ā05-09-2026 11:14 AM
Hi Team,
Iām looking for guidance on workspace governance and change control in Databricks, specifically related to vendor access.
We recently observed that workspace-level changes seem to be applied directly, and we want to understand how this is happening and how to better control it.
ā05-09-2026 01:00 PM
Hi ,
How are you doing today? as per my understanding, we can first validate whether Databricks personnel access is enabled for your workspace. If it is enabled, we should confirm whether any recent workspace-level changes were performed as part of an approved support case, vendor activity, or internal admin action.
To get better clarity, we can review the workspace audit logs and check details such as who made the change, when it was made, what was changed, and whether it was linked to an approved change request or support ticket.
Going forward, you may want to keep vendor access disabled by default and enable it only when required for a specific support case, with a clear approval, defined time window, and audit tracking. Any workspace-level changes such as policies, configurations, permissions, or settings should ideally go through our standard change control process.
Hope this helps ensure better visibility, accountability, and full auditability for all Databricks workspace changes.
Let me know for any additional questions.
Regards,
Brahma
ā05-09-2026 01:32 PM
In our current Databricks workspace, the Personal Access Tokens (PAT) option is disabled, and we are reviewing additional controls to strengthen governance around workspace-level changes.
I have also seen the setting āWorkspace access for Azure Databricks personnel,ā which appears to allow Databricks engineers to access the workspace for troubleshooting purposes. However, this option seems limited to support scenarios and does not fully address our broader governance requirement. this also disabled right now.
With that context, I would like to understand:
Our goal is to ensure that no changes are applied directly to the workspace without visibility, control, and proper approval, particularly in production environments.
ā05-09-2026 01:49 PM
Thanks for adding more details.
Since PAT and Databricks personnel workspace access are already disabled, I would suggest first reviewing audit logs to identify whether the change was made by a workspace admin, account admin, service principal, Terraform, CLI, API, or vendor user.
Customer-controlled changes should generally be traceable through audit logs. For Databricks platform-side updates, new feature rollouts, or backend service changes, Databricks Support would be the right team to confirm what can be controlled, deferred, monitored, or audited.
For stronger governance, you can consider limiting workspace admin access, managing changes through IaC/CI-CD, disabling previews in production, separating dev/test/prod workspaces, and setting alerts for workspace setting or policy changes.
Hope this helps.
a month ago
Hi koti521,
When you say vendor I'm assuming you mean Databricks, or is there other vendors you have in mind. Thoughts below.
1. Customer-controlled changes (configs, policies, permissions) are made by your admins, service principals, or automation, and are traceable in audit logs. Query system.access.audit for who/when/what/source IP. Some events (notebook, command-level) need verbose audit logging enabled.
2. Platform-side updates (GA features, backend changes) are applied by the managed service and are mostly not customer-deferrable. The lever you control is automatic cluster update timing via maintenance windows. For a specific update, Databricks Support can confirm what's configurable or monitored.
Controlling what runs in production ā two distinct controls:
Suggested production baseline:
system.access.audit and alert on high-risk events (admin roles, token policy, workspaceConfKeys, cluster policies, Unity Catalog grants, secrets).Thanks,
Emma