https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115741#M2018 <P>Enable Workspace-Only Access to SQL Warehouses (Serverless or Classic)<BR />If you're using Serverless SQL Warehouses, or even Classic, you can restrict them to workspace access only:</P><P>1.Only notebooks, dashboards, and SQL editor can connect.<BR />2.External JDBC/ODBC clients (like Power BI) will be blocked.</P> Thu, 17 Apr 2025 10:50:09 GMT tltharani 2025-04-17T10:50:09Z https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115738#M2017 <P class="">Hi everyone,</P><P class="">I'm currently setting up access controls in our Databricks development workspace. The goal is to enable business users to explore data and build their SQL skills within the workspace itself (e.g., via SQL editor or notebooks), but <STRONG>prevent them from connecting to the SQL Warehouse externally</STRONG>, such as from Power BI or other BI tools using JDBC/ODBC.</P><P class="">This is because the environment is a <STRONG>sandbox</STRONG> and not intended for enterprise reporting or external data access. We want to ensure that all data interaction remains within the Databricks environment.</P><P class="">I’m looking for the best way to:</P><OL><LI><P class="">Allow SQL querying within the workspace for selected users.</P></LI><LI><P class="">Prevent any connections from external tools to the SQL Warehouse endpoint (e.g., blocking Power BI or DBeaver access).</P></LI><LI><P class="">Maintain this control without overly complicating access for internal development/testing.</P></LI></OL><P class="">I’ve looked into IP Access Lists and Unity Catalog permissions but would appreciate any best practices, tips, or lessons learned from others who have implemented similar restrictions.</P><P class="">Thanks in advance!</P> Thu, 17 Apr 2025 10:37:05 GMT https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115738#M2017 teixeire 2025-04-17T10:37:05Z https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115741#M2018 <P>Enable Workspace-Only Access to SQL Warehouses (Serverless or Classic)<BR />If you're using Serverless SQL Warehouses, or even Classic, you can restrict them to workspace access only:</P><P>1.Only notebooks, dashboards, and SQL editor can connect.<BR />2.External JDBC/ODBC clients (like Power BI) will be blocked.</P> Thu, 17 Apr 2025 10:50:09 GMT https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115741#M2018 tltharani 2025-04-17T10:50:09Z https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115748#M2019 <P>Thanks for your reply, maybe you can guide me ?<BR /><BR />I set up two different as suggested, one as Serverless and another as Classic, and I could establish connection though catalogue using Power BI.</P> Thu, 17 Apr 2025 11:12:24 GMT https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/115748#M2019 teixeire 2025-04-17T11:12:24Z https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/118087#M2049 <P class="">Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/159826">@teixeire</a>&nbsp;,</P><P class="">To prevent external tools like Power BI or DBeaver from connecting to your SQL Warehouse, one effective approach is to <SPAN class=""><STRONG>restrict personal access token (PAT) creation</STRONG></SPAN> for users who should only query data inside the Databricks workspace.<BR /><BR /></P><P class="">This ensures that:</P><UL><LI><P class="">Users cannot generate tokens to connect via JDBC/ODBC from outside.</P></LI><LI><P class="">Any existing tokens should be manually revoked if already created.</P></LI></UL><P class="">In addition to token restrictions, you can control what users can do <SPAN class="">inside</SPAN> the workspace by using <SPAN class=""><STRONG>Unity Catalog permissions</STRONG></SPAN>. For example:</P><UL><LI><P class="">Grant <SPAN class="">USE CATALOG</SPAN>, <SPAN class="">USE SCHEMA</SPAN>, and <SPAN class="">SELECT</SPAN> only to users or groups who are allowed to run SQL queries.</P></LI><LI><P class="">Use cluster access control to make sure only selected users can run notebooks or use shared compute resources.</P></LI></UL><P class="">With this combination, you allow SQL exploration within the workspace while fully blocking external access.<BR /><BR />Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />Isi</P> Wed, 07 May 2025 08:56:25 GMT https://community.databricks.com/t5/warehousing-analytics/how-to-restrict-external-access-to-sql-warehouse-but-allow/m-p/118087#M2049 Isi 2025-05-07T08:56:25Z