Authentication and access control

This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see Data governance guide.

For more information on how to best configure user and groups in Databricks, see Identity best practices.

Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.

Feature

Pricing tier

Single sign-on

Standard

Google ID token authentication

Standard

Databricks personal access token management

Premium

Access control lists

Premium

Single sign-on

Single sign-on in the form of Google Cloud Identity is available in Databricks by default. You can use your Google Cloud Identity single sign-on for both the account console and workspaces. You can enable multi-factor authentication via Google Cloud Identity. See Single sign-on

Secure API access

For REST API authentication, you can use either built-in revocable Databricks personal access tokens or use revocable Google ID tokens. As a security best practice, Databricks recommends using Google ID tokens for service accounts to authenticate to automated tools, systems, scripts, and apps. For details, see Authentication with Google ID tokens.

Workspace admins can use the Token Management API to review current Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. You can use the related Permissions API to control which users can create and use tokens to access workspace REST APIs.

Access control lists

In Databricks, you can use access control lists (ACLs) to configure permission to access objects, such as: notebooks, experiments, models, clusters, jobs, dashboards, queries, and SQL warehouses. All admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. See Access control.