Coarse-grained access management for jobs

camilo_s — Tue, 18 Jun 2024 09:32:42 GMT

Are there any perspectives in Databricks' roadmap for enabling coarse-grained access management for jobs?

Currently, access to jobs has to be managed on a job by job basis: https://docs.databricks.com/en/security/auth-authz/access-control/index.html#job-acls . It's not difficult to implement this using the Update job permissions API (e.g. automatically during CI/CD).

However, it is difficult to get a global view on who has access to what, short of collecting that information job-by-job yourself. Now, imagine you have to migrate some service principal and need to update permissions on all the workflows it has access to, what a nightmare.

It would be great if you could define job scopes or folders (like workspace folders) that you could define access permissions on in a hierarchical hereditary way. Having a top level scope could also be a first step towards restricting job creation (e.g. only principals X, Y, Z may create jobs at "root" scope, etc.)

Is it just me lacking such a feature?

Re: Coarse-grained access management for jobs

camilo_s — Thu, 20 Jun 2024 12:26:55 GMT

Hi @Retired_mod, thanks for your reply.

A more mature access management concept in Databricks would be definitely terrific. I understand it's not entirely along the AI-lines that Databricks is pushing hard currently, but it would improve a lot the platform experience/platform capabilities (e.g. self-service) of Databricks.

I'm not gonna mark the answer as a solution as the original problem isn't solved. Maybe this discussion serves as a place for gathering feedback around the topic.

topic Re: Coarse-grained access management for jobs in Administration & Architecture

Coarse-grained access management for jobs

Re: Coarse-grained access management for jobs