Authentication and access control
This article introduces authentication and access control in Databricks. For information about securing access to your data, see Data governance with Unity Catalog.
Single sign-on using Google Cloud Identity
Single sign-on in the form of Google Cloud Identity (or GSuite) is available in Databricks by default. You use your Google Cloud Identity single sign-on for both the account console and workspaces. You can enable multi-factor authentication via Google Cloud Identity.
Optionally, you can configure your Google Cloud Identity account (or GSuite account) to federate with an external SAML 2.0 Identity Provider (IdP) to verify user credentials. Google Cloud Identity can federate with Microsoft Entra ID, Okta, Ping, and other IdPs. However, Databricks only interacts directly with the Google Identity Platform APIs.
Sync users and groups from your identity provider
You can sync users and groups automatically from your identity provider to your Databricks account using SCIM. SCIM is an open standard that allows you to automate user provisioning. SCIM enables a consistent onboarding and offboarding process. It uses your identity provider to create users and groups in Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Databricks, admins can terminate the user in your identity provider, and that user’s account is also removed from Databricks. This prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from your identity provider.
For more information on how to best configure users and groups in Databricks, see Identity best practices.
Secure API authentication with OAuth
Databricks OAuth provides secure credentials and access for resources and operations at the Databricks workspace level, and supports fine-grained permissions for authorization.
Databricks also supports personal access tokens (PATs), but recommends you use OAuth instead. To monitor and manage PATs, see Monitor and revoke personal access tokens and Manage personal access token permissions.
For more information on authenticating to Databricks automation overall, see Authenticate access to Databricks resources.
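The paragraph above recommends OAuth over personal access tokens and points to monitoring and revoking PATs. The following added example (not Databricks code) shows the kind of check a workspace admin can run over a token inventory: it flags tokens with no expiry, tokens whose lifetime exceeds a policy threshold, and tokens that have already expired and can be cleaned up. The input mimics the shape of the workspace Token Management API's list response; those field names, the 90-day threshold, and the sample records are assumptions constructed for this example.

```python
"""Flag risky personal access tokens from a token inventory.

Added example, not Databricks code. The input mimics the shape returned by
the workspace Token Management API list endpoint; the field names below are
an assumption about that shape, and the sample records are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

MAX_LIFETIME_DAYS = 90          # policy threshold, assumed for this example
NOW_MS = 1_735_689_600_000      # 2025-01-01T00:00:00Z, fixed so the run is reproducible
DAY_MS = 24 * 60 * 60 * 1000

# Constructed sample inventory; times are epoch milliseconds, -1 means "never expires".
SAMPLE_INVENTORY = json.dumps({
    "token_infos": [
        {"token_id": "tok-001", "created_by_username": "alice@example.com",
         "creation_time": NOW_MS - 10 * DAY_MS, "expiry_time": NOW_MS + 20 * DAY_MS,
         "comment": "ci pipeline"},
        {"token_id": "tok-002", "created_by_username": "bob@example.com",
         "creation_time": NOW_MS - 400 * DAY_MS, "expiry_time": -1,
         "comment": "laptop"},
        {"token_id": "tok-003", "created_by_username": "svc-etl",
         "creation_time": NOW_MS - 5 * DAY_MS, "expiry_time": NOW_MS + 365 * DAY_MS,
         "comment": ""},
        {"token_id": "tok-004", "created_by_username": "carol@example.com",
         "creation_time": NOW_MS - 100 * DAY_MS, "expiry_time": NOW_MS - 1 * DAY_MS,
         "comment": "old"},
    ]
})


@dataclass(frozen=True)
class Finding:
    token_id: str
    owner: str
    reason: str


def audit_tokens(inventory_json: str, now_ms: int = NOW_MS,
                 max_lifetime_days: int = MAX_LIFETIME_DAYS) -> list[Finding]:
    """Return one Finding per token that violates the expiry policy."""
    findings: list[Finding] = []
    for tok in json.loads(inventory_json).get("token_infos", []):
        token_id = tok["token_id"]
        owner = tok.get("created_by_username", "<unknown>")
        expiry = tok.get("expiry_time", -1)

        # A token with no expiry keeps working until someone remembers to revoke it.
        if expiry is None or expiry < 0:
            findings.append(Finding(token_id, owner, "no expiry set"))
            continue

        # Already expired: harmless to use, but worth deleting to keep the inventory clean.
        if expiry <= now_ms:
            findings.append(Finding(token_id, owner, "already expired; candidate for cleanup"))
            continue

        # Long-lived tokens widen the window in which a leaked token is useful.
        lifetime_days = (expiry - tok["creation_time"]) / DAY_MS
        if lifetime_days > max_lifetime_days:
            findings.append(Finding(
                token_id, owner,
                f"lifetime {lifetime_days:.0f}d exceeds policy of {max_lifetime_days}d"))
    return findings


def risky_token_ids(inventory_json: str) -> list[str]:
    """Convenience view: just the token ids that need admin attention."""
    return [f.token_id for f in audit_tokens(inventory_json)]


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_INVENTORY):
        print(f"{finding.token_id:8} {finding.owner:20} {finding.reason}")
```

In practice the inventory comes from the token management endpoint described on the linked "Monitor and revoke personal access tokens" page, and each flagged id is then revoked or re-issued with an expiry, or the owner is moved to OAuth as the page recommends.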
Access control overview
In Databricks, there are different access control systems for different securable objects. The table below shows which access control system governs which type of securable object.
Securable object | Access control system
---|---
Workspace-level securable objects | Access control lists
Account-level securable objects | Account role based access control
Data securable objects | Unity Catalog
Databricks also provides admin roles and entitlements that are assigned directly to users, service principals, and groups.
For information about securing data, see Data governance with Unity Catalog.
Access control lists
In Databricks, you can use access control lists (ACLs) to configure permission to access workspace objects such as notebooks and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. For more information on access control lists, see Access control lists.
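As an added example (not Databricks code), the script below audits a single workspace object's ACL for over-broad grants: any permission above read held by the built-in `users` group, which contains every workspace user. It separates direct grants, which can be fixed on the object itself, from inherited grants, which must be fixed on the parent object, and builds a least-privilege replacement ACL for the direct grants. The response shape mirrors the Permissions API's GET response for a notebook; that shape, the ordering of permission levels, and the sample ACL are assumptions made for this example.

```python
"""Audit a workspace object ACL for over-broad direct and inherited grants.

Added example, not Databricks code. The input mirrors the shape of a
Permissions API GET response for a workspace object; that shape, the
permission-level ranking and the sample ACL are assumptions for this example.
"""
import json

# Rank permission levels from least to most privileged (assumed ordering;
# CAN_RUN/CAN_EDIT apply to notebooks, CAN_USE to SQL warehouses).
RANK = {"CAN_READ": 0, "CAN_USE": 0, "CAN_RUN": 1, "CAN_EDIT": 2,
        "CAN_MANAGE": 3, "IS_OWNER": 4}
BROAD_PRINCIPALS = {"users"}    # built-in group that contains every workspace user
MAX_BROAD_LEVEL = "CAN_READ"    # policy: everyone-groups may only read

# Constructed sample ACL for a notebook.
SAMPLE_ACL = json.dumps({
    "object_id": "/notebooks/4242",
    "object_type": "notebook",
    "access_control_list": [
        {"user_name": "alice@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"group_name": "users",
         "all_permissions": [
             {"permission_level": "CAN_EDIT", "inherited": False},
             {"permission_level": "CAN_RUN", "inherited": True,
              "inherited_from_object": ["/directories/7"]}]},
        {"service_principal_name": "etl-runner",
         "all_permissions": [{"permission_level": "CAN_READ", "inherited": False}]},
    ],
})


def principal_of(entry: dict) -> tuple[str, str]:
    """Return (principal key, principal name) for one ACL entry."""
    for key in ("user_name", "group_name", "service_principal_name"):
        if key in entry:
            return key, entry[key]
    raise ValueError("ACL entry names no principal")


def find_broad_grants(acl_json: str, max_level: str = MAX_BROAD_LEVEL) -> list[dict]:
    """List grants to everyone-groups that exceed the allowed level."""
    acl = json.loads(acl_json)
    findings = []
    for entry in acl["access_control_list"]:
        kind, name = principal_of(entry)
        if kind != "group_name" or name not in BROAD_PRINCIPALS:
            continue
        for perm in entry["all_permissions"]:
            level = perm["permission_level"]
            if RANK[level] <= RANK[max_level]:
                continue
            # Inherited grants cannot be removed here; point the admin at the parent.
            if perm.get("inherited"):
                source = "inherited from " + ", ".join(perm.get("inherited_from_object", []))
            else:
                source = "direct grant"
            findings.append({"object_id": acl["object_id"], "group": name,
                             "level": level, "source": source})
    return findings


def least_privilege_acl(acl_json: str, max_level: str = MAX_BROAD_LEVEL) -> dict:
    """Build a full replacement ACL body with broad direct grants capped at max_level.

    Only direct grants are emitted: inherited ones live on the parent object and
    would reappear if they were merely omitted here.
    """
    acl = json.loads(acl_json)
    body = []
    for entry in acl["access_control_list"]:
        kind, name = principal_of(entry)
        for perm in entry["all_permissions"]:
            if perm.get("inherited"):
                continue
            level = perm["permission_level"]
            if kind == "group_name" and name in BROAD_PRINCIPALS and RANK[level] > RANK[max_level]:
                level = max_level
            body.append({kind: name, "permission_level": level})
    return {"access_control_list": body}


if __name__ == "__main__":
    for f in find_broad_grants(SAMPLE_ACL):
        print(f"{f['object_id']}: group '{f['group']}' has {f['level']} ({f['source']})")
    print(json.dumps(least_privilege_acl(SAMPLE_ACL), indent=2))
```

The replacement body is what a workspace admin, or a user with delegated permission to manage ACLs, would submit for the object; the inherited finding is resolved by running the same audit against `/directories/7`.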
Account role based access control
You can use account role based access control to configure permission to use account-level objects such as service principals and groups. Account roles are defined once, in your account, and apply across all workspaces. All account admin users can manage account roles, as can users who have been given delegated permissions to manage them, such as group managers and service principal managers.
Follow these articles for more information on account roles on specific account-level objects:
Admin roles and workspace entitlements
There are two main levels of admin privileges available on the Databricks platform:
Account admins: Manage the Databricks account, including workspace creation, user management, cloud resources, and account usage monitoring.
Workspace admins: Manage workspace identities, access control, settings, and features for individual workspaces in the account.
There are also feature-specific admin roles with a narrower set of privileges. To learn about the available roles, see Databricks administration introduction.
An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. Workspace admins assign entitlements to users, service principals, and groups at the workspace level. For more information, see Manage entitlements.