https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115850#M3273 <P>Thank you very much for the response. I tried to grant the user access directly, and they are able to access the workspace (workspace enabled with Unity Catalog and system tables enabled). Then I executed the query you recommended, but it returns empty.</P> Fri, 18 Apr 2025 14:29:47 GMT antonionuzzo 2025-04-18T14:29:47Z https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115830#M3269 <P><SPAN>Hello everyone,</SPAN></P><P><SPAN>I am conducting tests on Databricks AWS and have noticed that in an organization with multiple workspaces, each with different workspace admins, a workspace admin can invite a user who is not mapped within their workspace but is already mapped inside databricks metastore. I would like to understand if it is possible to prohibit this action for the workspace admin or, alternatively, where this information is logged. I believe it is within the system audit access table, but I am unable to find the row that identifies this action.</SPAN></P> Fri, 18 Apr 2025 09:49:34 GMT https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115830#M3269 antonionuzzo 2025-04-18T09:49:34Z https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115847#M3272 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/157648">@antonionuzzo</a>&nbsp;</P><P>There isn’t a way in Databricks to restrict workspace admins from inviting users who aren’t part of their workspace but already exist in the metastore. If you're trying to track this activity, you can use the system.access.audit table (assuming system tables are enabled).<BR /><BR />Here's a sample query you can run to check for user additions in a specific workspace:</P><P>SELECT<BR />&nbsp; &nbsp; &nbsp;event_time,<BR />&nbsp; &nbsp; &nbsp;user_identity.email,<BR />&nbsp; &nbsp; &nbsp;action_name,<BR />&nbsp; &nbsp; &nbsp;request_params<BR />FROM<BR />&nbsp; &nbsp; &nbsp;system.access.audit<BR />WHERE<BR />&nbsp; &nbsp; &nbsp;action_name = 'addUser'<BR />&nbsp; &nbsp; &nbsp;AND request_params.workspace_id = 'YOUR_WORKSPACE_ID'<BR />ORDER BY<BR />&nbsp; &nbsp; &nbsp;event_time DESC;</P><P>This should help you to see when users were added and by whom.</P> Fri, 18 Apr 2025 13:43:11 GMT https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115847#M3272 SP_6721 2025-04-18T13:43:11Z https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115850#M3273 <P>Thank you very much for the response. I tried to grant the user access directly, and they are able to access the workspace (workspace enabled with Unity Catalog and system tables enabled). Then I executed the query you recommended, but it returns empty.</P> Fri, 18 Apr 2025 14:29:47 GMT https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115850#M3273 antonionuzzo 2025-04-18T14:29:47Z https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115859#M3274 <P>You do have some control over what workspace admins can do.&nbsp;Databricks allows account admins to restrict workspace admin permissions by enabling the <CODE>RestrictWorkspaceAdmins</CODE> setting. Have a look here:&nbsp;<A href="https://docs.databricks.com/aws/en/admin/workspace-settings/restrict-workspace-admins" target="_blank">https://docs.databricks.com/aws/en/admin/workspace-settings/restrict-workspace-admins</A></P> <P>&nbsp;</P> <P>Account admins are elevated and have entitlements at the Databricks Account level. There will only be one or two of these people. Hope this helps.&nbsp; Louis.</P> Fri, 18 Apr 2025 16:57:18 GMT https://community.databricks.com/t5/administration-architecture/monitor-workspace-admin-activities/m-p/115859#M3274 Louis_Frolio 2025-04-18T16:57:18Z