIM REST APIs

You can add entitlements when you create or update (via PATCH or PUT) a user using the workspace-level SCIM (Users) REST API. For example, this API call adds the allow-cluster-create entitlement to the specified user.

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": [
        {
          "value": "allow-cluster-create"
        }
      ]
    }
  ]
}

For details, see the workspace-level SCIM (Users) REST API reference.
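The following added example (not part of the Databricks documentation) applies the inheritance rules described above for an access review: it resolves each user's effective entitlements to their sources (direct or group) and lists what must change before a revocation takes effect. The sample users, the group-to-entitlements map, and the function names are constructed for illustration, and the field names assume SCIM-style user resources with userName, entitlements and groups.

```python
# Constructed sample data shaped like SCIM User resources, plus a group -> entitlements map.
GROUPS = {"users": ["workspace-access", "databricks-sql-access"], "etl": ["allow-cluster-create"]}
USERS = [
    {"userName": "ana@example.com", "entitlements": [],
     "groups": [{"display": "users"}, {"display": "admins"}]},
    {"userName": "ben@example.com", "entitlements": [{"value": "allow-cluster-create"}],
     "groups": [{"display": "users"}, {"display": "etl"}]},
    {"userName": "cy@example.com", "entitlements": [], "groups": []},
]
LOGIN = {"workspace-access", "databricks-sql-access"}
# Per the entitlement table, these can't be removed from workspace admins.
ADMIN_LOCKED = ["allow-cluster-create", "allow-instance-pool-create", "workspace-access"]

def is_admin(user):
    return any(g["display"] == "admins" for g in user.get("groups", []))

def sources(user, groups=GROUPS):
    """Map each effective entitlement to its sources: 'direct' or 'group:<name>'."""
    out = {}
    for ent in user.get("entitlements", []):
        out.setdefault(ent["value"], []).append("direct")
    for name in (g["display"] for g in user.get("groups", [])):
        # Assumption: members of admins implicitly hold the locked entitlements.
        for value in (ADMIN_LOCKED if name == "admins" else groups.get(name, [])):
            out.setdefault(value, []).append("group:" + name)
    return out

def revoke_plan(user, entitlement, groups=GROUPS):
    """List every change needed before the user actually loses the entitlement."""
    if is_admin(user) and entitlement in ADMIN_LOCKED:
        return ["blocked: user is a workspace admin"]
    return ["remove entitlement from user" if s == "direct"
            else "remove user from %s or remove entitlement from that group" % s[6:]
            for s in sources(user, groups).get(entitlement, [])]

def audit(users=USERS, groups=GROUPS):
    """Return (userName, finding) pairs for a periodic access review."""
    findings = []
    for u in users:
        eff = sources(u, groups)
        if is_admin(u):
            findings.append((u["userName"], "workspace admin"))
        if "allow-cluster-create" in eff:
            findings.append((u["userName"], "cluster create via " + ", ".join(eff["allow-cluster-create"])))
        if LOGIN.isdisjoint(eff):
            findings.append((u["userName"], "no login entitlement"))
    return findings

if __name__ == "__main__":
    print(*audit(), sep="\n")
```

Removing only the direct entitlement from ben@example.com would leave cluster creation in place through the etl group, which is why the plan lists both changes.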