topic Prevent Access to AI Functions Execution in Administration & Architecture

Prevent Access to AI Functions Execution

Raman_Unifeye — Mon, 24 Nov 2025 14:05:59 GMT

As a workspace Admin, I want to prevent unexpected API costs from unrestricted usage of AI Functions (AI_QUERY() etc.), how can we control that only a particular group-users can execute AI Functions ?

I understand the function execution cost can be viewed from https://docs.databricks.com/aws/en/large-language-models/ai-functions#-view-costs-for-ai-function-workloads, but perhaps it will be too late 😉

Best Practice and guidelines pls.

Re: Prevent Access to AI Functions Execution

iyashk-DB — Mon, 24 Nov 2025 18:00:27 GMT

Hi @Raman_Unifeye ,
For PT (Provisioned Throughput) endpoints, on the UI, you will have an option to edit "Permissions" and set a specific User/Group that can query them. You will have to assign that group "Can Query" permission. By Default all Admins will have access to this.

Thanks,
Yashwanth

Re: Prevent Access to AI Functions Execution

Raman_Unifeye — Mon, 24 Nov 2025 22:24:05 GMT

@iyashk-DB - can you pls elaborate on it. I am looking to turn it off for all of Databricks AI Functions usage - https://docs.databricks.com/aws/en/large-language-models/ai-functions#-task-specific-ai-functions

Re: Prevent Access to AI Functions Execution

iyashk-DB — Tue, 25 Nov 2025 07:38:52 GMT

@Raman_Unifeye , you will be disabling access to the endpionts that will be used inside the ai_query() function. It is not something like disabling the function, but managing the endpoint's access to the Users/groups who can and cannot query them.

Re: Prevent Access to AI Functions Execution

Raman_Unifeye — Tue, 25 Nov 2025 10:32:31 GMT

ok, so it has to be done at individual end-point and function level 😒

Re: Prevent Access to AI Functions Execution

iyashk-DB — Tue, 25 Nov 2025 12:33:48 GMT

Nothing at the function level, but yes this has to be done to each endpoint