# Restrict workspace admins

This article explains how account admins can use the `RestrictWorkspaceAdmins` setting to limit workspace admin permissions around jobs and service principals.
## Default permissions

Without enabling the `RestrictWorkspaceAdmins` setting, workspace admins have the following permissions:

- Can change a job owner to any user or service principal in their workspace.
- Can update a job's Run as setting to any user in their workspace or to any service principal where they have the Service Principal User role.
## Restricted permissions

After enabling the `RestrictWorkspaceAdmins` setting, workspace admins have the following permissions:

- Can only change a job's owner to themselves.
- Can update a job's Run as setting to themselves or to any service principal where they have the Service Principal User role.
## Enable the restriction setting

To enable the `RestrictWorkspaceAdmins` setting, you must be an account admin and you must be a member of the workspace that you want to restrict. The following example uses the Databricks CLI v0.215.0.
The `RestrictWorkspaceAdmins` setting uses an `etag` field to ensure consistency. To enable or disable the setting, first issue a `GET` to receive an `etag` in the response, then use that `etag` when you update the setting. For example:

```
databricks settings restrict-workspace-admins get
```
Example response:

```json
{
  "etag": "<etag>",
  "restrict_workspace_admins": {
    "status": "ALLOW_ALL"
  },
  "setting_name": "default"
}
```
Copy the `etag` field from the response body and use it to update the `RestrictWorkspaceAdmins` setting. For example:

```
databricks settings restrict-workspace-admins update --json '{
  "setting": {
    "setting_name": "default",
    "restrict_workspace_admins": {
      "status": "RESTRICT_TOKENS_AND_JOB_RUN_AS"
    },
    "etag": "<etag>"
  },
  "allow_missing": true,
  "field_mask": "restrict_workspace_admins.status"
}'
```
Example response:

```json
{
  "etag": "<response-etag>",
  "restrict_workspace_admins": {
    "status": "RESTRICT_TOKENS_AND_JOB_RUN_AS"
  },
  "setting_name": "default"
}
```
To disable the `RestrictWorkspaceAdmins` setting, set the status to `ALLOW_ALL`.
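The GET-then-update flow above, as an added Python example (not Databricks code): it builds the same update body the CLI command sends, carries the `etag` from the GET forward, retries once the `etag` goes stale, and exposes an audit check. `FakeSettingsService` is a constructed in-memory stand-in for the settings API whose stale-etag rejection is an assumption, so the block runs offline.

```python
VALID_STATUSES = {"ALLOW_ALL", "RESTRICT_TOKENS_AND_JOB_RUN_AS"}

def build_update_payload(get_response: dict, status: str) -> dict:
    """Body for `databricks settings restrict-workspace-admins update`,
    carrying the etag from the preceding GET forward for consistency."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r}")
    return {
        "setting": {
            "setting_name": "default",
            "restrict_workspace_admins": {"status": status},
            "etag": get_response["etag"],
        },
        "allow_missing": True,
        "field_mask": "restrict_workspace_admins.status",
    }

class FakeSettingsService:
    """Constructed in-memory stand-in for the settings API (not Databricks
    code). Rejecting an update whose etag is stale is an assumed behaviour."""

    def __init__(self, status: str = "ALLOW_ALL"):
        self._status, self._etag, self._version = status, "etag-0", 0

    def get(self) -> dict:
        return {"etag": self._etag,
                "restrict_workspace_admins": {"status": self._status},
                "setting_name": "default"}

    def update(self, payload: dict) -> dict:
        if payload["setting"]["etag"] != self._etag:
            raise RuntimeError("etag mismatch: setting changed since the GET")
        self._status = payload["setting"]["restrict_workspace_admins"]["status"]
        self._version += 1
        self._etag = f"etag-{self._version}"  # every successful write gets a new etag
        return self.get()

def set_status(service, status: str, max_attempts: int = 3) -> dict:
    """GET the current etag, then update; on an etag mismatch, re-read and retry."""
    for _ in range(max_attempts):
        try:
            return service.update(build_update_payload(service.get(), status))
        except RuntimeError:
            continue  # another admin changed the setting in between; fetch a fresh etag
    raise RuntimeError(f"could not set status after {max_attempts} attempts")

def is_restricted(get_response: dict) -> bool:
    """Audit check: True only when workspace admins are restricted."""
    return get_response["restrict_workspace_admins"]["status"] == "RESTRICT_TOKENS_AND_JOB_RUN_AS"
```

Against a real workspace, replace `FakeSettingsService.get` and `update` with the CLI calls shown above and keep the retry loop, since a concurrent admin edit invalidates the `etag` you fetched.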
You can also use the Restrict Workspace Admins API or the Databricks Terraform provider.