SCIM API 2.0
Preview
This feature is in Public Preview.
This article describes how to use the Databricks SCIM APIs to provision users, service principals, and groups to Databricks.
SCIM, or System for Cross-domain Identity Management, is an open standard that allows you to automate user provisioning. Databricks supports both UI-based SCIM provisioning and provisioning using REST APIs and JSON. The Databricks SCIM API follows version 2.0 of the SCIM protocol.
For UI-based SCIM provisioning setup, see Sync users and groups from your identity provider.
Account-level and workspace-level SCIM
You can configure a SCIM provisioning connector from your identity provider to your Databricks account, using account-level SCIM provisioning, or configure SCIM provisioning connectors to each workspace, using workspace-level SCIM provisioning.
Account-level SCIM provisioning: You can use account-level SCIM provisioning to create, update, and delete users from the account.
Workspace-level SCIM provisioning: You can use workspace-level SCIM provisioning to create, update, and delete users from individual workspaces.
To manage account-level SCIM provisioning using the REST API, see:
To manage workspace-level SCIM provisioning using the REST API, see:
For more information about workspace-level vs account-level SCIM provisioning, see Sync users and groups from your identity provider.
Your Databricks account must have the Databricks Premium Plan.
SCIM 2.0 APIs
A Databricks workspace admin can invoke all workspace-level SCIM API endpoints:
Non-admin users and service principals can invoke the workspace-level Me Get endpoint, the workspace-level Users Get endpoint to display names and IDs, and the workspace-level Group Get endpoint to display group display names and IDs.
Account admins can invoke the account-level SCIM API endpoints:
For error codes, see SCIM API 2.0 Error Codes.
Call workspace-level SCIM APIs
To call workspace-level SCIM APIs, replace <databricks-instance> with the workspace URL of your Databricks deployment.
https://<databricks-instance>/api/2.0/preview/scim/v2/<api-endpoint>
Call account-level SCIM APIs
You must be an account admin to call SCIM API 2.0 (Accounts).
You call the account-level SCIM API on the accounts.gcp.databricks.com domain, not your workspace domain. For example:
https://accounts.gcp.databricks.com/api/2.0/accounts/{account_id}/scim/v2/Users/{user_id}
Header parameters
Parameter | Type | Description |
---|---|---|
Authorization (required) Or: The | | Set to Important! The Databricks admin user who generates this token should not be managed by your identity provider (IdP). A Databricks admin user who is managed by the IdP can be deprovisioned using the IdP, which would cause your SCIM provisioning integration to be disabled. Instead of an |
Content-Type (required for write operations) | | Set to |
Accept (required for read operations) | | Set to |
Filter results
Use filters to return a subset of users or groups. For all users, the user userName and group displayName fields are supported. Admin users can filter users on the active attribute.
Operator | Description | Behavior |
---|---|---|
eq | equals | Attribute and operator values must be identical. |
ne | not equal to | Attribute and operator values are not identical. |
co | contains | Operator value must be a substring of attribute value. |
sw | starts with | Attribute must start with and contain operator value. |
and | logical AND | Match when all expressions evaluate to true. |
or | logical OR | Match when any expression evaluates to true. |
Sort results
Sort results using the sortBy and sortOrder query parameters. The default is to sort by ID.
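The following Python sketch is an added example, not Databricks code. It builds a workspace-level list URL from the filter operators and sort parameters described above, and JSON-escapes string values so that untrusted input cannot close its quotes and append extra clauses to the filter. Assumptions: the filter query parameter name, the ascending and descending values, and the escaping rule come from the SCIM 2.0 specification (RFC 7644); the Users and Groups endpoint names follow SCIM convention; scim_clause, scim_list_url and any hostname passed in are hypothetical.

```python
import json
import re
from urllib.parse import quote, urlencode

# Filterable attributes and comparison operators as listed on this page.
FILTERABLE = {"Users": {"userName", "active"}, "Groups": {"displayName"}}
COMPARISON_OPS = {"eq", "ne", "co", "sw"}
HOSTNAME = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def scim_clause(resource, attribute, op, value):
    """Build one clause, e.g. userName sw "alice", from untrusted input."""
    if attribute not in FILTERABLE.get(resource, ()):
        raise ValueError(f"{attribute!r} is not filterable on {resource!r}")
    if op not in COMPARISON_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    if isinstance(value, bool):
        if op not in ("eq", "ne"):
            raise ValueError("booleans only support eq and ne")
        literal = "true" if value else "false"
    elif isinstance(value, str):
        # RFC 7644 filter strings are JSON strings: json.dumps escapes " and \
        # so the value cannot close the quote and append "or ..." clauses.
        literal = json.dumps(value)
    else:
        raise TypeError("value must be str or bool")
    return f"{attribute} {op} {literal}"


def scim_list_url(instance, resource, clauses, joiner="and",
                  sort_by=None, sort_order=None):
    """Return the workspace-level list URL with filter and sort parameters."""
    # A bare hostname only: the bearer token must not follow a crafted URL.
    if not HOSTNAME.fullmatch(instance):
        raise ValueError("instance must be a bare hostname")
    if resource not in FILTERABLE or joiner not in ("and", "or"):
        raise ValueError("unsupported resource or logical operator")
    params = {}
    if clauses:
        params["filter"] = f" {joiner} ".join(clauses)
    if sort_by is not None:
        params["sortBy"] = sort_by
    if sort_order is not None:
        if sort_order not in ("ascending", "descending"):  # RFC 7644 values
            raise ValueError("sortOrder must be ascending or descending")
        params["sortOrder"] = sort_order
    # Percent-encode every value so spaces and quotes survive transport.
    query = urlencode(params, quote_via=quote)
    return f"https://{instance}/api/2.0/preview/scim/v2/{resource}?{query}"
```

Whether the service honors backslash-escaped quotes inside a filter value is not stated on this page; if it does not, reject values containing a double quote or backslash instead of escaping them.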