Authentication and access control

This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see Data governance guide.

For more information on how to best configure user and groups in Databricks, see Identity best practices.

Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.

Feature

Pricing tier

Single sign-on

Standard

Databricks automation authentication permissions

Premium

SCIM Provisioning

Premium

Databricks personal access token management

Premium

Access control lists

Premium

Single sign-on

Single sign-on in the form of Google Cloud Identity (or GSuite) is available in Databricks by default. You use your Google Cloud Identity single sign-on for both the account console and workspaces. You can enable multi-factor authentication via Google Cloud Identity.

Optionally, you can configure your Google Cloud Identity account (or GSuite account) to federate with an external SAML 2.0 Identity Provider (IdP) to verify user credentials. Google Cloud Identity can federate with Microsoft Entra ID (formerly Azure Active Directory), Okta, Ping, and other IdPs. However, Databricks only interacts directly with the Google Identity Platform APIs.

Sync users and groups from your identity provider using SCIM provisioning

You can use SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning, to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Databricks, admins can terminate the user in your identity provider, and that user’s account is also removed from Databricks. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from your identity provider.

Secure API authentication

Databricks personal access tokens are one of the most well-supported types of credentials for resources and operations at the Databricks workspace level. In order to secure API authentication, workspace admins can control which users, service principals, and groups can create and use Databricks personal access tokens.

For more information, see Manage access to Databricks automation.

Workspace admins can also review Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. See Manage personal access tokens.

For more information on authenticating to Databricks automation, see Authentication for Databricks automation - overview.

Access control

In Databricks, there are different access control systems for different securable objects. To learn more about them, see Access control overview.