topic Implementing Databricks Persona in in Administration & Architecture https://community.databricks.com/t5/administration-architecture/implementing-databricks-persona-in/m-p/91280#M1864 <P>Hi all,</P><P>I am looking to implement the "persona" based access control across multiple workspaces for multiple user groups in Azure Databricks workspaces. Specifically,</P><P>- I have a "DEV" workspace where the developer groups (Data Engineers and ML Engineers) should be able to start up compute clusters and execute Databricks workflows and jobs at will</P><P>- I have a "PROD" workspace where the developer groups&nbsp;should only be able to view the workflow or job details and logs but should not be able to execute these.&nbsp;</P><P>To me it seems like the "persona" based solution described <A href="https://www.databricks.com/discover/pages/access-control" target="_self">in this article</A>&nbsp;fits the bill nicely. Does anyone have a suggestion on how to implement this in terraform, e.g. using <A href="https://registry.terraform.io/providers/databricks/databricks/latest/docs" target="_self">the Databricks provider</A>&nbsp;?</P><P>Thanks in advance!</P><P>Dipanjan</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 21 Sep 2024 12:19:39 GMT d_kailthya 2024-09-21T12:19:39Z Implementing Databricks Persona in https://community.databricks.com/t5/administration-architecture/implementing-databricks-persona-in/m-p/91280#M1864 <P>Hi all,</P><P>I am looking to implement the "persona" based access control across multiple workspaces for multiple user groups in Azure Databricks workspaces. Specifically,</P><P>- I have a "DEV" workspace where the developer groups (Data Engineers and ML Engineers) should be able to start up compute clusters and execute Databricks workflows and jobs at will</P><P>- I have a "PROD" workspace where the developer groups&nbsp;should only be able to view the workflow or job details and logs but should not be able to execute these.&nbsp;</P><P>To me it seems like the "persona" based solution described <A href="https://www.databricks.com/discover/pages/access-control" target="_self">in this article</A>&nbsp;fits the bill nicely. Does anyone have a suggestion on how to implement this in terraform, e.g. using <A href="https://registry.terraform.io/providers/databricks/databricks/latest/docs" target="_self">the Databricks provider</A>&nbsp;?</P><P>Thanks in advance!</P><P>Dipanjan</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 21 Sep 2024 12:19:39 GMT https://community.databricks.com/t5/administration-architecture/implementing-databricks-persona-in/m-p/91280#M1864 d_kailthya 2024-09-21T12:19:39Z Re: Implementing Databricks Persona in https://community.databricks.com/t5/administration-architecture/implementing-databricks-persona-in/m-p/137473#M4358 <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">You can implement persona-based access control for Azure Databricks workspaces using Terraform and the Databricks provider, aligning with the setup you described for DEV and PROD environments. Terraform allows you to codify workspace configuration, user/group assignments, and access controls so that developer groups have appropriate permissions in each workspace.</P> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">DEV Workspace: Granting Execution Privileges</H2> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">For DEV, you want Data Engineers and ML Engineers to manage clusters and run jobs freely. You should:</P> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Assign these groups Databricks roles such as "Can Manage" at both cluster and job/workflow levels.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Use Terraform<SPAN>&nbsp;</SPAN><CODE>databricks_group</CODE><SPAN>&nbsp;</SPAN>resource to manage user groups.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Assign permissions using<SPAN>&nbsp;</SPAN><CODE>databricks_permissions</CODE><SPAN>&nbsp;</SPAN>for clusters and jobs.</P> </LI> </UL> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2"><STRONG>Sample Terraform configuration:</STRONG></P> <DIV class="w-full md:max-w-[90vw]"> <DIV class="codeWrapper text-light selection:text-super selection:bg-super/10 my-md relative flex flex-col rounded font-mono text-sm font-normal bg-subtler"> <DIV class="translate-y-xs -translate-x-xs bottom-xl mb-xl flex h-0 items-start justify-end md:sticky md:top-[100px]"> <DIV class="overflow-hidden rounded-full border-subtlest ring-subtlest divide-subtlest bg-base"> <DIV class="border-subtlest ring-subtlest divide-subtlest bg-subtler">&nbsp;</DIV> </DIV> </DIV> <DIV class="-mt-xl"> <DIV> <DIV class="text-quiet bg-subtle py-xs px-sm inline-block rounded-br rounded-tl-[3px] font-thin" data-testid="code-language-indicator">text</DIV> </DIV> <DIV><SPAN><CODE>resource "databricks_group" "data_engineers" { display_name = "data-engineers" } resource "databricks_group" "ml_engineers" { display_name = "ml-engineers" } # Assign cluster management permissions resource "databricks_permissions" "dev_cluster_permissions" { cluster_id = databricks_cluster.dev.id access_control { group_name = databricks_group.data_engineers.display_name permission_level = "CAN_MANAGE" } access_control { group_name = databricks_group.ml_engineers.display_name permission_level = "CAN_MANAGE" } } # Assign job execution permissions resource "databricks_permissions" "dev_job_permissions" { job_id = databricks_job.dev.id access_control { group_name = databricks_group.data_engineers.display_name permission_level = "CAN_MANAGE" } access_control { group_name = databricks_group.ml_engineers.display_name permission_level = "CAN_MANAGE" } } </CODE></SPAN></DIV> </DIV> </DIV> </DIV> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">This configuration ensures both groups can start clusters and execute jobs in DEV.</P> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">PROD Workspace: Granting Read-Only Access</H2> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">For PROD, restrict these groups so they can only<SPAN>&nbsp;</SPAN><STRONG>view job/workflow details and logs</STRONG>, not execute them.</P> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Assign them "Can View" permissions only—using the same resources, but with<SPAN>&nbsp;</SPAN><CODE>"CAN_VIEW"</CODE><SPAN>&nbsp;</SPAN>instead of<SPAN>&nbsp;</SPAN><CODE>"CAN_MANAGE"</CODE>.</P> </LI> </UL> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2"><STRONG>Sample Terraform configuration:</STRONG></P> <DIV class="w-full md:max-w-[90vw]"> <DIV class="codeWrapper text-light selection:text-super selection:bg-super/10 my-md relative flex flex-col rounded font-mono text-sm font-normal bg-subtler"> <DIV class="translate-y-xs -translate-x-xs bottom-xl mb-xl flex h-0 items-start justify-end md:sticky md:top-[100px]"> <DIV class="overflow-hidden rounded-full border-subtlest ring-subtlest divide-subtlest bg-base"> <DIV class="border-subtlest ring-subtlest divide-subtlest bg-subtler">&nbsp;</DIV> </DIV> </DIV> <DIV class="-mt-xl"> <DIV> <DIV class="text-quiet bg-subtle py-xs px-sm inline-block rounded-br rounded-tl-[3px] font-thin" data-testid="code-language-indicator">text</DIV> </DIV> <DIV><SPAN><CODE>resource "databricks_permissions" "prod_cluster_permissions" { cluster_id = databricks_cluster.prod.id access_control { group_name = databricks_group.data_engineers.display_name permission_level = "CAN_VIEW" } access_control { group_name = databricks_group.ml_engineers.display_name permission_level = "CAN_VIEW" } } resource "databricks_permissions" "prod_job_permissions" { job_id = databricks_job.prod.id access_control { group_name = databricks_group.data_engineers.display_name permission_level = "CAN_VIEW" } access_control { group_name = databricks_group.ml_engineers.display_name permission_level = "CAN_VIEW" } } </CODE></SPAN></DIV> </DIV> </DIV> </DIV> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">This aligns with a persona-based approach, where personas (developer, analyst, etc.) map to groups that receive distinct role assignments per workspace.</P> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">Additional Guidance</H2> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Use Terraform workspaces or separate configurations for DEV and PROD environments to keep isolation.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Consult the<SPAN>&nbsp;</SPAN><A class="reset interactable cursor-pointer decoration-1 underline-offset-1 text-super hover:underline font-semibold" href="https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permissions" target="_blank" rel="nofollow noopener"><SPAN class="text-box-trim-both">Databricks provider documentation</SPAN></A><SPAN>&nbsp;</SPAN>for the latest permission levels and supported resources.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Consider using Databricks access control lists (ACLs), cluster policies, and workspace-level role assignments for more granular control.</P> </LI> </UL> <H2 class="mb-2 mt-4 font-display font-semimedium text-base first:mt-0">References</H2> <UL class="marker:text-quiet list-disc"> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">Persona-based access is described in detail in Databricks documentation.</P> </LI> <LI class="py-0 my-0 prose-p:pt-0 prose-p:mb-2 prose-p:my-0 [&amp;&gt;p]:pt-0 [&amp;&gt;p]:mb-2 [&amp;&gt;p]:my-0"> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">The Terraform Databricks provider gives exact implementation examples for roles, permissions, and resource management.</P> </LI> </UL> <P class="my-2 [&amp;+p]:mt-4 [&amp;_strong:has(+br)]:inline-block [&amp;_strong:has(+br)]:pb-2">By following these steps, you'll maintain strict boundaries between DEV and PROD, in line with persona-based governance principles.</P> Mon, 03 Nov 2025 21:26:26 GMT https://community.databricks.com/t5/administration-architecture/implementing-databricks-persona-in/m-p/137473#M4358 mark_ott 2025-11-03T21:26:26Z