Databricks SQL dashboard access control
With dashboard access control, individual permissions determine a user’s abilities. This article describes the individual permissions and how to configure Databricks SQL dashboard access control.
Dashboard permissions
A dashboard has five permission levels: No Permissions, Can View, Can Run, Can Edit, and Can Manage.
The table lists the abilities for each permission.
Ability |
No Permissions |
Can View |
Can Run |
Can Edit |
Can Manage |
---|---|---|---|---|---|
See in dashboard list |
x |
x |
x |
x |
|
View dashboard and results |
x |
x |
x |
x |
|
Refresh query results in the dashboard (or choose different parameters) |
x |
x |
x |
||
Edit dashboard |
x (1) |
x |
|||
Modify permissions |
x |
||||
Delete dashboard |
x |
(1) Requires the Run as viewer sharing setting.
Sharing settings
Dashboards support two types of sharing settings: Run as viewer and Run as owner. The following are the permissions for these two types of sharing settings.
Ability |
Run as viewer |
Run as owner |
---|---|---|
See in dashboard list |
x |
|
Edit query/dashboard/alerts |
x |
|
Schedule |
x |
|
Choose warehouse |
x |
|
Create visualization |
x |
|
Move to trash |
x |
|
Reach cache maximum |
x |
Note
On dashboards set to use the Run as owner credential, only the dashboard owner can have Can Edit or Can Manage permissions. On Run as viewer dashboards, other users and groups can be added as collaborators with Can Edit or Can Manage permissions.
To configure sharing settings:
Click Dashboards in the sidebar.
Click a dashboard.
Click the
button at the upper-right.
In the Sharing settings > Credentials field at the bottom of the dialog, select:
Run as viewer: The viewer’s credential is used to execute the queries in the dashboard. The viewer must also have at least Can Use permissions on the warehouse.
Run as owner: The owner’s credential is used to execute the queries in the dashboard.
Schedule permissions
You can set a schedule so that your dashboard automatically updates with fresh data. See Automatically refresh a dashboard for more information. Schedules are granted permissions distinctly from the query, dashboard, or alert they are assigned to. You can assign permission settings for individual users, groups, or service principals after you create a schedule.
There are five available permission settings:
No Permissions: No permissions have been granted. Users with no permissions cannot see that the schedule exists, even if they are subscribers or included in listed notification destinations.
Can View: Grants permission to view scheduled run results.
Can Manage Run: Grants permission to view scheduled run results.
Can Manage: Grants permission to view, modify, and delete schedules. This permission is required in order to make changes to the run interval, update the subscriber list, and pause or unpause the schedule.
Is Owner: Grants all permissions of Can Manage. Additionally, the credentials of the schedule owner will be used to run dashboard queries. Only a workspace admin can change the owner.
Note
Only users with Can Manage or Is Owner permissions can add or remove themselves as dashboard subscribers or change alert notification settings.
Manage dashboard permission with folders
You can manage dashboard permissions by adding published dashboards to folders. In most cases, dashboards in a folder inherit all permissions settings of that folder. For example, a user that has Can Run permission on a folder has Can Run permission on the dashboards in that folder. For dashboards that have been published with the Run as Owner credential and shared in a folder, non-owners have their permissions transparently downgraded to Can Run.
To learn about configuring permissions on folders, see Folder permissions.
To learn more about organizing dashboards into folders, see Workspace browser.
Manage dashboard permissions using the UI
Click Dashboards in the sidebar.
Click a dashboard.
Click the
button at the upper-right. A dialog like the following appears:
Follow the steps based on the permission type you want to grant:
Can Edit permission
Select the Run as viewer sharing setting.
Click the top field to add a user or group.
Select the Can Edit permission.
Click Add.
Can Run permission
Click the top field to add a user or group.
Select the Can Run permission.
Click Add.
Dismiss the dialog.