Manage personal access token permissions
This article describes how to configure permissions for Azure Databricks personal access tokens. To learn how to use credentials to authenticate to Azure Databricks, see Authenticate access to Azure Databricks resources.
Note
Azure Databricks automation authentication permissions are available only in the Premium plan.
Personal access token permissions
Workspace admins can set permissions on personal access tokens to control which users, service principals, and groups can create and use tokens. Before you can use token access control, an Azure Databricks workspace admin must enable personal access tokens for the workspace. See Enable or disable personal access token authentication for the workspace.
A workspace user can have one of the following token permissions:
- NO PERMISSIONS: User cannot create or use personal access tokens to authenticate to the Azure Databricks workspace.
- CAN USE: User can create a personal access token and use it to authenticate to the workspace.
- CAN MANAGE (workspace admins only): User can manage all workspace users' personal access tokens and permission to use them. Users in the workspace admins group have this permission by default and you cannot revoke it. No other users, service principals, or groups can be granted this permission.
This table lists the permissions required for each token-related task:
Task | NO PERMISSIONS | CAN USE | CAN MANAGE |
---|---|---|---|
Create a token | | x | x |
Use a token for authentication | | x | x |
Revoke your own token | | x | x |
Revoke any user's or service principal's token | | | x |
List all tokens | | | x |
Modify token permissions | | | x |
Manage token permissions using the admin settings page
This section describes how to manage permissions using the workspace UI. You can also use the Permissions API or Databricks Terraform provider.
Go to the settings page.
Click the Advanced tab.
Next to Personal Access Tokens, click the Permissions button to open the token permissions editor.
Search for and select the user, service principal, or group and choose the permission to assign.
If the users group has the CAN USE permission and you want to apply more fine-grained access for non-admin users, remove the CAN USE permission from the users group by clicking the X next to the permission drop-down menu in the users row.
Click + Add.
Click Save.
Warning
After you save your changes, any users who previously had either the CAN USE or CAN MANAGE permission and no longer have either permission are denied access to personal access token authentication and their active tokens are immediately deleted (revoked). Deleted tokens cannot be retrieved.
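The check below is an added example, not part of the original article or Databricks code: it previews which principals would lose token access, and so have their tokens revoked, if a proposed permission list replaced the current one. The entry field names (`user_name`, `group_name`, `service_principal_name`, `permission_level`), the group membership map, and all sample principals are assumptions constructed for illustration; nested groups are not resolved.

```python
# Added example (not Databricks code). All names, groups and ACLs are constructed.
GRANTING = {"CAN_USE", "CAN_MANAGE"}  # levels that permit token authentication

# The admins group holds CAN MANAGE by default and it cannot be revoked.
ADMINS_ENTRY = {"group_name": "admins", "permission_level": "CAN_MANAGE"}


def effective_principals(acl, members):
    """Principals allowed to use tokens, directly or through group membership.

    `members` maps group name -> direct members (assumed input).
    """
    allowed = set()
    for entry in list(acl) + [ADMINS_ENTRY]:
        if entry["permission_level"] not in GRANTING:
            continue
        if "group_name" in entry:
            allowed.update(members.get(entry["group_name"], ()))
        else:
            allowed.add(entry.get("user_name") or entry["service_principal_name"])
    return allowed


def principals_losing_access(current_acl, proposed_acl, members):
    """Principals whose active tokens would be revoked when proposed_acl is saved."""
    before = effective_principals(current_acl, members)
    after = effective_principals(proposed_acl, members)
    return sorted(before - after)


# Constructed sample data: the users group currently has CAN USE, and the
# proposal narrows access to one group and one service principal.
MEMBERS = {
    "admins": ["alice@example.com"],
    "users": ["alice@example.com", "bob@example.com", "carol@example.com", "sp-etl"],
    "data-eng": ["bob@example.com"],
}
CURRENT_ACL = [{"group_name": "users", "permission_level": "CAN_USE"}]
PROPOSED_ACL = [
    {"group_name": "data-eng", "permission_level": "CAN_USE"},
    {"service_principal_name": "sp-etl", "permission_level": "CAN_USE"},
]

if __name__ == "__main__":
    for principal in principals_losing_access(CURRENT_ACL, PROPOSED_ACL, MEMBERS):
        print("tokens would be revoked on save:", principal)
```

Run it against an export of the current permissions and group memberships before clicking Save, so that owners of affected tokens can be told in advance.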