cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Monitor workspace admin activities

antonionuzzo
New Contributor III

‎04-18-2025 02:49 AM

Hello everyone,

I am conducting tests on Databricks AWS and have noticed that in an organization with multiple workspaces, each with different workspace admins, a workspace admin can invite a user who is not mapped within their workspace but is already mapped inside databricks metastore. I would like to understand if it is possible to prohibit this action for the workspace admin or, alternatively, where this information is logged. I believe it is within the system audit access table, but I am unable to find the row that identifies this action.

0 Kudos
3 REPLIES 3

SP_6721
Honored Contributor

‎04-18-2025 06:43 AM

Hi @antonionuzzo 

There isn’t a way in Databricks to restrict workspace admins from inviting users who aren’t part of their workspace but already exist in the metastore. If you're trying to track this activity, you can use the system.access.audit table (assuming system tables are enabled).

Here's a sample query you can run to check for user additions in a specific workspace:

SELECT
     event_time,
     user_identity.email,
     action_name,
     request_params
FROM
     system.access.audit
WHERE
     action_name = 'addUser'
     AND request_params.workspace_id = 'YOUR_WORKSPACE_ID'
ORDER BY
     event_time DESC;

This should help you to see when users were added and by whom.

0 Kudos

antonionuzzo
New Contributor III
In response to SP_6721

‎04-18-2025 07:29 AM

Thank you very much for the response. I tried to grant the user access directly, and they are able to access the workspace (workspace enabled with Unity Catalog and system tables enabled). Then I executed the query you recommended, but it returns empty.

0 Kudos

Louis_Frolio
Databricks Employee
Databricks Employee

‎04-18-2025 09:57 AM

You do have some control over what workspace admins can do. Databricks allows account admins to restrict workspace admin permissions by enabling the RestrictWorkspaceAdmins setting. Have a look here: https://docs.databricks.com/aws/en/admin/workspace-settings/restrict-workspace-admins

 

Account admins are elevated and have entitlements at the Databricks Account level. There will only be one or two of these people. Hope this helps.  Louis.

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements