Manage users

This article explains how to add, update, and remove Databricks users.

For an overview of the Databricks identity model, see Databricks identities and roles.

To learn how to manage groups, see Manage groups.

Overview of user management

There are four types of users:

  • Workspace users who perform data science, data engineering, and data analysis tasks in that workspace.

  • Workspace admins who can manage workspace users and their access to objects in the workspace.

    Workspace admins are members of the admins group.

  • Account admins who manage account-level configurations like workspace creation, network and storage configuration, audit logging, billing, and assignment of other account admins. The account owner is the user who initially set up the account. They add the first account admins.

  • Account users can use the account console to view and connect to their workspaces. Account and workspace admins can add users to the account.

Add users to your Databricks account

Account admins can add users to your Databricks account using the account console, a provisioning connector for your IdP, or the SCIM (Account) API.

Note

A user cannot belong to more than 50 Databricks accounts.

Add users to your account using the account console

To add a user to the account using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click your username in the top bar of the account console and select User management.

  3. On the Users tab, click Add User.

  4. Enter a name and email address for the user.

  5. Click Send invite.

To give users access to a workspace, you must add them to the workspace. See Add users to a workspace.

Sync users to your Databricks account from an identity provider

Account admins can sync users from your identity provider (IdP) to your Databricks account using a SCIM provisioning connector.

For instructions, see Provision identities to your Databricks account.

Add users to your account using the SCIM APIs

Account admins can add and manage other account admins in the Databricks account using the SCIM API for Accounts.

To add a user using the SCIM APIs, do the following:

  1. Use the SCIM API 2.0 (Accounts) to determine whether the user already exists.

  2. If the user does not exist, create the user using the same API.
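
The two-step procedure above as an added Python example (not Databricks code): look the user up by `userName` with a SCIM filter, and create only when nothing matches, so repeated runs do not create duplicates. `scim_base`, the `send` transport and the in-memory `FakeScim` are assumptions that let the logic run offline; the filter syntax and user schema are standard SCIM 2.0.

```python
import json
from urllib.parse import quote, urlsplit, parse_qs

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def lookup_url(scim_base, email):
    # SCIM filter values are JSON strings (RFC 7644), so json.dumps() supplies
    # the quoting and escaping; the whole filter is then URL-encoded.
    flt = "userName eq " + json.dumps(email)
    return f"{scim_base}/Users?filter=" + quote(flt, safe="")

def ensure_user(scim_base, email, send):
    """Step 1: look the user up. Step 2: create only when no match exists.
    send(method, url, body) is a hypothetical transport returning parsed JSON."""
    found = send("GET", lookup_url(scim_base, email), None)
    for res in found.get("Resources", []):
        if res.get("userName", "").lower() == email.lower():
            return res["id"], False          # already provisioned, nothing to do
    created = send("POST", f"{scim_base}/Users",
                   {"schemas": [USER_SCHEMA], "userName": email})
    return created["id"], True

class FakeScim:
    """Constructed in-memory stand-in for the SCIM endpoint, for offline runs."""
    def __init__(self):
        self.users, self.calls = [], []

    def __call__(self, method, url, body):
        self.calls.append(method)
        if method == "GET":
            flt = parse_qs(urlsplit(url).query)["filter"][0]
            hits = [u for u in self.users
                    if flt == "userName eq " + json.dumps(u["userName"])]
            return {"totalResults": len(hits), "Resources": hits}
        user = dict(body, id=str(len(self.users) + 1))
        self.users.append(user)
        return user

def demo():
    # Placeholder base URL (assumption); substitute the SCIM base for your account.
    scim, base = FakeScim(), "https://scim.example.invalid/scim/v2"
    first = ensure_user(base, "new.hire@example.com", scim)
    second = ensure_user(base, "new.hire@example.com", scim)  # repeat is a no-op
    return first, second, scim.calls

if __name__ == "__main__":
    print(demo())
```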

Assign account admin rights to a user

To assign account admin rights using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click User management.

  3. Find and click the username.

  4. On the Roles tab, turn on Account admin.

You can also assign the account admin role using the SCIM API 2.0 (Accounts).

Remove users from your Databricks account

Account admins can delete users from a Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces.

Important

When you remove a user from the account, that user is also removed from their workspaces. You should refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API

  • Jobs owned by the user will fail

  • Clusters owned by the user will stop

  • Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing

To remove a user using the account console, do the following:

  1. As an account admin, log in to the account console.

  2. Click your username in the top bar of the account console and select User management.

  3. Find and click the username.

  4. On the User Information tab, click the kebab menu at the far upper right and select Delete.

  5. On the confirmation dialog, click Confirm delete.

If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning will simply add the user back the next time it syncs. See Sync users and groups from your identity provider.

To remove a user from a Databricks account using SCIM APIs, you must be an account admin. See Provision identities to your Databricks account and SCIM API 2.0 (Accounts).

Add users to a workspace

A workspace admin can manage user accounts using the Databricks admin console, the SCIM API 2.0, or a SCIM-enabled identity provider like Okta or Azure Active Directory.

You can use the Users tab on the admin console to:

  • Add and remove users.

  • Grant and revoke membership in the admins group.

  • Manage a user’s entitlements:

    • Grant and revoke access to the Data Science & Engineering workspace and Databricks SQL entitlements.

    • Grant and revoke the ability to create clusters (if cluster access control has been enabled for the workspace).

You can also add users to groups. See Manage groups.

Add a user to a workspace using the workspace admin console

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. On the Users tab, click Add User.

  4. Enter the user email ID.

    Note

    To enable Google ID authentication for workspace REST APIs, you can add a Google service account email address as a user for the workspace. See Authenticate to workspace APIs with a Google ID token. The Google service account address cannot be used to log in to the web application. Note that adding a service account as a user is not the same as a Databricks service principal.

  5. Click Send invite.

    Databricks sends a confirmation email with a URL to accept the invitation. If the user does not receive the confirmation email within five minutes, ask the user to check their spam folder.

    The user will see a Sign In With Google login screen with the prompt “Choose an account to continue to Databricks”. The user must select the email address that matches the invited email address.

    Note

    If you added a Google service account email address as a user for the workspace, Databricks does not send the invite notification email.

After you add a user, you see the list of users and their entitlements.

Add a user to a workspace using REST APIs

A workspace admin can use the workspace-level SCIM REST APIs to add users and other identities to their workspaces. See SCIM API 2.0.

Note

To enable Google ID authentication for workspace REST APIs, you can add a Google service account email address as a user for the workspace. See Authenticate to workspace APIs with a Google ID token. The Google service account address cannot be used to log in to the web application. Note that adding a service account as a user is not the same as a Databricks service principal.

Remove a user from a workspace

Workspace admins can remove users in their workspace by using the following:

  • The workspace admin console

  • Provisioning connectors for identity providers (IdPs)

  • The workspace-level SCIM APIs

Remove a user from a workspace using the admin console

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. On the Users tab, find the user and click the remove user icon at the far right of the user row.

  4. Click Delete to confirm.

Remove a user from a workspace using REST APIs

A workspace admin can use the workspace-level SCIM REST APIs to remove users from their workspaces. See SCIM API 2.0.

Assign the workspace admin role to a user

You can assign the workspace admin role using the workspace admin console or REST APIs.

Assign the workspace admin role to a user using the workspace admin console

To assign the workspace admin role using the workspace admin console, do the following:

  1. As a workspace admin, log in to the Databricks workspace.

  2. Click your username in the top bar of the Databricks workspace and select Admin Console.

  3. On the Users tab, find the user and select the Admin checkbox.

To remove the admin role from a workspace user, perform the same steps, but clear the Admin checkbox.

Assign the workspace admin role to a user using the REST APIs

A workspace admin can use the SCIM (Groups) REST API to assign a user to the admins group or remove them from the group.

Assign entitlements to a user

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property name that you use to manage each one. You can use the workspace admin console and workspace-level SCIM REST APIs to manage entitlements.

| Entitlement name (UI) | Entitlement name (API) | Default | Description |
|---|---|---|---|
| Workspace access | workspace-access | Granted by default. | When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments. Can’t be removed from workspace admins. |
| Databricks SQL access | databricks-sql-access | Granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow unrestricted cluster creation | allow-cluster-create | Not granted to users or service principals by default. | When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from workspace admins. |
| Allow pool creation (not available via UI) | allow-instance-pool-create | Can’t be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can’t be removed from workspace admins. |

New users have the Workspace access and Databricks SQL access entitlements by default.

Important

To log in and access Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).

The Workspace access entitlement gives the user access to the Data Science & Engineering workspace and to Databricks Machine Learning. The user inherits this entitlement as a member of the users group, which has the entitlement. To assign this entitlement on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users on the Users tab.

For information about the Databricks SQL access entitlement, see Grant users access to Databricks SQL.

If cluster access control is enabled, and you don’t select the Allow unrestricted cluster creation checkbox, the user is added without the cluster creation entitlement.

If you reactivate a user who previously existed in the workspace, the user’s previous entitlements are restored.

Add or remove an entitlement for a user using the workspace admin console

As a workspace admin, do the following:

  1. Click your username in the top bar of the Databricks workspace and select Admin Console.

  2. Go to the row for the user.

  3. To add an entitlement, select the checkbox in the corresponding column.

  4. To remove an entitlement, deselect the checkbox in the corresponding column.

Note

Admin is not an entitlement. The Admin checkbox is a convenient way to add the user to the admins group.

To add an entitlement explicitly, you can select its corresponding checkbox. If an entitlement is inherited from a group, the entitlement checkbox is selected but greyed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.

The allow-instance-pool-create entitlement can’t be granted directly to a user. Instead, you can grant the entitlement to a group and add the user to that group.

You can also add or remove an entitlement for a group.

Add or remove an entitlement for a user using the SCIM REST APIs

You can add entitlements when you create or update (via PATCH or PUT) a user using the workspace-level SCIM (Users) REST API. For example, this API call adds the allow-cluster-create entitlement to the specified user.

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": [
        {
          "value": "allow-cluster-create"
        }
      ]
    }
  ]
}

For details, see the workspace-level SCIM (Users) REST API reference.
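
An added example (not Databricks code) that applies the entitlement rules on this page to SCIM-shaped user and group records: it resolves each entitlement to a direct grant or the group it is inherited from, then flags non-admins who can create clusters, users with neither login entitlement, and direct grants of allow-instance-pool-create. The records are constructed, and the example assumes a user's `entitlements` attribute lists only direct grants and that group membership is not nested.

```python
LOGIN = {"workspace-access", "databricks-sql-access"}  # one is needed to log in

def vals(*items):                      # SCIM multi-valued attribute shape
    return [{"value": i} for i in items]

def values(resource):
    return {e["value"] for e in resource.get("entitlements", [])}

def effective(user, groups_by_id):
    """Map each entitlement to where it comes from: 'direct' or a group name."""
    sources = {v: ["direct"] for v in values(user)}
    for ref in user.get("groups", []):
        group = groups_by_id[ref["value"]]
        for v in sorted(values(group)):
            sources.setdefault(v, []).append(group["displayName"])
    return sources

def audit(users, groups):
    by_id = {g["id"]: g for g in groups}
    findings = []
    for u in users:
        eff = effective(u, by_id)
        names = {by_id[r["value"]]["displayName"] for r in u.get("groups", [])}
        if LOGIN.isdisjoint(eff):
            findings.append((u["userName"], "cannot-log-in", []))
        # Admins always hold allow-cluster-create, so only non-admins are flagged.
        if "allow-cluster-create" in eff and "admins" not in names:
            findings.append((u["userName"], "cluster-create", eff["allow-cluster-create"]))
        if "allow-instance-pool-create" in values(u):   # valid on groups only
            findings.append((u["userName"], "pool-create-direct", ["direct"]))
    return findings

# Constructed sample data (assumption): the users group has had its entitlements
# removed so that access is assigned user by user, as described above.
GROUPS = [
    {"id": "g1", "displayName": "users", "entitlements": []},
    {"id": "g2", "displayName": "admins",
     "entitlements": vals("workspace-access", "allow-cluster-create")},
    {"id": "g3", "displayName": "etl-builders", "entitlements": vals("allow-cluster-create")},
]
USERS = [
    {"userName": "alice@example.com", "groups": vals("g1", "g2"), "entitlements": []},
    {"userName": "bob@example.com", "groups": vals("g1", "g3"),
     "entitlements": vals("workspace-access")},
    {"userName": "carol@example.com", "groups": vals("g1"),
     "entitlements": vals("workspace-access", "allow-cluster-create")},
    {"userName": "dave@example.com", "groups": vals("g1"), "entitlements": []},
]

if __name__ == "__main__":
    print(*audit(USERS, GROUPS), sep="\n")
```

A finding whose source is a group name is fixed on the group (remove the user from it, or remove the entitlement from it); a `direct` source is fixed on the user record.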