Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Removing access to Lakehouse and only allowing Databricks One?

NatJ
New Contributor II

Hello, 

I am trying to set up a user group for business users in our Azure Databricks that will only be able to query data. It looks like Databricks One is the solution to use. So I followed the documentation and granted the user group Consumer Access in the Workspace. I made sure the other entitlements were not checked. The user has use catalog access to the default catalog, the catalog where the data they're querying is, and select on the gold level schema under the catalog. 

When I log in as a test user using the Databricks One URL I can log in and query data as the user. When I go to the switch applications menu I see Lakehouse as an option. I can access Lakehouse and create jobs and do things our project owner would like to have restricted. I remember reading all permissions have to be removed from the workspace and only Consumer Access assigned. I've tried removing access to the catalog, gold level data, and compute from the user. When I do, Databricks One queries no longer work.

Is there a step I'm missing to force the user into Databricks One and remove the Lakehouse from the Switch Apps Menu? 

1 ACCEPTED SOLUTION

emma_s
Databricks Employee

Hi, have you checked inherited access? So the "users" and "account users" groups have "workspace access" and "Databricks SQL" access by default. You would need to remove this access from these groups as well, otherwise you'll never be able to grant a single user consumer access only. You will then need to create new groups for anyone who still needs workspace access.

NatJ
New Contributor II

Yeah, that was it. I had set up Databricks with Entra groups from the beginning and had done all my permission work there. I didn't even think of checking the default groups. Thank you! 

emma_s
Databricks Employee

No problem, glad I could help.
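
The inherited-access check from the accepted solution, as an added example that is not part of the original thread and not Databricks code: it resolves a user's group memberships, reports which groups hand them workspace or Databricks SQL access, and models the fix of moving those entitlements off the default groups. The group layout is constructed sample data, and the entitlement strings, the `business-consumers` and `workspace-builders` group names, and all function names are assumptions for illustration.

```python
import copy

# Entitlement strings are assumptions modelled on SCIM-style values.
CONSUMER = "workspace-consume"
BUILDER = {"workspace-access", "databricks-sql-access"}
DEFAULT_GROUPS = ("users", "account users")

# Constructed sample layout, not an export from a real workspace.
GROUPS = {
    "users": {"entitlements": set(BUILDER),
              "members": {"test.user@example.com", "eng@example.com"}},
    "account users": {"entitlements": set(BUILDER),
                      "members": {"test.user@example.com", "eng@example.com"}},
    "business-consumers": {"entitlements": {CONSUMER},
                           "members": {"test.user@example.com"}},
}

def groups_of(principal, groups):
    """Every group the principal is in, directly or through nested groups."""
    found, frontier = set(), {principal}
    while frontier:
        frontier = {n for n, g in groups.items()
                    if n not in found and g["members"] & frontier}
        found |= frontier
    return found

def inherited_builder_access(user, groups):
    """Map each non-consumer entitlement the user holds to the groups granting it."""
    grants = {}
    for name in groups_of(user, groups):
        for ent in groups[name]["entitlements"] & BUILDER:
            grants.setdefault(ent, set()).add(name)
    return grants

def move_builder_access(groups, new_group, members):
    """Strip builder entitlements from the default groups; re-grant via new_group."""
    fixed = copy.deepcopy(groups)
    for name in DEFAULT_GROUPS:
        fixed[name]["entitlements"] -= BUILDER
    fixed[new_group] = {"entitlements": set(BUILDER), "members": set(members)}
    return fixed

if __name__ == "__main__":
    user = "test.user@example.com"
    print("before:", inherited_builder_access(user, GROUPS))
    fixed = move_builder_access(GROUPS, "workspace-builders", {"eng@example.com"})
    print("after: ", inherited_builder_access(user, fixed))
```

An empty result for the consumer user after the move means nothing outside Consumer Access reaches them through group membership, while the engineer keeps access through the new group.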