Request to share Genie space URL with restricted access

avadhut22111997 — Tue, 20 Aug 2024 05:40:56 GMT

Dear Databricks Team,

I hope this email finds you well.

I would like to share a specific Genie Space URL with a user, but I want to ensure that the user only has access to view this particular Genie Space ask questions in that space and no other features within the platform.

Could you please guide me on how to configure the settings or permissions to restrict the user's access exclusively to the Genie Space content?

Thank you for your assistance. I look forward to your guidance.

Best regards,

Avadhut Shedge

Re: Request to share Genie space URL with restricted access

Louis_Frolio — Thu, 06 Nov 2025 18:42:15 GMT

Greetings @avadhut22111997 , sorry this fell through the cracks. I am Happy to help you lock down access to a single Genie Space so the user can only view it and ask questions there.

What “view and ask only” means in Genie

Give the user the Genie Space permission level CAN VIEW/CAN RUN. This lets them see the space and ask Genie questions, but not edit instructions or manage sharing.

Option A — Share to a workspace member with a restricted UI (recommended)

To keep the user in a read-only experience and limit broader platform features, use Consumer access and share only the specific space:

Assign the user only the Consumer access entitlement (do not grant Databricks SQL or Workspace access). Consumer access provides a simplified, read-only experience focused on dashboards, Genie spaces, and Databricks Apps shared with them.
Ensure your workspace’s default entitlements don’t automatically grant broader access; if your org uses the default “users” group entitlements, configure entitlements so this user retains only Consumer access in the workspace.
Open the Genie Space, click Share, add the user or group, and set permission to CAN VIEW/CAN RUN.
Grant minimal runtime permissions required for the space to function:
- Compute: Give the user at least CAN USE on the space’s default SQL warehouse.
- Data: Grant SELECT on the Unity Catalog tables the space uses; if they lack access, questions about those tables return empty results.

Option B

— Share beyond the workspace (account-level) with embedded credentials If you want to avoid onboarding the user to the workspace entirely, there is a private preview to share Genie Spaces with account users (not workspace members) so they can open the URL, authenticate, and ask questions only:

Share the Genie Space to account users and, in Space settings, enable embedded credentials. This creates a service principal mirroring the last editor’s table permissions so account users can ask questions without having direct data/compute access. Account users are restricted to asking questions and providing thumbs up/down feedback; they cannot edit or manage the space.

Note: Public docs currently state that "viewers must be members of the workspace to interact with Genie spaces"; use the account-level sharing path only if your account team has enabled the private preview in your tenant.

Practical configuration checklist

Confirm the intended sharing model (workspace member with Consumer access vs account user in private preview).
In the Genie Space:
- Verify the default warehouse and keep it minimal; grant the user CAN USE on that warehouse only.
- Review attached tables; grant the user SELECT only on the required tables (or remove tables they shouldn’t see).
- Share the space with CAN VIEW/CAN RUN only (not CAN EDIT/MANAGE).
Optional safeguards:
- If file uploads are enabled for Genie in your org, keep uploads disabled for this space to prevent users from blending external files.
- If you prefer not to grant individual data permissions, consider publishing a dashboard with Enable Genie and “shared data” permissions; the linked Genie Space will run with the publisher’s credentials while viewers interact, which can reduce per-user UC grants. This approach still requires viewers to be members of the workspace.

How to share the URL

In the Genie Space, click Share and use Copy link to get a shareable URL; recipients with the required permissions can open the space and ask questions.

Hoping this guidance is still useful to you.

Cheers, Louis.