We are trying to leverage Azure PIM. This works great for most things; however, we've run into a snag. We want to limit the Contributor role to a group and only at the resource group level, not the subscription. We wish to elevate via PIM. This will then allow the user access within Databricks.
#1 issue - We have to enable PIM at the group level, as it doesn't show up for group members within PIM, and we can't assign a Contributor-level group within the PIM application in Azure. So an admin has to enable PIM for the user to activate at the group level. We've also tried this scenario leveraging the Managed Application Contributor role as well.
#2 - Delay - We are using the SCIM connector for user provisioning, leveraging Azure AD groups. This connects to the Unity Catalog, and we are able to assign the groups within the workspace. The issue: after you elevate the user's permission in the Contributor group at the resource level, you have to wait 40 minutes for user provisioning to run, or stop/start it. Until then, the user remains in an 'inactive' state within Databricks.
We feel we are missing a more fluid way to grant these rights and leverage PIM. Suggestions?
Thanks in advance.