แชร์ผ่าน


Manage users

This article explains how to add, update, and remove Azure Databricks users.

For an overview of the Azure Databricks identity model, see Azure Databricks identities.

To manage access for users, see Authentication and access control.

Overview of user management

To manage users in Azure Databricks, you must be either an account admin or a workspace admin.

  • Account admins can add users to the account and assign them admin roles. They can also assign users to workspaces and configure data access for them across workspaces, as long as those workspaces use identity federation.

  • Workspace admins can add users to an Azure Databricks workspace, assign them the workspace admin role, and manage access to objects and functionality in the workspace, such as the ability to create clusters or access specified persona-based environments. Adding a user to an Azure Databricks workspace also adds them to the account.

    Workspace admins are members of the admins group in the workspace, which is a reserved group that cannot be deleted.

    Users with a built-in Contributor or Owner role in Azure are automatically assigned the workspace admin role when they click Launch Workspace in the Azure portal. For more information, see What are workspace admins?.

Important

Databricks began to enable new workspaces for identity federation and Unity Catalog automatically on November 9, 2023, with a rollout proceeding gradually across accounts. If your workspace is enabled for identity federation by default, it cannot be disabled. For more information, see Automatic enablement of Unity Catalog.

Sync users to your Azure Databricks account from your Microsoft Entra ID tenant

Account admins can sync users from your Microsoft Entra ID tenant to your Azure Databricks account using a SCIM provisioning connector.

Important

If you already have SCIM connectors that sync identities directly to your workspaces, you must disable those SCIM connectors when the account-level SCIM connector is enabled. See Migrate workspace-level SCIM provisioning to the account level.

For instructions, see Provision identities to your Azure Databricks account using Microsoft Entra ID.

Manage users in your account

Account admins can add users to your Azure Databricks account using the account console. Users in a Azure Databricks account do not have any default access to a workspace, data, or compute resources.

Add users to your account using the account console

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. On the Users tab, click Add User.
  4. Enter a name and email address for the user.
  5. Click Add user.

Note

A user cannot belong to more than 50 Azure Databricks accounts.

To give users access to a workspace, you must add them to the workspace. See Manage users in your workspace.

Assign account admin roles to a user

  1. As an account admin, log in to the account console.

  2. In the sidebar, click User management.

  3. Find and click the username.

  4. On the Roles tab, turn on Account admin, Marketplace admin, or Billing admin.

Assign a user to a workspace using the account console

To add users to a workspace using the account console, the workspace must be enabled for identity federation. Workspace admins can also assign users to workspaces using the workspace admin settings page. See Assign a user to a workspace using the workspace admin settings page.

  1. As an account admin, log in to the account console.
  2. In the sidebar, click Workspaces.
  3. Click your workspace name.
  4. On the Permissions tab, click Add permissions.
  5. Search for and select the user, assign the permission level (workspace User or Admin), and click Save.

Remove a user from a workspace using the account console

To remove users from a workspace using the account console, the workspace must be enabled for identity federation. When a user is removed from a workspace, the user can no longer access the workspace, however permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.

  1. As an account admin, log in to the account console
  2. In the sidebar, click Workspaces.
  3. Click your workspace name.
  4. On the Permissions tab, find the user.
  5. Click the Kebab menu kebab menu at the far right of the user row and select Remove.
  6. On the confirmation dialog, click Remove.

Deactivate a user in your Azure Databricks account

Account admins can deactivate users across an Azure Databricks account. A deactivated user cannot login to the Azure Databricks account or workspaces. However, all of the user’s permissions and workspace objects remain unchanged. When a user is deactivated the following is true:

  • The user cannot login to the account or any of their workspaces from any method.
  • Applications or scripts that use the tokens generated by the user can no longer access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.
  • Notebooks owned by the user remain.
  • Clusters owned by the user remain running.
  • Scheduled jobs created by the user have to be assigned to a new owner to prevent them from failing.

When a user is reactivated, they can login to Azure Databricks with the same permissions. Databricks recommends deactivating users from the account instead of removing them because removing a user is a destructive action. A deactivated user’s status is labeled Inactive in the account console. You can also deactivate a user from a specific workspace. See Deactivate a user in your Azure Databricks workspace.

You cannot deactivate a user using the account console. Instead, use the Account Users API. For example:

curl --netrc -X PATCH \
https://${DATABRICKS_HOST}/api/2.1/accounts/{account_id}/scim/v2/Users/{id} \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}

Remove users from your Azure Databricks account

Account admins can delete users from an Azure Databricks account. Workspace admins cannot. When you delete a user from the account, that user is also removed from their workspaces.

Important

When you remove a user from the account, that user is also removed from their workspaces, regardless of whether or not identity federation has been enabled. We recommend that you refrain from deleting account-level users unless you want them to lose access to all workspaces in the account. Be aware of the following consequences of deleting users:

  • Applications or scripts that use the tokens generated by the user can no longer access Databricks APIs
  • Jobs owned by the user fail
  • Clusters owned by the user stop
  • Queries or dashboards created by the user and shared using the Run as Owner credential have to be assigned to a new owner to prevent sharing from failing

When a user is removed from an account, the user can no longer access the account or their workspaces, however permissions are maintained on the user. If the user is later added back to the account, they regain their previous permissions.

To remove a user using the account console, do the following:

  1. As an account admin, log in to the account console.
  2. In the sidebar, click User management.
  3. Find and click the username.
  4. On the User Information tab, click the Kebab menu kebab menu in the upper-right corner and select Delete.
  5. On the confirmation dialog, click Confirm delete.

If you remove a user using the account console, you must ensure that you also remove the user using any SCIM provisioning connectors or SCIM API applications that have been set up for the account. If you don’t, SCIM provisioning adds the user back the next time it syncs. See Sync users and groups from Microsoft Entra ID.

To remove a user from an Azure Databricks account using SCIM APIs, you must be an account admin. See Sync users and groups to your Azure Databricks account and the Account Groups API.

Manage users in your workspace

Workspace admins can add and manage users using the workspace admin settings page.

Assign a user to a workspace using the workspace admin settings page

To add a user to a workspace using the workspace admin settings page, do the following:

  1. As a workspace admin, log in to the Azure Databricks workspace.

  2. Click your username in the top bar of the Azure Databricks workspace and select Settings.

  3. Click on the Identity and access tab.

  4. Next to Users, click Manage.

  5. Click Add User.

  6. Select an existing user to assign to the workspace or click Add new to create a new user.

    You can add any user who belongs to the Microsoft Entra ID tenant of your Azure Databricks workspace. Adding a new user to your workspace also adds the user to your Azure Databricks account.

  7. Click Add.

Note

If your workspace is not enabled for identity federation, you only see the option to add a new user to the workspace. If you add a user that shares a username (email address) with an existing account user, those users are merged.

Assign the workspace admin role to a user using the workspace admin settings page

To assign the workspace admin role using the workspace admin settings page, do the following:

  1. As a workspace admin, log in to the Azure Databricks workspace.
  2. Click your username in the top bar of the Azure Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Users, click Manage.
  5. Select the user.
  6. Click the Entitlements tab.
  7. Click the toggle next to Admin access.

To remove the workspace admin role from a workspace user, perform the same steps, but clear the Admin access toggle.

Deactivate a user in your Azure Databricks workspace

Workspace admins can deactivate users in a Azure Databricks workspace. A deactivated user cannot login to the workspace or access it from Azure Databricks APIs, however all of the user’s permissions and workspace objects remain unchanged. When a user is deactivated:

  • The user cannot login to the workspaces from any method.
  • The user’s status shows as Inactive in the workspace admin setting page.
  • Applications or scripts that use the tokens generated by the user can no longer access the Databricks API. The tokens remain but cannot be used to authenticate while a user is deactivated.
  • Notebooks owned by the user remain.
  • Clusters owned by the user remain running.
  • Scheduled jobs created by the user have to be assigned to a new owner to prevent them from failing.

When a user is reactivated, they can login to the workspace with the same permissions. Databricks recommends deactivating users instead of removing them because removing a user is a destructive action. You cannot deactivate a user using the workspace admin settings page. Instead, use the Workspace Users API. For example:

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Users/<user-id> \
--header 'Content-type: application/scim+json' \
--data @update-user.json \
| jq .

update-user.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}

Remove a user from a workspace using the workspace admin settings page

When a user is removed from a workspace, the user can no longer access the workspace, however permissions are maintained on the user. If the user is later added back to the workspace, they regain their previous permissions.

  1. As a workspace admin, log in to the Azure Databricks workspace.
  2. Click your username in the top bar of the Azure Databricks workspace and select Settings.
  3. Click on the Identity and access tab.
  4. Next to Users, click Manage.
  5. Find the user and Kebab menu kebab menu at the far right of the user row and select Remove.
  6. Click Delete to confirm.

Manage users using the API

Account admins and workspace admins can manage users in the Azure Databricks account and workspaces using Databricks APIs.

Manage users in the account using the API

Admins can add and manage users in the Azure Databricks account using the Account Users API. Account admins and workspace admins invoke the API using a different endpoint URL:

  • Account admins use {account-domain}/api/2.1/accounts/{account_id}/scim/v2/.
  • Workspace admins use {workspace-domain}/api/2.0/account/scim/v2/.

For details, see the Account Users API.

Manage users in the workspace using the API

Account and workspace admins can use the Workspace Assignment API to assign users to workspaces enabled for identity federation. The Workspace Assignment API is supported through the Azure Databricks account and workspaces.

  • Account admins use {account-domain}/api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments.
  • Workspace admins use {workspace-domain}/api/2.0/preview/permissionassignments/principals/{user_id}.

See Workspace Assignment API.

If your workspace is not enabled for identity federation, a workspace admin can use the workspace-level APIs to assign users to their workspaces. See Workspace Users API.