topic Re: SAT Tool Scan other workspaces in Administration & Architecture

SAT Tool Scan other workspaces

vvijay61 — Thu, 09 Oct 2025 16:51:32 GMT

Hello Team,

i have been setting up SAT in my Databricks workspace and i am able to do it and scan in my workspace. i have provided my SP access to all other Workspaces as well

When i run the initialize job (SAT Initializer Notebook (one-time)) , I could notice that all workspaces in my account is being listed in the the "configs/workspace_configs.csv"

But when i trigger the job "SAT Driver Notebook" it is still scanning only on current workspace. No other workspace are being scanned

can anybody help me out in scanning all other workspace as well in the SAT job or provide some clear documentation on this

Thanks

Re: SAT Tool Scan other workspaces

nayan_wylde — Thu, 09 Oct 2025 18:31:37 GMT

@vvijay61Just confirming if your SPN have workspace admin access also you can make sure in the config csv if analysis_enabled = True

Re: SAT Tool Scan other workspaces

vvijay61 — Thu, 09 Oct 2025 18:28:20 GMT

Hello,

My SP have workspace admin access. When running initialization job. It is fetching all workspace ID

Re: SAT Tool Scan other workspaces

nayan_wylde — Thu, 09 Oct 2025 18:32:33 GMT

Can you also make sure in the config csv if analysis_enabled = True

Re: SAT Tool Scan other workspaces

vvijay61 — Thu, 09 Oct 2025 19:29:27 GMT

Its already set to true.

Re: SAT Tool Scan other workspaces

nayan_wylde — Thu, 09 Oct 2025 19:49:29 GMT

I was reading the SAT GitHub page and this might be network issue as well.

If you run SAT on Serverless compute or behind IP ACLs, cross‑workspace API calls can be blocked.
The Setup guide notes that SAT can’t analyze other workspaces when:

The destination workspaces (or account) use IP ACLs that block the SAT workspace/compute, or
The SAT workspace enforces serverless egress control that prevents outbound calls.
Fix: Allow the egress/IPs, run SAT on classic compute, or deploy a separate SAT instance in the restricted workspace

Re: SAT Tool Scan other workspaces

vvijay61 — Fri, 10 Oct 2025 13:58:09 GMT

I have tried some trouble shooting and was able to detect the second WS for SAT scan
i have added the WS details in table "admin.security_analysis.account_workspaces"
and when i run the Job it fetched this

but eventually the check was not completed with following error message

Forbidden 2025-10-10 13:51:19,378 - _profiler_ - INFO - {"error_code":403,"message":"Cert validation failed. Cross workspace access is denied due to network policies.

Can we have a suitable solution to this. We are using SAT in serverless

Re: SAT Tool Scan other workspaces

nayan_wylde — Fri, 10 Oct 2025 14:21:54 GMT

It seems like a access is denied by network policy. You have to update Network Policy for Serverless at account level

In Account Console → Cloud Resources → Policies → Serverless Egress Control → default-policy
Check the Allow access to all destinations (unrestricted outbound) OR
Keep Restricted Access but add the FQDNs of all target workspaces (e.g., adb-<workspace-id>.azuredatabricks.net) to the Allowed Domains list.

It will require Account Admin Permissions

-----------------------------------------------------------------------------------------------------------------------------------------------
If PrivateLink is enforced in your workspaces, create NCC rules to allow managed private endpoints for cross-workspace API calls.
NCC is account-level and can attach to multiple workspaces.

https://learn.microsoft.com/en-us/azure/databricks/security/network/serverless-network-security/