Databricks Community

Its already set to true.

I was reading the SAT GitHub page and this might be network issue as well.

If you run SAT on Serverless compute or behind IP ACLs, cross‑workspace API calls can be blocked.
The Setup guide notes that SAT can’t analyze other workspaces when:

The destination workspaces (or account) use IP ACLs that block the SAT workspace/compute, or
The SAT workspace enforces serverless egress control that prevents outbound calls.
Fix: Allow the egress/IPs, run SAT on classic compute, or deploy a separate SAT instance in the restricted workspace

I have tried some trouble shooting and was able to detect the second WS for SAT scan
i have added the WS details in table "admin.security_analysis.account_workspaces"
and when i run the Job it fetched this

but eventually the check was not completed with following error message

 Forbidden 2025-10-10 13:51:19,378 - _profiler_ - INFO - {"error_code":403,"message":"Cert validation failed. Cross workspace access is denied due to network policies.

Can we have a suitable solution to this. We are using SAT in serverless 

It seems like a access is denied by network policy. You have to update Network Policy for Serverless at account level

In Account Console → Cloud Resources → Policies → Serverless Egress Control → default-policy
Check the Allow access to all destinations (unrestricted outbound) OR
Keep Restricted Access but add the FQDNs of all target workspaces (e.g., adb-<workspace-id>.azuredatabricks.net) to the Allowed Domains list.

It will require Account Admin Permissions

-----------------------------------------------------------------------------------------------------------------------------------------------
If PrivateLink is enforced in your workspaces, create NCC rules to allow managed private endpoints for cross-workspace API calls.
NCC is account-level and can attach to multiple workspaces.

https://learn.microsoft.com/en-us/azure/databricks/security/network/serverless-network-security/