Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
Leverage Azure PIM with DataBricks with Contributor role privilege

SmileyVille
New Contributor II

We are trying to leverage Azure PIM.  This works great for most things; however, we've run into a snag.  We want to limit the contributor role to a group and only at the resource group level, not subscription.  We wish to elevate via PIM.  This will then allow the user access within DataBricks.

 

#1 issue - We have to enable PIM at the group level as it doesn't show up for group members within PIM and can't assign a contributor level group within the PIM application in Azure.  So an admin has to enable PIM for the user to activate at the group level.  We've also tried to do this scenario leveraging the Managed Application Contributor role as well.

 

#2 - Delay - We are using the SCIM connector for User Provisioning leveraging Azure AD Groups.  This connects to the Unity Catalog, and we are able to assign the groups within the Workspace.  The issue - after you elevate the user's permission in the contributor group at the resource level, you have to wait for 40 minutes for user provisioning to run or stop/start it.  Until then, the user remains in an 'inactive' state within DataBricks.

 

We feel we are missing a more fluid way to grant these rights and leverage PIM.  Suggestions?

 

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions

Kaniz_Fatma
Community Manager

Hi @SmileyVille ,

  - Issue 1: Enabling PIM at the group level
 • User wants to limit contributor role to group at resource group level
 • Tried assigning contributor level group in Azure PIM, but it doesn't show up for group members
 • Tried Managed Application Contributor role, but it didn't work
 • Admin needs to enable PIM for user to activate at group level
 • Possible solution: Admin should log in to Azure Portal, go to Azure Active Directory, select group, enable PIM, assign contributor role at resource group level, save changes

  - Issue 2: Delay in user provisioning within Databricks
 • User using SCIM connector for User Provisioning, connects to unity catalog and assigns groups in Workspace
 • After elevating user's permission in contributor group, user has to wait 40 minutes for provisioning to run or stop/start it
 • User remains in 'inactive' state until provisioning is complete
 • Possible solution: User should wait 40 minutes for provisioning to complete, try stopping and starting provisioning if user remains inactive, contact Azure support if issue persists

SmileyVille
New Contributor II

Thanks - I think we were originally overthinking this.

We determined we were doing this correctly; the user just needed to switch to 'groups' within PIM to request elevation of permissions.  The larger issue is actually the 40 min user provisioning cycle, as DataBricks does not pick up the change until this runs.  This may be an option long-term, but the User Provisioning delay is making this a no-go for our team.
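The provisioning lag described in the question (#2) and in this reply is observable from the Databricks side: until the SCIM sync runs, the user record either does not exist or carries `active: false`. The script below is an added example, not code from the thread or from Databricks; it uses the workspace SCIM Users endpoint (`/api/2.0/preview/scim/v2/Users` with a `userName eq` filter) to report whether a PIM-elevated user has been provisioned and which groups they landed in, and polls until the `active` flag flips or a deadline passes. The workspace host, token and user name are placeholders read from environment variables, and `SAMPLE_LIST_RESPONSE` is a constructed SCIM reply used so the parsing and polling logic run offline.

```python
"""Check whether a SCIM-provisioned Databricks user has become active (added example)."""
import json
import os
import time
import urllib.parse
import urllib.request

# Constructed sample of a Databricks SCIM ListResponse; not captured from a real workspace.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{
        "id": "1234567890",
        "userName": "analyst@example.com",
        "active": False,  # what the user sees as 'inactive' before the sync cycle runs
        "groups": [{"display": "rg-contributors", "value": "999"}],
    }],
})


def scim_user_state(list_response_json, user_name):
    """Parse a SCIM ListResponse body; return (found, active, sorted group display names)."""
    body = json.loads(list_response_json)
    for res in body.get("Resources", []):
        if res.get("userName", "").lower() == user_name.lower():
            groups = sorted(g.get("display", "") for g in res.get("groups", []))
            return True, bool(res.get("active", False)), groups
    return False, False, []


def build_request(host, token, user_name):
    """Build the GET request for the SCIM Users endpoint filtered by userName.

    Quotes inside the user name are escaped so they cannot break the SCIM filter grammar.
    """
    safe_name = user_name.replace('"', '\\"')
    filt = urllib.parse.quote(f'userName eq "{safe_name}"')
    url = f"{host.rstrip('/')}/api/2.0/preview/scim/v2/Users?filter={filt}"
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )


def fetch_user_state(host, token, user_name):
    """Live lookup against a workspace (requires network and a token with admin rights)."""
    with urllib.request.urlopen(build_request(host, token, user_name), timeout=30) as resp:
        return scim_user_state(resp.read().decode("utf-8"), user_name)


def wait_until_active(fetch, max_wait_s=2700, interval_s=60,
                      sleep=time.sleep, clock=time.monotonic):
    """Poll fetch() until the user is found and active, or max_wait_s elapses.

    fetch() must return the (found, active, groups) triple from scim_user_state.
    Returns (became_active, number_of_polls). The 2700 s default matches the
    45 minute upper bound of the provisioning cycle mentioned in the thread.
    """
    start = clock()
    polls = 0
    while True:
        found, active, _groups = fetch()
        polls += 1
        if found and active:
            return True, polls
        if clock() - start >= max_wait_s:
            return False, polls
        sleep(interval_s)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(scim_user_state(SAMPLE_LIST_RESPONSE, "analyst@example.com"))

    # Optional live check; DATABRICKS_HOST / DATABRICKS_TOKEN / CHECK_USER are placeholders.
    host, token, user = (os.environ.get("DATABRICKS_HOST"),
                         os.environ.get("DATABRICKS_TOKEN"),
                         os.environ.get("CHECK_USER"))
    if host and token and user:
        ok, polls = wait_until_active(lambda: fetch_user_state(host, token, user))
        print(f"active={ok} after {polls} polls")
```

Running the live path right after a PIM activation shows the two states the thread describes: the user is absent or inactive until the SCIM job runs, then appears with the group membership that PIM granted. Because `wait_until_active` takes the fetch, sleep and clock as parameters, the same loop can be exercised offline against canned responses.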
