https://community.databricks.com/t5/administration-architecture/removing-compute-policy-permissions-using-terraform/m-p/119682#M3378 <P>By default, the "users" and "admins" groups have CAN_USE permission on the Personal Compute policy.</P><P>I'm using Terraform and would like to prevent regular users from using this policy to create additional compute clusters.</P><P>I haven't found a way to do this. The&nbsp;databricks_permissions resource requires an access_control block with a valid group_name and permission_level.</P><UL><LI>Because at least one access_control block is required, I must specify some permission.</LI><LI>I can't just give the admins CAN_USE here, because the API won't let you modify admin permissions for cluster-policy resources.</LI><LI>The only supported permission level is CAN_USE, so I can't set a lower permission level, like CAN_VIEW.</LI></UL><P>How can I remove the default permissions from the "users" group here?</P><PRE>resource "databricks_permissions" "personal_compute_policy" {<BR /> cluster_policy_id = data.databricks_cluster_policy.personal_compute.id<BR /><BR /> access_control {<BR /> group_name = "users"<BR /> permission_level = "CAN_USE"<BR /> }<BR />}<BR /><BR />data "databricks_cluster_policy" "personal_compute" {<BR /> name = "Personal Compute"<BR />}</PRE><P>&nbsp;</P> Tue, 20 May 2025 03:39:01 GMT mzs 2025-05-20T03:39:01Z https://community.databricks.com/t5/administration-architecture/removing-compute-policy-permissions-using-terraform/m-p/119682#M3378 <P>By default, the "users" and "admins" groups have CAN_USE permission on the Personal Compute policy.</P><P>I'm using Terraform and would like to prevent regular users from using this policy to create additional compute clusters.</P><P>I haven't found a way to do this. The&nbsp;databricks_permissions resource requires an access_control block with a valid group_name and permission_level.</P><UL><LI>Because at least one access_control block is required, I must specify some permission.</LI><LI>I can't just give the admins CAN_USE here, because the API won't let you modify admin permissions for cluster-policy resources.</LI><LI>The only supported permission level is CAN_USE, so I can't set a lower permission level, like CAN_VIEW.</LI></UL><P>How can I remove the default permissions from the "users" group here?</P><PRE>resource "databricks_permissions" "personal_compute_policy" {<BR /> cluster_policy_id = data.databricks_cluster_policy.personal_compute.id<BR /><BR /> access_control {<BR /> group_name = "users"<BR /> permission_level = "CAN_USE"<BR /> }<BR />}<BR /><BR />data "databricks_cluster_policy" "personal_compute" {<BR /> name = "Personal Compute"<BR />}</PRE><P>&nbsp;</P> Tue, 20 May 2025 03:39:01 GMT https://community.databricks.com/t5/administration-architecture/removing-compute-policy-permissions-using-terraform/m-p/119682#M3378 mzs 2025-05-20T03:39:01Z https://community.databricks.com/t5/administration-architecture/removing-compute-policy-permissions-using-terraform/m-p/119829#M3385 <P>I learned the Personal Compute policy can be turned off at the account level:</P><P><A href="https://learn.microsoft.com/en-us/azure/databricks/admin/clusters/personal-compute#manage-policy" target="_blank">https://learn.microsoft.com/en-us/azure/databricks/admin/clusters/personal-compute#manage-policy</A></P><P>&nbsp;</P> Wed, 21 May 2025 04:44:11 GMT https://community.databricks.com/t5/administration-architecture/removing-compute-policy-permissions-using-terraform/m-p/119829#M3385 mzs 2025-05-21T04:44:11Z