Databricks Community

Aaron_Wong · ‎11-11-2024

I'm trying to do something seemingly very simple - disable someone's user account.

I don't even want to delete the user, just disable it for the time being.

How do I go about doing that?

Stefan-Koch · ‎11-11-2024

Hello Aaron

You can disable the user account in the directory of your cloud provider. For example, if you are using Azure Databricks, then you will manage the users via Azure Entra. Then you can simply deactivate the user account in Entra, for example, by unchecking the “Account enabled” button.

If you want the user to remain active in the cloud after all and just not be allowed to access Databricks Workspace, you can remove them from the workspace.

The user is not deleted in Entra, but merely removed from the workspace. It can still be found in the account.

Aaron_Wong · ‎11-13-2024

Ah, thanks for the reply Stefan! I should have clarified that I'm using Databricks via the AWS Marketplace.

The issue I'm encountering when I'm trying to remove someone, is that it will say "User assigned through a group cannot be deleted". However, when I go and try to remove the person from the group, I encounter this error:

PERMISSION_DENIED: Requesting user does not have permission to edit system groups.

However, I'm an admin on both the account and workspace.

Let me know! Thanks!

Screenshot 2024-11-13 at 10.17.31 AM.png

Screenshot 2024-11-13 at 10.21.52 AM.png

Stefan-Koch · ‎11-13-2024

Aaron

Is the user in another group as well? You may first remove him from that group, if it is so?

arjun_kr · ‎11-13-2024

Looks like you have users added via the system group 'account users' to the workspace. This is a system group and cannot be edited. You may make the user inactive at the workspace level using `Users` Patch API as shown below. You may get the userId from the user details page URL (for eg : 123 being the user Id from user details page : https://abc.cloud.databricks.com/settings/workspace/identity-and-access/users/123?o=456)
```

curl  --request PATCH '{{workspaceUrl}}/api/2.0/preview/scim/v2/Users/<UserId>' \
--header 'Accept: application/scim+json' \
--header 'Content-Type: application/json' \
--header 'Authorization: <Token>' \
--data '{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], 
  "Operations": [ { 
    "op": "replace", 
    "path": "active", 
    "value": [ { "value": "false" } ] 
  } ] 
}'

Aaron_Wong · ‎11-14-2024

Thanks! I'll try this out and report back!

Aaron_Wong · ‎11-15-2024

Hello! I tried this call. I hid the sensitive information with "HIDDEN" in the example:

curl --request PATCH 'https://HIDDEN.cloud.databricks.com/api/2.0/preview/scim/v2/Users/HIDDEN' \
--header 'Accept: application/scim+json' \
--header 'Content-Type: application/json' \
--header 'Authorization: HIDDEN' \
--data '{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], 
  "Operations": [{
    "op": "replace", 
    "path": "active", 
    "value": false 
  }] 
}'

But I'm getting this error for some reason:

SyntaxError: unterminated string literal (detected at line 5) (command-194238644311154-3846552969, line 5)

Any help is much appreciated!

arjun_kr · ‎12-05-2024

It looks like you might have run it as non-shell command. I can see the same error with the curl command being executed as a python command. Can you try executing it as a shell command by using %sh magic command

%sh 
curl --request PATCH 'https://HIDDEN.cloud.databricks.com/api/2.0/preview/scim/v2/Users/HIDDEN' \
--header 'Accept: application/scim+json' \
--header 'Content-Type: application/json' \
--header 'Authorization: HIDDEN' \
--data '{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], 
  "Operations": [{
    "op": "replace", 
    "path": "active", 
    "value": false 
  }] 
}'

maaz1 · 3 weeks ago

In Databricks, go to the Admin Console.
Navigate to the Service Principals section.
Create a Service Role (make sure it has necessary permissions (Admin Access).
Generate OAuth Token
Follow the instructions in the Databricks documentation to generate api access token for the service role: Follow instuction to generate the token OAuth M2M Manual Setup.
After completing the setup, you'll have a Bearer Token for the service role.
Once you have the Bearer Token, hit the curl --location --request DELETE 'https://accounts.cloud.databricks.com/api/2.0/accounts/YOUR_ACCOUNT_ID/scim/v2/Users/YOUR_USER_ID/' \ --header 'Authorization: Bearer YOUR_BEARER_TOKEN'

Databricks Community

How do I simply disable someone's user account

Photos

Join Us as a Local Community Builder!

Business Intelligence in the Era of AI

🚀 Monthly Databricks Get Started Days – Accelerate Your Learning Journey! 🚀

Databricks Community Champion - March 2025 - Takuya Omi

Intelligent Data Warehousing: AI/BI for Self-service Analytics

Get Started With Lakehouse Architecture | Pass a quiz to earn your certificate completion.