Access control overview

In Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.

Securable object                     Access control system
Workspace-level securable objects    Access control lists
Account-level securable objects      Account role based access control
Data securable objects               Unity Catalog, Hive metastore table access control

Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.

Note

Access control requires the Premium plan.

Access control lists

In Databricks, you can use access control lists (ACLs) to configure permission to access workspace objects (folders, notebooks, experiments, and models), clusters, pools, jobs, Delta Live Tables pipelines, alerts, dashboards, queries, and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists.
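The following is an added example, not code from the Databricks documentation. It shows the shape of a workspace ACL as returned by the Permissions API (GET /api/2.0/permissions/{object_type}/{object_id}) and audits it, as a workspace admin would, for privileged levels granted directly to broad groups such as the built-in `users` group. The sample response, the group name `all-employees`, and the choice of `CAN_ATTACH_TO` as the replacement level for a cluster are assumptions made for this example.

```python
"""Audit a Databricks workspace ACL for over-broad grants.

Operates on the JSON shape returned by the Permissions API
(GET /api/2.0/permissions/{object_type}/{object_id}). The sample
response below is constructed for this example, not captured from a workspace.
"""
import json

# Groups that effectively mean "everyone in the workspace". `users` is the
# built-in group every workspace user belongs to; `all-employees` is a
# hypothetical organisation-wide group used here as an assumption.
BROAD_PRINCIPALS = {"users", "all-employees"}

# Permission levels that let the holder change the object or its ACL. Which
# levels exist depends on the object type; these are the ones this audit
# treats as privileged.
PRIVILEGED_LEVELS = {"CAN_MANAGE", "IS_OWNER", "CAN_EDIT", "CAN_MANAGE_RUN"}

SAMPLE_ACL = json.dumps({  # constructed sample, not a real API response
    "object_id": "/clusters/0123-456789-example",
    "object_type": "cluster",
    "access_control_list": [
        {"group_name": "users",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"user_name": "alice@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"group_name": "data-engineers",
         "all_permissions": [{"permission_level": "CAN_RESTART", "inherited": False}]},
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/clusters/"]}]},
    ],
})


def principal_of(entry):
    """Return (kind, name) for an ACL entry; each entry carries exactly one of these keys."""
    for key in ("user_name", "group_name", "service_principal_name"):
        if key in entry:
            return key, entry[key]
    raise ValueError(f"ACL entry without a principal: {entry}")


def find_broad_grants(acl_json):
    """Return findings for privileged permission levels granted to broad groups.

    Each finding records whether the grant is inherited: an inherited grant (for
    example the admins group's CAN_MANAGE on every cluster) comes from the parent
    object and must be changed there rather than on this object.
    """
    acl = json.loads(acl_json)
    findings = []
    for entry in acl["access_control_list"]:
        kind, name = principal_of(entry)
        if kind != "group_name" or name not in BROAD_PRINCIPALS:
            continue
        for perm in entry.get("all_permissions", []):
            level = perm["permission_level"]
            if level in PRIVILEGED_LEVELS:
                findings.append({
                    "object": acl["object_id"],
                    "principal": name,
                    "level": level,
                    "inherited": perm.get("inherited", False),
                })
    return findings


def remediation_request(finding, replacement_level="CAN_ATTACH_TO"):
    """Build the body for PATCH /api/2.0/permissions/{object_type}/{object_id}.

    PATCH updates the listed principals without replacing the rest of the ACL
    (PUT replaces it), so only the offending group is named. The replacement
    level is an assumption that fits clusters; other object types use other levels.
    """
    return {"access_control_list": [
        {"group_name": finding["principal"], "permission_level": replacement_level}
    ]}


if __name__ == "__main__":
    for f in find_broad_grants(SAMPLE_ACL):
        print(f"{f['object']}: group '{f['principal']}' has {f['level']} "
              f"(inherited={f['inherited']})")
        print("  remediation body:", json.dumps(remediation_request(f)))
```

Running the script against the constructed sample reports the single direct `CAN_MANAGE` grant to `users`; the individual user's grant and the inherited grant to `admins` are left alone, since the first is scoped to one principal and the second has to be addressed on the parent object.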

If you’re new to Databricks, and want an example of how to map typical personas to workspace-level permissions, see the Proposal for Getting Started With Databricks Groups and Permissions.

Note

Access control settings are disabled by default on workspaces that are upgraded from the Standard plan to the Premium plan. Once an access control setting is enabled, it cannot be disabled. For more information, see Access control lists can be enabled on upgraded workspaces.

Follow these articles for more information on access control lists on specific workspace-level objects:

Account role based access control

You can use account role based access control to configure permission to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.

Follow these articles for more information on account roles on specific account-level objects:

Data governance

Databricks provides centralized governance for data and AI with Unity Catalog and Delta Sharing.

  • Unity Catalog is a fine-grained governance solution for data and AI on the Databricks lakehouse. It helps simplify security and governance of your data by providing a central place to administer and audit data access.

  • Delta Sharing is an open protocol developed by Databricks for secure data sharing with other organizations, or with other teams within your organization, regardless of which computing platforms they use.

  • Databricks Marketplace is an open forum for exchanging data products using Delta Sharing.

For best practices on Databricks data governance, see Unity Catalog best practices.

Databricks admin roles

In addition to access control on securable objects, there are built-in roles on the Databricks platform. Users, service principals, and groups can be assigned roles.

There are two main levels of admin privileges available on the Databricks platform:

  • Account admins: Manage the Databricks account, including workspace creation, user management, cloud resources, and account usage monitoring.

  • Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.

Additionally, users can be assigned these feature-specific admin roles, which have narrower sets of privileges:

  • Marketplace admins: Manage their account’s Databricks Marketplace provider profile, including creating and managing Marketplace listings.

  • Metastore admins: Manage privileges and ownership for all securable objects within a Unity Catalog metastore, such as who can create catalogs or query a table.

Users can also be assigned as workspace users. A workspace user can log in to a workspace, where they can be granted workspace-level permissions.

For more information, see Assigning admin roles.

Workspace entitlements

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Workspace admins assign entitlements to users, service principals, and groups at the workspace level. For more information, see Assigning entitlements.