Manage entitlements
This article describes how to manage entitlements for users, service principals, and groups.
Note
Entitlements are available only in the Premium plan.
Entitlements overview
An entitlement is a property that allows a user, service principal, or group to interact with Azure Databricks in a specified way. Entitlements are assigned to users at the workspace level. The following table lists entitlements and the workspace UI and API property names that you use to manage each one. You can use the workspace admin settings page and Workspace Users, Service Principals, and Groups APIs to manage entitlements.
| Entitlement name | Entitlement API name | Default | Description |
|---|---|---|---|
| Workspace access | workspace-access | Granted by default. | When granted to a user or service principal, they can access the Data Science & Engineering and Databricks Mosaic AI persona-based environments. Can't be removed from workspace admins. |
| Databricks SQL access | databricks-sql-access | Granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow unrestricted cluster creation | allow-cluster-create | Not granted to users or service principals by default. | When granted to a user or service principal, they can create unrestricted clusters. You can restrict access to existing clusters using cluster-level permissions. Can't be removed from workspace admins. |
| Allow pool creation (not available via UI) | allow-instance-pool-create | Can't be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can't be removed from workspace admins. |
The users group is granted the Workspace access and Databricks SQL access entitlements by default. All workspace users and service principals are members of the users group. To assign these entitlements on a user-by-user basis, a workspace admin must remove the entitlement from the users group and assign it individually to users, service principals, and groups.
To log in and access an Azure Databricks workspace, a user must have the Databricks SQL access or Workspace access entitlement.
You cannot grant the allow-instance-pool-create entitlement using the admin settings page. Instead, use the Workspace Users, Service Principals, or Groups API.
Manage entitlements on users
Workspace admins can add or remove an entitlement for a user using the workspace admin settings page. You can also use the Workspace Users API.
- As a workspace admin, log in to the Azure Databricks workspace.
- Click your username in the top bar of the Azure Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Users, click Manage.
- Select the user.
- Click the Entitlements tab.
- To add an entitlement, select the toggle in the corresponding column.
To remove an entitlement, perform the same steps, but deselect the toggle instead.
If an entitlement is inherited from a group, the entitlement toggle is selected but grayed out. To remove an inherited entitlement, either remove the user from the group that has the entitlement, or remove the entitlement from the group.
Manage entitlements on service principals
Workspace admins can add or remove an entitlement for a service principal using the workspace admin settings page. You can also use the Workspace Service Principals API.
- As a workspace admin, log in to the Azure Databricks workspace.
- Click your username in the top bar of the Azure Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Service principals, click Manage.
- Select the service principal you want to update.
- To add an entitlement, under Entitlements, select the corresponding checkbox.
To remove an entitlement, perform the same steps, but clear the checkbox instead.
If an entitlement is inherited from a group, the entitlement toggle is selected but grayed out. To remove an inherited entitlement, either remove the service principal from the group that has the entitlement, or remove the entitlement from the group.
Manage entitlements on groups
Workspace admins can manage group entitlements at the workspace level, regardless of whether the group was created in the account or is workspace-local.
- As a workspace admin, log in to the Azure Databricks workspace.
- Click your username in the top bar of the Azure Databricks workspace and select Settings.
- Click on the Identity and access tab.
- Next to Groups, click Manage.
- Select the group you want to update. You must have the group manager role on the group to update it.
- On the Entitlements tab, select the entitlement you want to grant to all users in the group.
To remove an entitlement, perform the same steps, but deselect the toggle instead. Group members lose the entitlement, unless they have permission granted as an individual user or through another group membership.
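The following script is an added example, not part of this article or of the Databricks product code. It computes each principal's effective entitlements (direct plus inherited through groups), reports who would lose an entitlement if it were removed from a group, and builds the SCIM PatchOp body used to add or remove an entitlement through the Workspace Users, Service Principals, or Groups API (for example, allow-instance-pool-create, which the admin settings page cannot grant). The sample records, names, and the exact SCIM body shape are assumptions for the example.

```python
# Constructed sample records mimicking the Workspace Users / Groups API (SCIM 2.0)
# shape: `entitlements` is a list of {"value": <api-name>}; a user's `groups`
# list carries each group's displayName under "display". Shape and values assumed.
GROUPS = [
    {"displayName": "users", "entitlements": [
        {"value": "workspace-access"}, {"value": "databricks-sql-access"}]},
    {"displayName": "platform-eng", "entitlements": [
        {"value": "allow-cluster-create"}, {"value": "allow-instance-pool-create"}]},
]
PRINCIPALS = [
    {"userName": "alice@example.com", "entitlements": [],
     "groups": [{"display": "users"}, {"display": "platform-eng"}]},
    {"userName": "bob@example.com", "entitlements": [{"value": "allow-cluster-create"}],
     "groups": [{"display": "users"}, {"display": "platform-eng"}]},
    {"userName": "svc-etl", "entitlements": [], "groups": [{"display": "users"}]},
]
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def effective_entitlements(principal, groups, skip_group=None):
    """Direct entitlements plus those inherited from group membership.
    `skip_group` simulates revoking that group's grant, which is how an
    inherited entitlement is actually removed from a principal."""
    by_name = {g["displayName"]: {e["value"] for e in g["entitlements"]} for g in groups}
    effective = {e["value"] for e in principal["entitlements"]}
    for m in principal["groups"]:
        if m["display"] != skip_group:
            effective |= by_name.get(m["display"], set())
    return effective

def removal_impact(group_name, entitlement, principals, groups):
    """Principals who lose `entitlement` if it is removed from `group_name`;
    anyone granted it individually or through another group keeps it."""
    return sorted(p["userName"] for p in principals
                  if entitlement in effective_entitlements(p, groups)
                  and entitlement not in effective_entitlements(p, groups, group_name))

def patch_entitlement(op, entitlement):
    """SCIM 2.0 PatchOp body for a PATCH on a user, service principal or group
    (body shape assumed from SCIM 2.0 as used by the Databricks endpoints)."""
    if op == "add":
        operation = {"op": "add", "path": "entitlements", "value": [{"value": entitlement}]}
    elif op == "remove":
        operation = {"op": "remove", "path": f'entitlements[value eq "{entitlement}"]'}
    else:
        raise ValueError(f"unsupported op: {op}")
    return {"schemas": [SCIM_PATCH_SCHEMA], "Operations": [operation]}
```

Run removal_impact before removing a broad entitlement such as allow-cluster-create from a group so that you know which members keep it through a direct grant and which lose it.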