cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Cannot downgrade workspace object permissions using API

takak
New Contributor II

2 weeks ago

Hi!

I'd like to restrict some users' permissions using REST API and got an issue while trying to update a permission on 'directories'.

I'm trying to set a user's permission on their default username folder in the workspace to 'can edit' so that they cannot create a new notebook until further approval. This works fine on UI, but if I try with API I get the following error.

 

{'error_code': 'INVALID_PARAMETER_VALUE', 'message': "Cannot downgrade xxx@abc.com's CAN_MANAGE permission on xxxxxxxxxx"}

 

Is there any way to make this work programmaticaly?

0 Kudos
3 REPLIES 3

Alberto_Umana
Databricks Employee
Databricks Employee

2 weeks ago - last edited 2 weeks ago

Hi @takak,

Greetings from Databricks!

What is the REST API you are making the call to?

Looks like this might not be supported programmatically, but will try to test it internally. it appears that the CAN_MANAGE permission is a higher-level permission that cannot be downgraded programmatically through the API. This restriction is likely in place to prevent accidental loss of critical management permissions.

takak
New Contributor II
In response to Alberto_Umana

2 weeks ago

Hi @Alberto_Umana 

Thank you for your response!

The endpoint I'm calling is `/api/2.0/permissions/{workspace_object_type}/{workspace_object_id}`.

It would be great if it can be tested indeed, thanks!

0 Kudos

alexzet
New Contributor II
In response to Alberto_Umana

Friday

Hello Alberto, 

I am trying to disable user access to their folders in our production workspace via API, or maybe limit to can_read.  When I do I get a similar message as the posting above. By default users receive the can_manage for their folders. Is there any other way to do lock down these folders? Users are created automatically via AD Groups, so it has to be done programmatically. 

Any help would be grately appreciated!

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements