Databricks Workspace Access and Permissions

karthiknuvepro
New Contributor II

Hi Team,

  • The GCP Databricks URL https://accounts.gcp.databricks.com/ for GCP Databricks is linked to the GCP Billing Account.
  • We have two clients with separate GCP Organizations:
    • client1.example.com
    • client2.example.com
  • Both GCP Organizations share the same GCP Billing Account.
  • The GCP provides a single Billing Account for the company.

To create a Databricks Workspace, the AccountAdmin permission must be assigned to the GCP IAM user through User Management.

If we grant AccountAdmin permissions to both clients, they will be able to:

  • View other client workspaces.
  • Modify or delete workspaces belonging to other clients.

We want guidance on how to:

  1. Restrict GCP IAM users so they can create workspaces but only access the workspaces they create.
  2. Ensure other workspaces are neither visible nor accessible to them.

Please let us know how this can be achieved.

Regards,
Karthik Kumar P L
Lead Cloud Support

3 REPLIES

Alberto_Umana
Databricks Employee

Hi @karthiknuvepro,

To isolate resources you can follow these steps:

  • Create Separate GCP Projects for Each Client:
    • Create a separate GCP project for each client within their respective GCP Organizations.
    • This ensures that each client has isolated resources and permissions.
  • Assign AccountAdmin Permissions at the Project Level:
    • Grant the AccountAdmin permission to the GCP IAM user at the project level, not at the organization level.
    • This limits their permissions to only the resources within their specific project.

Hi @Alberto_Umana,

In the Databricks Account, we can only see Account Admin permissions and no permissions at the project level. Please provide reference screenshots indicating where to grant permissions at the project level.

Note: In GCP IAM, all permissions are assigned solely at the project level.

mnorland
New Contributor III

@karthiknuvepro The Databricks Account should be handled by a third-party Cloud Administration team. The workspace admins can work with them to set up the necessary cloud resources to support their catalogs and user adds/removes from their selected authentication method of choice. Otherwise, one client should create a new Databricks Account under a new billing account and migrate there.
