
Unity Group management, Group: Manager role

AndrewHess
New Contributor II

We would like to have the ability to assign an individual and/or group to the "Group: Manager" role, providing them with the ability to add/remove users without the need to be an account or workspace administrator.  Ideally this would be an option for the group manager within the user interface, but we'd also be OK with an API solution.

It does look like Databricks is working towards this, as Account & Workspace managers are able to assign a principal to a "Group: Manager" role (screenshot), but we have not been able to figure out a way yet to take advantage of that.  

We've tried following the API documentation listed here, but have not been able to get anything to work that doesn't require the user to also be a workspace manager.

Curious if anyone has been successful in implementing this concept?  Or if there's a roadmap from Databricks on this functionality?


 

4 REPLIES

NandiniN
Databricks Employee

Using the API

You can also use the Account Groups API to assign the "Group: Manager" role. Here is an example of how to do this:

curl --netrc -X PATCH \
  https://${DATABRICKS_HOST}/api/2.1/accounts/{account_id}/scim/v2/Groups/{id} \
  --header 'Content-type: application/scim+json' \
  --data @update-group.json \
  | jq .

update-group.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "roles",
      "value": [
        {
          "value": "group_manager"
        }
      ]
    }
  ]
}

Using the Account Console

  1. Log in to the Account Console:

    • As an account admin, log in to the account console.
    • Navigate to the "Groups" tab.
  2. Select the Group:

    • Find and click the group name you want to manage.
    • Go to the "Permissions" tab.
  3. Grant Access:

    • Click "Grant access".
    • Search for and select the user, service principal, or group.
    • Choose the "Group: Manager" role.
    • Click "Save".


AndrewHess
New Contributor II

Thanks @NandiniN, good to know about using the API to assign group managers.

What we've been unable to figure out is how a group manager can actually add or remove members from the group they are a manager of. We haven't been able to get anything to work without the manager also being a Workspace admin, which is not what we want.

NandiniN
Databricks Employee

I see, I was the admin.

Group managers who are not workspace admins can manage group roles using the Accounts Access Control API. This allows them to add or remove members from the group they manage.

Mentioned here: https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/groups#who-can-manage-account-... and https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/groups#manage-group-roles-api

Hope this helps?

 

AndrewHess
New Contributor II

Thanks @NandiniN,

We have looked through that documentation and still have not been able to get anything to work without the user also being an account or workspace admin. The way I'm interpreting the documentation (screenshot) is that the API currently only supports assigning a user a role (i.e. the Group Manager), but does not allow for adding or removing users from the group. When trying to patch we get error messages like "Members attribute cannot be updated as group newgroup can only be managed in account."

Hoping to hear if/when Databricks plans to support this?  
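
Added example, not part of any post above and not Databricks code: the SCIM PatchOp bodies (RFC 7644 format) for the membership change the thread wants to delegate, plus a guard that an automation acting for a group manager could use to reject any patch that touches more than `members`. The member ids, the id alphabet and all function names are constructed for illustration; nothing is sent, and whether the endpoint accepts these bodies from a non-admin group manager is the question the thread leaves open.

```python
import json
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ID_RE = r"[A-Za-z0-9_-]+"  # assumed id alphabet; tighten it to match your ids
FILTER_RE = re.compile(r'members\[value eq "' + ID_RE + r'"\]')

def _checked(member_id):
    """Reject ids that could break out of the SCIM filter expression."""
    member_id = str(member_id)
    if not re.fullmatch(ID_RE, member_id):
        raise ValueError(f"refusing member id {member_id!r}")
    return member_id

def add_members(member_ids):
    """PatchOp body that adds the given ids to the group's members."""
    value = [{"value": _checked(m)} for m in member_ids]
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members", "value": value}]}

def remove_member(member_id):
    """PatchOp body that removes exactly one member, selected by filter."""
    path = f'members[value eq "{_checked(member_id)}"]'
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "remove", "path": path}]}

def touches_only_members(patch):
    """True only for add-to-members or filtered single-member removal.

    Patches on roles or entitlements, and an unfiltered remove on
    "members" (which would empty the group), are rejected.
    """
    ops = patch.get("Operations")
    if patch.get("schemas") != [PATCH_SCHEMA] or not isinstance(ops, list) or not ops:
        return False
    for op in ops:
        if not isinstance(op, dict):
            return False
        verb, path = op.get("op"), op.get("path")
        if verb == "add" and path == "members":
            continue
        if verb == "remove" and isinstance(path, str) and FILTER_RE.fullmatch(path):
            continue
        return False
    return True

if __name__ == "__main__":
    for body in (add_members(["1001", "1002"]), remove_member("1001")):
        print(json.dumps(body, indent=2), touches_only_members(body))
```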

 
