Authentication and access control
This article introduces authentication and workspace object access control in Databricks. For information about securing access to your data, see Data governance guide.
For more information on how to best configure users and groups in Databricks, see Identity best practices.
Not all security features are available on all pricing tiers. The following table contains an overview of the features and how they align to pricing plans.
Feature | Pricing tier |
---|---|
Single sign-on | Standard |
Google ID token authentication | Standard |
Databricks personal access token management | Premium |
Access control lists | Premium |
Single sign-on
Single sign-on in the form of Google Cloud Identity is available in Databricks by default. You can use your Google Cloud Identity single sign-on for both the account console and workspaces. You can enable multi-factor authentication via Google Cloud Identity. See Single sign-on.
Secure API access
For REST API authentication, you can use either built-in revocable Databricks personal access tokens or revocable Google ID tokens. As a security best practice, Databricks recommends using Google ID tokens for service accounts to authenticate to automated tools, systems, scripts, and apps. For details, see Authentication with Google ID tokens.
Workspace admins can use the Token Management API to review current Databricks personal access tokens, delete tokens, and set the maximum lifetime of new tokens for their workspace. You can use the related Permissions API to control which users can create and use tokens to access workspace REST APIs.
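The following is an added example, not code from the Databricks documentation: a lifetime audit over a token list of the kind a workspace admin reviews through the Token Management API. The response shape (`token_infos` entries with epoch-millisecond `creation_time` and `expiry_time`, `-1` meaning no expiry), the sample data, the function name `audit_tokens` and the 90-day policy are assumptions.

```python
import json

# Constructed sample, shaped like a token list response (assumed fields:
# times in epoch milliseconds, expiry_time of -1 means the token never expires).
SAMPLE_RESPONSE = json.loads("""
{"token_infos": [
  {"token_id": "tok-a", "created_by_username": "ci-bot@example.com",
   "comment": "nightly job", "creation_time": 1700000000000, "expiry_time": -1},
  {"token_id": "tok-b", "created_by_username": "alice@example.com",
   "comment": "notebook export", "creation_time": 1700000000000, "expiry_time": 1731536000000},
  {"token_id": "tok-c", "created_by_username": "bob@example.com",
   "comment": "adhoc", "creation_time": 1700000000000, "expiry_time": 1702592000000},
  {"token_id": "tok-d", "created_by_username": "carol@example.com",
   "comment": "old script", "creation_time": 1690000000000, "expiry_time": 1695000000000}
]}
""")

DAY_MS = 24 * 60 * 60 * 1000


def audit_tokens(response, max_lifetime_days, now_ms):
    """Return {token_id: [findings]} for tokens that violate the lifetime policy."""
    findings = {}
    for info in response.get("token_infos", []):
        issues = []
        created, expiry = info["creation_time"], info["expiry_time"]
        if expiry == -1:
            # No expiry at all: the highest-priority finding for review.
            issues.append("never expires")
        else:
            lifetime_days = (expiry - created) / DAY_MS
            if lifetime_days > max_lifetime_days:
                issues.append(f"lifetime {lifetime_days:.0f}d exceeds {max_lifetime_days}d")
            if expiry <= now_ms:
                issues.append("expired, candidate for cleanup")
        if issues:
            findings[info["token_id"]] = issues
    return findings


if __name__ == "__main__":
    now = 1705000000000  # constructed "current time" so the output is reproducible
    for token_id, issues in audit_tokens(SAMPLE_RESPONSE, 90, now).items():
        print(token_id, "->", "; ".join(issues))
```
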
Access control lists
In Databricks, you can use access control lists (ACLs) to configure permission to access objects such as notebooks, experiments, models, clusters, jobs, dashboards, queries, and SQL warehouses. All admin users can manage access control lists, as can users who have been given delegated permissions to manage access control lists. See Access control.