02-03-2026 01:15 PM
Hello,
I have an Entra ID group linked to Databricks with the Consumer Access entitlement enabled, other entitlements are unchecked. They also have "use catalog" on a specific catalog. They have "select" and "use schema" to a gold level schema within the catalog. This is so they can use the Genie Spaces the developers have shared with them.
My understanding is that with Consumer Access enabled they are redirected to the Databricks One interface. We've found that if they have a link to a catalog (https://<databricks-host>/explore/data/<catalog-name>?o=<schema-id>) users with Consumer Access are able to see the schema and tables in the workspace interface. I have yet to do in-depth exploration as to what they can do with that access, I will be exploring that once I have a non-production workspace account set up.
My understanding is that the expected behavior is Consumer Access users would always go to Databricks One. Am I missing an option that prevents a user from accessing a schema in the workspace interface?
a month ago
Hi @NatJ,
You are correct that users with only the Consumer Access entitlement are intended to see the Databricks One interface when they log in. However, the behavior you are observing with direct URLs to the catalog explorer is expected, and here is why.
UNDERSTANDING CONSUMER ACCESS AND DIRECT URL BEHAVIOR
Consumer Access is a workspace entitlement that controls which UI a user sees upon login and what navigation options are available to them. When a user has only Consumer Access (no Workspace Access, no Databricks SQL Access), they land on the Databricks One homepage, which shows only dashboards, Genie spaces, and Databricks Apps shared with them.
However, Consumer Access does not act as a URL firewall. If someone shares a direct link to a workspace resource (such as a catalog explorer URL like https://<databricks-host>/explore/data/<catalog-name>), the user may still be able to navigate to that page because they have valid credentials and workspace membership. The simplified Databricks One interface removes navigation elements that would lead users to those pages, but it does not block direct URL access to all workspace paths.
WHAT CONSUMER ACCESS USERS CAN AND CANNOT DO
What they CAN do:
1. View and interact with AI/BI dashboards, Genie spaces, and Databricks Apps shared with them
2. Query SQL warehouses using third-party BI tools (if warehouse permissions are granted)
3. See data governed by Unity Catalog row-level and column-level security as configured
What they CANNOT do:
1. Create new objects in the workspace (notebooks, queries, dashboards, etc.)
2. View SQL warehouses or Query History in the UI
3. Access the full Lakehouse workspace UI navigation (notebooks, jobs, models, pipelines)
KEY CONFIGURATION CHECK
The important thing to verify is that Consumer Access is the ONLY entitlement these users have. Entitlements are additive, so the simplified consumer experience only applies when Consumer Access is the sole entitlement. If the users group has Workspace Access or Databricks SQL Access assigned by default, your consumer users will inherit those elevated entitlements.
To check this:
1. Go to your workspace Settings
2. Click the Identity and access tab
3. Click Manage next to Groups
4. Select the "users" group (all workspace users are automatically members of this group)
5. Check the Entitlements tab, and make sure only Consumer Access is enabled
If the users group still has Workspace Access or Databricks SQL Access, you need to remove those entitlements. Databricks provides a streamlined way to do this called "Change default workspace access to Consumer access," which uses group cloning to preserve existing user access while changing the default for new users:
1. Go to Settings
2. Click the Advanced tab
3. Under Access control, next to "Change default workspace access to consumer access," click Open
4. Follow the wizard to create a cloned group for your existing users who need authoring privileges
5. The system updates the users group to have only Consumer Access
REGARDING CATALOG EXPLORER ACCESS VIA DIRECT LINK
Even with proper Consumer Access configuration, a user who receives a direct URL to the catalog explorer may be able to view schema and table metadata if they have been granted Unity Catalog permissions (like "use catalog," "use schema," and "select" that you mentioned). This is because Unity Catalog permissions govern data access independently from workspace entitlements.
If you need to prevent consumer users from browsing catalog objects entirely, consider whether the Unity Catalog grants are broader than necessary. For Genie spaces to work, the underlying data permissions are handled by the Genie space sharing model, so you may be able to tighten the direct catalog grants depending on your setup.
That said, even if a consumer user can view the catalog explorer page via a direct link, they still cannot create objects, run notebooks, or perform authoring actions in the workspace.
DOCUMENTATION REFERENCES
Here are the key documentation pages for this topic:
What is consumer access?
https://learn.microsoft.com/en-us/azure/databricks/ai-bi/consumers/
What is Databricks One?
https://learn.microsoft.com/en-us/azure/databricks/workspace/databricks-one
Manage entitlements
https://learn.microsoft.com/en-us/azure/databricks/security/auth/entitlements
Change default workspace access to consumer access
https://learn.microsoft.com/en-us/azure/databricks/security/auth/change-default-workspace-access
I would recommend setting up your non-production workspace account as planned to test the exact boundaries. Verify the users group entitlements first, as that is the most common reason consumer users end up with more access than expected.
* This reply used an agent system I built to research and draft this response based on the wide set of documentation I have available and previous memory. I personally review the draft for any obvious issues and for monitoring system reliability and update it when I detect any drift, but there is still a small chance that something is inaccurate, especially if you are experimenting with brand new features.
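The "KEY CONFIGURATION CHECK" above is described as a click-through in the workspace UI. The script below is an added example (not from the original post, and not Databricks' own code) that performs the same audit offline on constructed records shaped like SCIM Group and User entries (entitlements as a list of `{"value": ...}`). It computes each member's effective entitlements as the union across the user record and every group they belong to, which is what "entitlements are additive" means in practice, and reports consumer-group members who inherit authoring entitlements. The values `workspace-access` and `databricks-sql-access` are the SCIM entitlement names; `consumer-access` is an assumed placeholder for the Consumer Access entitlement, and the group and user records are constructed sample data.

```python
"""Audit Databricks workspace entitlements for a consumer-only group.

Added example on constructed data. Record shapes follow the SCIM pattern
(entitlements as a list of {"value": ...}); the group/user contents below
are made up and are not a real workspace's data. "consumer-access" is an
assumed placeholder name for the Consumer Access entitlement.
"""

CONSUMER_ACCESS = "consumer-access"  # assumption: SCIM value of the Consumer Access entitlement
# Entitlements that re-enable the full workspace UI / SQL editor for a user.
AUTHORING_ENTITLEMENTS = {"workspace-access", "databricks-sql-access"}

# Constructed sample: the default "users" group (every user is a member) still
# carries workspace-access, which is the misconfiguration the reply warns about.
SAMPLE_GROUPS = [
    {"displayName": "users",
     "entitlements": [{"value": "workspace-access"}],
     "members": [{"value": "u1"}, {"value": "u2"}]},
    {"displayName": "genie-consumers",
     "entitlements": [{"value": CONSUMER_ACCESS}],
     "members": [{"value": "u2"}]},
]
SAMPLE_USERS = [
    {"id": "u1", "userName": "dev@example.com",
     "entitlements": [{"value": "databricks-sql-access"}]},
    {"id": "u2", "userName": "exec@example.com", "entitlements": []},
]


def entitlement_values(record):
    """Flatten a SCIM-style entitlements list into a set of value strings."""
    return {e["value"] for e in record.get("entitlements", [])}


def effective_entitlements(user_id, users, groups):
    """Union of the user's own entitlements and those of every group containing
    the user. Entitlements are additive, so any one group can widen access."""
    result = set()
    for u in users:
        if u["id"] == user_id:
            result |= entitlement_values(u)
    for g in groups:
        if any(m["value"] == user_id for m in g.get("members", [])):
            result |= entitlement_values(g)
    return result


def group_has_only_consumer_access(group_name, groups):
    """True when the group's direct entitlements are exactly {Consumer Access}."""
    group = next(g for g in groups if g["displayName"] == group_name)
    return entitlement_values(group) == {CONSUMER_ACCESS}


def consumer_only_violations(consumer_group_name, users, groups):
    """Map userName -> sorted list of authoring entitlements for members of the
    consumer group whose *effective* entitlements include any authoring right."""
    group = next(g for g in groups if g["displayName"] == consumer_group_name)
    member_ids = {m["value"] for m in group.get("members", [])}
    violations = {}
    for u in users:
        if u["id"] not in member_ids:
            continue
        extra = effective_entitlements(u["id"], users, groups) & AUTHORING_ENTITLEMENTS
        if extra:
            violations[u["userName"]] = sorted(extra)
    return violations


def strip_authoring_entitlements(group_name, groups):
    """Return a copy of the groups with authoring entitlements removed from one
    group, i.e. the end state of 'Change default workspace access to consumer access'."""
    fixed = []
    for g in groups:
        if g["displayName"] == group_name:
            kept = [e for e in g.get("entitlements", []) if e["value"] not in AUTHORING_ENTITLEMENTS]
            fixed.append({**g, "entitlements": kept})
        else:
            fixed.append(g)
    return fixed


if __name__ == "__main__":
    print("users group consumer-only:", group_has_only_consumer_access("users", SAMPLE_GROUPS))
    print("violations before fix:", consumer_only_violations("genie-consumers", SAMPLE_USERS, SAMPLE_GROUPS))
    fixed = strip_authoring_entitlements("users", SAMPLE_GROUPS)
    print("violations after fix:", consumer_only_violations("genie-consumers", SAMPLE_USERS, fixed))
```

In the sample, the consumer group itself is clean, yet its member still inherits `workspace-access` through the default `users` group, which is exactly the case the reply says to check first; the check passes only after that entitlement is stripped from `users`. Note that this audits workspace entitlements only; Unity Catalog grants on the catalog and schema are a separate control and are not covered here.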
a month ago
Hello Steve,
Thank you for taking the time to reply. I've verified what you said above is true. Prior to this post I had removed all entitlements from the default user group. The Consumer Access entitlement is the only entitlement the target group has enabled. I ended up setting up a test account in a non-production environment and accessing every area of the Workspace that my admin account could access. At no point could I change data in the Workspace. The exec who brought this issue to my attention was briefed and is content knowing data cannot be changed.