Access control lists
This article describes details about the permissions available for the different workspace objects.
Note
Access control requires the Premium plan.
Access control settings are disabled by default on workspaces that are upgraded from the Standard plan to the Premium plan. Once an access control setting is enabled, it can not be disabled. For more information, see Access controls lists can be enabled on upgraded workspaces.
Access control lists overview
In Databricks, you can use access control lists (ACLs) to configure permission to access workspace level objects. Workspace admins have the CAN MANAGE permission on all objects in their workspace, which gives them the ability to manage permissions on all objects in their workspaces. Users automatically have the CAN MANAGE permission for objects that they create.
For an example of how to map typical personas to workspace-level permissions, see the Proposal for Getting Started With Databricks Groups and Permissions.
Manage access control lists with folders
You can manage workspace object permissions by adding objects to folders. Objects in a folder inherit all permissions settings of that folder. For example, a user that has the CAN RUN permission on a folder has CAN RUN permission on the alerts in that folder. To learn about organizing objects into folders, see Workspace browser.
Alerts ACLs
Ability |
NO PERMISSIONS |
CAN RUN |
CAN MANAGE |
---|---|---|---|
See in alert list |
x |
x |
|
View alert and result |
x |
x |
|
Manually trigger alert run |
x |
x |
|
Subscribe to notifications |
x |
x |
|
Edit alert |
x |
||
Modify permissions |
x |
||
Delete alert |
x |
Compute ACLs
Ability |
NO PERMISSIONS |
CAN ATTACH TO |
CAN RESTART |
CAN MANAGE |
---|---|---|---|---|
Attach notebook to cluster |
x |
x |
x |
|
View Spark UI |
x |
x |
x |
|
View cluster metrics |
x |
x |
x |
|
View driver logs |
x |
x |
x |
|
Terminate cluster |
x |
x |
||
Start and restart cluster |
x |
x |
||
Edit cluster |
x |
|||
Attach library to cluster |
x |
|||
Resize cluster |
x |
|||
Modify permissions |
x |
Databricks SQL dashboard ACLs
Ability |
NO PERMISSIONS |
CAN VIEW |
CAN RUN |
CAN EDIT |
CAN MANAGE |
---|---|---|---|---|---|
See in dashboard list |
x |
x |
x |
x |
|
View dashboard and results |
x |
x |
x |
x |
|
Refresh query results in the dashboard (or choose different parameters) |
x |
x |
x |
||
Edit dashboard |
x |
x |
|||
Modify permissions |
x |
||||
Delete dashboard |
x |
Editing a dashboard requires the Run as viewer sharing setting. See Refresh behavior and execution context.
Delta Live Tables ACLs
Ability |
NO PERMISSIONS |
CAN VIEW |
CAN RUN |
CAN MANAGE |
IS OWNER |
---|---|---|---|---|---|
View pipeline details and list pipeline |
x |
x |
x |
x |
|
View Spark UI and driver logs |
x |
x |
x |
x |
|
Start and stop a pipeline update |
x |
x |
x |
||
Stop pipeline clusters directly |
x |
x |
x |
||
Edit pipeline settings |
x |
x |
|||
Delete the pipeline |
x |
x |
|||
Purge runs and experiments |
x |
x |
|||
Modify permissions |
x |
x |
Feature tables ACLs
Ability |
CAN VIEW METADATA |
CAN EDIT METADATA |
CAN MANAGE |
---|---|---|---|
Read feature table |
X |
X |
X |
Search feature table |
X |
X |
X |
Write features to feature table |
X |
X |
|
Update description of feature table |
X |
X |
|
Modify permissions |
X |
||
Delete feature table |
X |
File ACLs
Ability |
NO PERMISSIONS |
CAN READ |
CAN RUN |
CAN EDIT |
CAN MANAGE |
---|---|---|---|---|---|
Read file |
x |
x |
x |
x |
|
Comment |
x |
x |
x |
x |
|
Attach and detach file |
x |
x |
x |
||
Run file interactively |
x |
x |
x |
||
Edit file |
x |
x |
|||
Modify permissions |
x |
Folder ACLs
Ability |
NO PERMISSIONS |
CAN READ |
CAN EDIT |
CAN RUN |
CAN MANAGE |
---|---|---|---|---|---|
List objects in folder |
x |
x |
x |
x |
x |
View objects in folder |
x |
x |
x |
x |
|
Clone and export items |
x |
x |
x |
||
Run objects in the folder |
x |
x |
|||
Create, import, and delete items |
x |
||||
Move and rename items |
x |
||||
Modify permissions |
x |
Git folder ACLs
Ability |
NO PERMISSIONS |
CAN READ |
CAN RUN |
CAN EDIT |
CAN MANAGE |
---|---|---|---|---|---|
List assets in a folder |
x |
x |
x |
x |
x |
View assets in a folder |
x |
x |
x |
x |
|
Clone and export assets |
x |
x |
x |
x |
|
Run executable assets in folder |
x |
x |
x |
||
Edit and rename assets in a folder |
x |
x |
|||
Create a branch in a folder |
x |
||||
Pull or push a branch into a folder |
x |
||||
Create, import, delete, and move assets |
x |
||||
Modify permissions |
x |
Job ACLs
Ability |
NO PERMISSIONS |
CAN VIEW |
CAN MANAGE RUN |
IS OWNER |
CAN MANAGE |
---|---|---|---|---|---|
View job details and settings |
x |
x |
x |
x |
|
View results |
x |
x |
x |
x |
|
View Spark UI, logs of a job run |
x |
x |
x |
||
Run now |
x |
x |
x |
||
Cancel run |
x |
x |
x |
||
Edit job settings |
x |
x |
|||
Delete job |
x |
x |
|||
Modify permissions |
x |
x |
MLFlow experiment ACLs
Ability |
NO PERMISSIONS |
CAN READ |
CAN EDIT |
CAN MANAGE |
---|---|---|---|---|
View run info search compare runs |
x |
x |
x |
|
View, list, and download run artifacts |
x |
x |
x |
|
Create, delete, and restore runs |
x |
x |
||
Log run params, metrics, tags |
x |
x |
||
Log run artifacts |
x |
x |
||
Edit experiment tags |
x |
x |
||
Purge runs and experiments |
x |
|||
Modify permissions |
x |
MLFlow model ACLs
Ability |
NO PERMISSIONS |
CAN READ |
CAN EDIT |
CAN MANAGE STAGING VERSIONS |
CAN MANAGE PRODUCTION VERSIONS |
CAN MANAGE |
---|---|---|---|---|---|---|
View model details, versions, stage transition requests, activities, and artifact download URIs |
x |
x |
x |
x |
x |
|
Request a model version stage transition |
x |
x |
x |
x |
x |
|
Add a version to a model |
x |
x |
x |
x |
||
Update model and version description |
x |
x |
x |
x |
||
Add or edit tags |
x |
x |
x |
x |
||
Transition model version between stages |
x |
x |
x |
|||
Approve a transition request |
x |
x |
x |
|||
Cancel a transition request |
x |
|||||
Rename model |
x |
|||||
Modify permissions |
x |
|||||
Delete model and model versions |
x |
Notebook ACLs
Ability |
NO PERMISSIONS |
CAN READ |
CAN RUN |
CAN EDIT |
CAN MANAGE |
---|---|---|---|---|---|
View cells |
x |
x |
x |
x |
|
Comment |
x |
x |
x |
x |
|
Run via %run or notebook workflows |
x |
x |
x |
x |
|
Attach and detach notebooks |
x |
x |
x |
||
Run commands |
x |
x |
x |
||
Edit cells |
x |
x |
|||
Modify permissions |
x |
Pool ACLs
Ability |
NO PERMISSIONS |
CAN ATTACH TO |
CAN MANAGE |
---|---|---|---|
Attach cluster to pool |
x |
x |
|
Delete pool |
x |
||
Edit pool |
x |
||
Modify permissions |
x |
Query ACLs
Ability |
NO PERMISSIONS |
CAN VIEW |
CAN RUN |
CAN EDIT |
CAN MANAGE |
---|---|---|---|---|---|
View own queries |
x |
x |
x |
x |
|
See in query list |
x |
x |
x |
x |
|
View query text |
x |
x |
x |
x |
|
View query result |
x |
x |
x |
x |
|
Refresh query result (or choose different parameters) |
x |
x |
x |
||
Include the query in a dashboard |
x |
x |
x |
||
Edit query text |
x |
x |
|||
Change SQL warehouse or data source |
x |
||||
Modify permissions |
x |
||||
Delete query |
x |