
Databricks Workspace Access and Permissions

karthiknuvepro
New Contributor II

Hi Team,

  • The GCP Databricks URL https://accounts.gcp.databricks.com/ for GCP Databricks is linked to the GCP Billing Account.
  • We have two clients with separate GCP Organizations:
    • client1.example.com
    • client2.example.com
  • Both GCP Organizations share the same GCP Billing Account.
  • The GCP provides a single Billing Account for the company.

To create a Databricks Workspace, the AccountAdmin permission must be assigned to the GCP IAM user through User Management.

If we grant AccountAdmin permissions to both clients, they will be able to:

  • View other client workspaces.
  • Modify or delete workspaces belonging to other clients.

We want guidance on how to:

  1. Restrict GCP IAM users so they can create workspaces but only access the workspaces they create.
  2. Ensure other workspaces are neither visible nor accessible to them.

Please let us know how this can be achieved.

Regards,
Karthik Kumar P L
Lead Cloud Support

2 REPLIES

Alberto_Umana
Databricks Employee

Hi @karthiknuvepro,

To isolate resources you can follow these steps:

 

  • Create Separate GCP Projects for Each Client:

    • Create a separate GCP project for each client within their respective GCP Organizations.
    • This ensures that each client has isolated resources and permissions.
  • Assign AccountAdmin Permissions at the Project Level:

    • Grant the AccountAdmin permission to the GCP IAM user at the project level, not at the organization level.
    • This limits their permissions to only the resources within their specific project.

 

Hi @Alberto_Umana ,

In the Databricks Account, we can only see Account Admin permissions and no permissions at the project level. Please provide reference screenshots indicating where to grant permissions at the project level.

Note: In GCP IAM, all permissions are assigned solely at the project level.
