Administration & Architecture

User Provisioning (SCIM for Okta)

RoyRoger711
New Contributor II

Hello Databricks,

I wanted to ask a couple of questions regarding switching SSO from OneLogin to Okta and turning on user provisioning. We have a total of 4 workspaces (1 sandbox, 2 dev and 1 prod) within our account. We have unified login enabled for only 3 of the workspaces, but reading the provisioning documentation it says "If you delete a user from the account-level Databricks application in Okta, the user is deleted in the Databricks account and loses access to all workspaces, whether or not those workspaces are enabled for identity federation." and "By default, Databricks users inherit the workspace-access and databricks-sql-access entitlements. By default, Databricks admin users inherit the create-cluster entitlement. You don't need to assign these inherited entitlements from Okta." This would mean that they get deprovisioned from all workspaces and added to all workspaces regardless. If we do not want to provision access to prod at all, should we avoid enabling provisioning?

Accepted Solution

Kaniz_Fatma
Community Manager

Hi @RoyRoger711, let's break down your questions regarding switching SSO from OneLogin to Okta and enabling user provisioning for Databricks workspaces.

  1. Switching SSO from OneLogin to Okta:

  2. User Provisioning:

    • User provisioning ensures that user accounts are created, updated, or deactivated consistently across applications.
    • The statement you mentioned from the provisioning documentation is important: “If you delete a user from the account-level Databricks application in Okta, the user is deleted in the Databricks account and loses access to all workspaces, whether or not those workspaces are enabled for identity federation.”
    • By default, Databricks users inherit certain entitlements related to workspace access and SQL access. Admin users also inherit the create-cluster entitlement.
    • If you enable provisioning, users will be added to all workspaces by default, regardless of whether you’ve enabled identity federation for those workspaces.
    • Considerations for Your Scenario:
      • If you do not want to provision access to the “prod” workspace, you have a few options:
        • Avoid enabling provisioning: If you don’t want users to be automatically added to the “prod” workspace, refrain from enabling provisioning.
        • Manually manage access: Instead of relying on provisioning, manually manage user access to the “prod” workspace. This way, you can control who has access.
      • Keep in mind that if you delete a user from the account-level Databricks application in Okta, they’ll lose access to all workspaces, including “prod,” due to the inheritance of entitlements.
 

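The answer above recommends managing prod access by hand rather than letting account-level provisioning decide it. Whichever route is taken, the useful control is a periodic reconciliation of who is actually assigned to the prod workspace against the account's SCIM user list. The script below is an added example written for this thread, not code from the original post or from Databricks. It assumes the two payloads have the shapes returned by the account SCIM users endpoint (GET /api/2.0/accounts/{account_id}/scim/v2/Users, an RFC 7644 ListResponse) and the Workspace Assignment API (GET /api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments); the payloads embedded here are constructed sample data so the script runs offline, and the approval group name "prod-engineers" is an assumption.

```python
"""Reconcile account-level SCIM users against a prod workspace's assignments.

Added example for this thread (not from the original post or from Databricks).
Assumed payload shapes:
  - SCIM_USERS: RFC 7644 ListResponse as returned by
    GET /api/2.0/accounts/{account_id}/scim/v2/Users
  - PROD_ASSIGNMENTS: response of the Workspace Assignment API,
    GET /api/2.0/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments
Both payloads below are constructed sample data, not captured from a real account.
"""
import json

# Assumed: the Okta/Databricks group that is allowed to hold prod access.
PROD_ALLOWED_GROUPS = {"prod-engineers"}

# Constructed sample: what the account SCIM endpoint might return.
SCIM_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "101", "userName": "alice@example.com", "active": True,
         "groups": [{"display": "prod-engineers"}],
         "entitlements": [{"value": "workspace-access"},
                          {"value": "databricks-sql-access"}]},
        {"id": "102", "userName": "bob@example.com", "active": True,
         "groups": [{"display": "dev-engineers"}],
         "entitlements": [{"value": "workspace-access"}]},
        # Deactivated in the IdP: SCIM sets active=false rather than deleting.
        {"id": "103", "userName": "carol@example.com", "active": False,
         "groups": [{"display": "prod-engineers"}],
         "entitlements": []},
    ],
}

# Constructed sample: who the prod workspace currently lists as assigned.
PROD_ASSIGNMENTS = {
    "permission_assignments": [
        {"principal": {"principal_id": 101, "user_name": "alice@example.com"},
         "permissions": ["USER"]},
        {"principal": {"principal_id": 102, "user_name": "bob@example.com"},
         "permissions": ["ADMIN"]},
        {"principal": {"principal_id": 103, "user_name": "carol@example.com"},
         "permissions": ["USER"]},
        # No matching account user at all: a manually added or orphaned principal.
        {"principal": {"principal_id": 104, "user_name": "dave@example.com"},
         "permissions": ["USER"]},
    ]
}


def audit_prod_access(scim_users: dict, prod_assignments: dict,
                      allowed_groups: set) -> dict:
    """Return three sorted lists of user names found in the prod assignments:

    unapproved: active account users assigned to prod outside an allowed group
    stale:      assigned principals that are inactive or absent from the account
    admins:     active users holding the workspace ADMIN permission on prod
    Group and service-principal assignments are skipped (user_name is absent).
    """
    by_name = {u["userName"]: u for u in scim_users.get("Resources", [])}
    unapproved, stale, admins = [], [], []

    for assignment in prod_assignments.get("permission_assignments", []):
        name = assignment.get("principal", {}).get("user_name")
        if name is None:
            continue  # group or service principal; out of scope for this check
        user = by_name.get(name)
        if user is None or not user.get("active", False):
            stale.append(name)  # should have been removed when deprovisioned
            continue
        groups = {g.get("display") for g in user.get("groups", [])}
        if not groups & allowed_groups:
            unapproved.append(name)
        if "ADMIN" in assignment.get("permissions", []):
            admins.append(name)

    return {"unapproved": sorted(unapproved),
            "stale": sorted(stale),
            "admins": sorted(admins)}


if __name__ == "__main__":
    # With real data, replace the two constants with the fetched JSON bodies.
    print(json.dumps(audit_prod_access(SCIM_USERS, PROD_ASSIGNMENTS,
                                       PROD_ALLOWED_GROUPS), indent=2))
```

Run against live data, the "stale" list is the one to watch after an Okta cut-over: a user deactivated in Okta becomes active=false in the account, and an assignment that still names that user on prod means the deprovisioning did not propagate as the documentation quoted above says it should. The "unapproved" list is the complement: anyone who reached prod without being in the approval group, whether through provisioning or a manual add.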
