Manage users
This article explains how to add, update, and remove Databricks users.
For an overview of the Databricks identity model, see Databricks identities and roles.
Overview of user management
To manage users in Databricks, you must be either an account admin or a workspace admin.
Account admins can add users to the account and assign them admin roles. They can also assign users to workspaces and configure data access for them across workspaces, as long as those workspaces use identity federation.
Workspace admins can add users to a Databricks workspace, assign them the workspace admin role, and manage access to objects and functionality in the workspace, such as the ability to create clusters or access specified persona-based environments.
Workspace admins are members of the admins group in the workspace, which is a reserved group that cannot be deleted.
Add users to your Databricks account
Account admins can add users to your Databricks account using the account console, a provisioning connector for your IdP, or the SCIM (Account) API.
Note
A user cannot belong to more than 50 Databricks accounts.
Add users to your account using the account console
As an account admin, log in to the account console.
In the sidebar, click User management.
On the Users tab, click Add User.
Enter a name and email address for the user.
Click Send invite.
Databricks sends a confirmation email with a URL to accept the invitation. If the user does not receive the confirmation email within five minutes, ask the user to check their spam folder.
To give users access to a workspace, you must add them to the workspace. See Add users to a workspace.
Sync users to your Databricks account from an identity provider
Account admins can sync users from your identity provider (IdP) to your Databricks account using a SCIM provisioning connector.
Important
If you already have SCIM connectors that sync identities directly to your workspaces and those workspaces are enabled for identity federation, we recommend that you disable those SCIM connectors when the account-level SCIM connector is enabled. If you have workspaces that are not using identity federation, you must continue to use any SCIM connectors you have configured for those workspaces, running in parallel with the account-level SCIM connector.
For instructions, see Provision identities to your Databricks account.
Add users to your account using the SCIM APIs
Account admins can add and manage users in the Databricks account using the Account Groups API.
Workspace admins can also manage users using this API, but they must invoke the API using a different endpoint URL:
Account admins use accounts.gcp.databricks.com/api/2.0/accounts/{account_id}/scim/v2/
Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/
For details, see the Account Groups API.
Assign account admin rights to a user
As an account admin, log in to the account console.
In the sidebar, click User management.
Find and click the username.
On the Roles tab, turn on Account admin.
You can also assign the account admin role using the Account Groups API.
Remove users from your Databricks account
Account admins can delete users from a Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces.
Important
When you remove a user from the account, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. We recommend that you refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:
Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API
Jobs owned by the user will fail
Clusters owned by the user will stop
Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing
To remove a user using the account console, do the following:
As an account admin, log in to the account console.
In the sidebar, click User management.
Find and click the username.
On the User Information tab, click the kebab menu in the upper-right corner and select Delete.
On the confirmation dialog, click Confirm delete.
If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning adds the user back the next time it syncs. See Sync users and groups from your identity provider.
To remove a user from a Databricks account using SCIM APIs, you must be an account admin. See Provision identities to your Databricks account and the Account Groups API.
Add users to a workspace
Account admins can add users to identity-federated workspaces using the account console and the Workspace Assignment API.
Workspace admins can manage users in their workspace using the workspace admin settings page, Workspace Assignment API (if the workspace is enabled for identity federation), and workspace-level SCIM APIs.
Note
To enable Google ID authentication for workspace REST APIs, you can add a Google service account email address as a user for the workspace. See Authentication with Google ID tokens. The Google service account address cannot be used to log in to the web application. Adding a service account as a user is different from adding it as a Databricks service principal. If you add a Google service account email address as a user for the workspace, Databricks will not send the invite notification email.
Assign a user to a workspace using the account console
To add users to a workspace using the account console, the workspace must be enabled for identity federation.
As an account admin, log in to the account console.
In the sidebar, click Workspaces.
On the Permissions tab, click Add permissions.
Search for and select the user, assign the permission level (workspace User or Admin), and click Save.
Assign a user to a workspace using the workspace admin settings page
Workspace admins can add and manage users using the workspace admin settings page.
To add a user to a workspace using the workspace admin settings page, do the following:
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Admin Settings.
On the Users tab, click Add User.
Select an existing user to assign to the workspace or create a new one.
To create a new user, click the drop-down arrow in the search box and then click + Add new user.
Click Add.
Databricks sends a confirmation email. If the user does not receive the confirmation email within five minutes, ask the user to check their spam folder.
After you add a user, you see the list of users and their entitlements:

Note
If your workspace is not enabled for identity federation, you cannot assign existing account users to your workspace.
Assign a user to a workspace using REST APIs
The REST APIs that you can use to assign users to workspaces depend on whether the workspace is enabled for identity federation as follows:
Workspace enabled for identity federation: Account and workspace admins can use the Workspace Assignment API to assign users to workspaces. See Workspace Assignment API.
Workspace not enabled for identity federation: A workspace admin can use the workspace-level SCIM APIs to assign users and other identities to their workspaces. See workspace-level SCIM (Users) section in the API Explorer.
Remove a user from a workspace
Workspace admins can remove users in their workspace by using the workspace admin settings page and the workspace-level SCIM APIs.
Remove a user from a workspace using the account console
To remove users from a workspace using the account console, the workspace must be enabled for identity federation.
As an account admin or a workspace admin for the workspace, log in to the account console.
In the sidebar, click Workspaces.
On the Permissions tab, find the user.
Click the kebab menu at the far right of the user row and select Remove.
On the confirmation dialog, click Remove.
Remove a user from a workspace using the workspace admin settings
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Admin Settings.
On the Users tab, find the user and click the
at the far right of the user row.
Click Delete to confirm.
Remove a user from a workspace using REST APIs
The REST APIs that you can use to remove users from workspaces depend on whether the workspace is enabled for identity federation:
Workspace enabled for identity federation: Account and workspace admins can use the Workspace Assignment API to remove users from workspaces. See Workspace Assignment API.
Workspace not enabled for identity federation: A workspace admin can use the workspace-level SCIM APIs to remove users from their workspaces. See workspace-level SCIM (Users) section in the API Explorer.
Assign the workspace admin role to a user
You can assign the workspace admin role using the account console, workspace admin settings page, REST APIs, or provisioning connector from your IdP.
Assign the workspace admin role to a user using the account console
To assign the workspace admin role using the account console, the workspace must be enabled for identity federation.
As an account admin, log in to the account console.
In the sidebar, click Workspaces.
On the Permissions tab, find the user.
Click the kebab menu at the far right of the user row and select Edit.
Under Role, choose Admin.
Click Save.
To remove the admin role from a workspace user, perform the same steps, but choose User under Role.
Assign the workspace admin role to a user using the workspace admin settings page
To assign the workspace admin role using the workspace admin settings page, do the following:
As a workspace admin, log in to the Databricks workspace.
Click your username in the top bar of the Databricks workspace and select Admin Settings.
On the Users tab, find the user and select the Admin checkbox.
To remove the admin role from a workspace user, perform the same steps, but clear the Admin checkbox.
Assign the workspace admin role to a user using the REST APIs
The REST APIs that you can use to assign the workspace admin role depend on whether the workspace is enabled for identity federation as follows:
Workspace enabled for identity federation: An account admin can use the account-level Workspace Assignment API to assign or remove the workspace admin role. Either an account admin or workspace admin can use the workspace-level Workspace Assignment API to perform this task. See the Workspace Assignment API reference.
Workspace not enabled for identity federation: A workspace admin can use the workspace-level SCIM (Groups) REST API to assign a user to the admin group or remove them from the group.
Assign the workspace admin role to a user using a SCIM provisioning connector
Because workspace admins are members of the Databricks admins group, you can manage the workspace admin role the same way you manage any group provisioning using a SCIM provisioning connector from your IdP. All group members in the IdP group that syncs to the Databricks admins group will be provisioned to Databricks as workspace admins.
Assign entitlements to a user
An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property name that you use to manage each one. You can use the workspace admin settings page and workspace-level SCIM REST APIs to manage entitlements.
Entitlement name (UI) | Entitlement name (API) | Default | Description |
---|---|---|---|
Workspace access | | Granted by default. | When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Machine Learning persona-based environments. Can’t be removed from workspace admins. |
Databricks SQL access | | Granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
Allow unrestricted cluster creation | | Not granted to users or service principals by default. | When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from workspace admins. |
Allow pool creation (not available via UI) | | Can’t be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can’t be removed from workspace admins. |
New users have the Workspace access and Databricks SQL access entitlements by default.
Important
To log in and access Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).
The Workspace access entitlement gives the user access to the Data Science & Engineering workspace and to Databricks Machine Learning. The user inherits this entitlement as a member of the users group, which has the entitlement. To assign this entitlement on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users on the Users tab.
For information about the Databricks SQL access entitlement, see Step 2: Grant access to Databricks SQL.
If cluster access control is enabled, and you don’t select the Allow unrestricted cluster creation checkbox, the user is added without the cluster creation entitlement.
If you reactivate a user who previously existed in the workspace, the user’s previous entitlements are restored.
Add or remove an entitlement for a user using the workspace admin settings page
As a workspace admin, do the following:
Click your username in the top bar of the Databricks workspace and select Admin Settings.
Go to the row for the user.
To add an entitlement, select the checkbox in the corresponding column.
To remove an entitlement, deselect the checkbox in the corresponding column.
Note
Admin is not an entitlement. The Admin checkbox is a convenient way to add the user to the admins group.
To add an entitlement explicitly, you can select its corresponding checkbox. If an entitlement is inherited from a group, the entitlement checkbox is selected but greyed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.
The allow-instance-pool-create entitlement can’t be granted directly to a user. Instead, you can grant the entitlement to a group and add the user to that group.
You can also add or remove an entitlement for a group.
Add or remove an entitlement for a user using the SCIM REST APIs
You can add entitlements when you create or update (via PATCH or PUT) a user using the workspace-level SCIM (Users) REST API. For example, this API call adds the allow-cluster-create entitlement to the specified user.
curl --netrc -X PATCH \
  https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
  --header 'Content-type: application/scim+json' \
  --data @update-user.json \
  | jq .
update-user.json:
{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": [
        {
          "value": "allow-cluster-create"
        }
      ]
    }
  ]
}
For details, see the workspace-level SCIM (Users) REST API reference.
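The following added example (not part of the original Databricks documentation) generates the update-user.json body for the PATCH call above from a user's current and desired directly assigned entitlements, and refuses to grant allow-instance-pool-create to a user because this page says it can only be granted to a group. The function names and the sample user are hypothetical, and the shape of the "remove" operation is an assumption that mirrors the "add" operation shown above; confirm it against the SCIM (Users) API reference.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Per this page, pool creation can be granted to a group only, never to a user.
GROUP_ONLY = {"allow-instance-pool-create"}


def entitlements_of(scim_user):
    """Extract entitlement names from a SCIM user resource (key may be absent)."""
    return [e["value"] for e in scim_user.get("entitlements", [])]


def plan_entitlement_patch(current, desired):
    """Return a SCIM PatchOp body that moves a user from `current` to `desired`
    directly assigned entitlements, or None when nothing needs to change."""
    current, desired = set(current), set(desired)
    blocked = (desired - current) & GROUP_ONLY
    if blocked:
        raise ValueError(f"grant through a group instead: {sorted(blocked)}")
    ops = []
    # "remove" reuses the "add" shape from the page (assumption, see lead-in).
    for op, names in (("add", desired - current), ("remove", current - desired)):
        if names:
            ops.append({
                "op": op,
                "path": "entitlements",
                "value": [{"value": name} for name in sorted(names)],
            })
    if not ops:
        return None
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


# Constructed sample of a SCIM user resource, not real API output.
SAMPLE_USER = {
    "id": "1234567890",
    "userName": "analyst@example.com",
    "entitlements": [{"value": "allow-cluster-create"}],
}

if __name__ == "__main__":
    # Least-privilege review outcome: this user should no longer create clusters.
    body = plan_entitlement_patch(entitlements_of(SAMPLE_USER), [])
    print(json.dumps(body, indent=2))  # save as update-user.json for the curl call
```

Entitlements that a user inherits from a group are not changed by a user-level patch; as described earlier on this page, remove the user from the group or remove the entitlement from the group.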