Authentication and access control
This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see Data governance guide.
For more information on how to best configure user and groups in Databricks, see Identity best practices.
Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.
Feature |
Pricing tier |
|---|---|
Single sign-on |
Standard |
Databricks automation authentication permissions |
Premium |
SCIM Provisioning |
Premium |
Databricks personal access token management |
Premium |
Access control lists |
Premium |
Single sign-on
Single sign-on in the form of Google Cloud Identity (or GSuite) is available in Databricks by default. You use your Google Cloud Identity single sign-on for both the account console and workspaces. You can enable multi-factor authentication via Google Cloud Identity.
Optionally, you can configure your Google Cloud Identity account (or GSuite account) to federate with an external SAML 2.0 Identity Provider (IdP) to verify user credentials. Google Cloud Identity can federate with Azure Active Directory, Okta, Ping, and other IdPs. However, Databricks only interacts directly with the Google Identity Platform APIs.
Sync users and groups from your identity provider using SCIM provisioning
You can use SCIM provisioning to sync users and groups automatically from your identity provider to your Databricks account. SCIM streamlines onboarding a new employee or team by using your identity provider to create users and groups in Databricks and give them the proper level of access. When a user leaves your organization or no longer needs access to Databricks, admins can terminate the user in your identity provider and that user’s account is also removed from Databricks. This ensures a consistent offboarding process and prevents unauthorized users from accessing sensitive data. For more information, see Sync users and groups from your identity provider.
Secure API authentication
Databricks personal access tokens are one of the most well-supported types of credentials for resources and operations at the Databricks workspace level. In order to secure API authentication, workspace admins can control which users, service principals, and groups can create and use Databricks personal access tokens.
For more information, see Manage access to Databricks automation.
Workspace admins can also review Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. See Manage personal access tokens.
For more information on authenticating to Databricks automation, see Authentication for Databricks automation.
Access control lists
In Databricks, you can use access control lists (ACLs) to configure permission to access objects, such as: notebooks, experiments, models, clusters, jobs, dashboards, queries, and SQL warehouses. All workspace admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. See Access control.