https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7218#M3145 <P>@Christopher Shehu​&nbsp;If you don't want the "Users" group is enabled with "Workspace access" and "Databricks SQL access" entitlements, you disable all entitlements. Create separate groups based on your use case and enable the required entitlements. </P><P></P><P>Regarding parent user groups, a group can be a member(child) of another group(s). As per the screenshot, subgroup is a child of john_test_group and maingroup (parent groups). Hope this helps.</P><P></P><P><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/2550i0D26FE544C2BA8F3/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span></P> Fri, 24 Mar 2023 17:35:59 GMT Anonymous 2023-03-24T17:35:59Z https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7217#M3144 <P>Currently when you add new users to the Databricks workspace they get added to a "Users" group that has full access to the workspace. There should be a way to use group security to explicitly deny access to those same settings. This setting should override the default allow access. </P><P></P><P></P><P><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/504iC8F8E9178D51583F/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/505i23E1872C4C47A410/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span>&nbsp;</P><P><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/509i052F12A5E96ADF14/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span>&nbsp;</P><P>I also noticed the Parent User Groups are empty inside the groups? Is this maybe something we should be using that we're not? </P> Wed, 22 Mar 2023 22:20:27 GMT https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7217#M3144 Chris_Shehu 2023-03-22T22:20:27Z https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7218#M3145 <P>@Christopher Shehu​&nbsp;If you don't want the "Users" group is enabled with "Workspace access" and "Databricks SQL access" entitlements, you disable all entitlements. Create separate groups based on your use case and enable the required entitlements. </P><P></P><P>Regarding parent user groups, a group can be a member(child) of another group(s). As per the screenshot, subgroup is a child of john_test_group and maingroup (parent groups). Hope this helps.</P><P></P><P><span class="lia-inline-image-display-wrapper" image-alt="image"><img src="https://community.databricks.com/t5/image/serverpage/image-id/2550i0D26FE544C2BA8F3/image-size/large?v=v2&amp;px=999" role="button" title="image" alt="image" /></span></P> Fri, 24 Mar 2023 17:35:59 GMT https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7218#M3145 Anonymous 2023-03-24T17:35:59Z https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7219#M3146 <P>Hi @Christopher Shehu​&nbsp;</P><P></P><P>Thank you for posting your question in our community! We are happy to assist you.</P><P></P><P>To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?</P><P></P><P>This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance!&nbsp;</P><P></P><P></P> Mon, 27 Mar 2023 05:01:20 GMT https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7219#M3146 Anonymous 2023-03-27T05:01:20Z https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7220#M3147 <P>Yes, there should be a way to use group security to explicitly deny access to the workspace settings for new users added to the "Users" group. This setting should override the default allow access. <A href="https://www.umrproviderportal.org/" alt="https://www.umrproviderportal.org/" target="_blank">UMR Provider Portal Login</A></P><P></P><P></P><P></P><P></P><P></P> Tue, 28 Mar 2023 08:10:34 GMT https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7220#M3147 deanjames 2023-03-28T08:10:34Z https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7221#M3148 <P>@dean james​&nbsp;I am not sure about your case why you want to deny access to the group once you create it. Anyhow, we can use deacticate/activate an user using "2.0/preview/scim/v2/Users/{id}" rest API endpoint. We can also deactivate users that have not logged in for a customizable period. Hope this helps</P><P></P><P></P><P><A href="https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#activate-and-deactivate-user-by-id" target="test_blank">https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#activate-and-deactivate-user-by-id</A></P><P><A href="https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#automatically-deactivate-users" target="test_blank">https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#automatically-deactivate-users</A></P> Tue, 28 Mar 2023 10:14:06 GMT https://community.databricks.com/t5/data-engineering/no-explicit-deny-for-user-security-configurations-at-the-group/m-p/7221#M3148 Anonymous 2023-03-28T10:14:06Z