Databricks Community

1. If you enable Unity Catalog in a workspace, users in that workspace may be able to access the same data that users in other workspaces in your account can access. Data guardians can control who has access to what data across all workspaces from one place [1].

2. When you make users and service principals in a location, they are synced with your account as account-level users and service principals. Groups in a workspace are not linked to an account.[2][3][4][5].

3. Workspace managers can add users, service principals, and groups to the Databricks account. If their workspaces are set up for identity federation, they can also add groups to the account [5].

4. Each workspace can have up to 10,000 people, 10,000 service principals, and 5,000 groups [4].

5. When identity federation isn't turned on for a workspace, workspace admins handle users, service principals, and groups within the workspace itself [4, 5].

To sum up, account-level interfaces can be used to control users, groups, and service principals at the account level for a workspace. As account-level users and service principals, users and service principals that are made in a workspace are synced to the account. However, workplace-local groups are not synced to the account. Workspace admins can add users, service masters, and groups to the Databricks account. If their workspaces are set up for identity federation, they can also add groups to the account

In the context of Unity Catalog, SCIM (System for Cross-domain Identity Management), and Identity Federation in a Unity-based environment, users, groups, and service principals may need to be explicitly added to a Workspace in various scenarios based on your organizational requirements and the specific functionalities or features you are implementing. Here are some common scenarios where such additions might be necessary:

1. Access Control and Permissions:

   • Users: If you want to grant specific individuals access to a particular Workspace, you may need to add them explicitly. This ensures that they have the necessary permissions to view, edit, or contribute to the resources within that Workspace.

   • Groups: Adding groups to a Workspace allows you to manage access at a broader level. Instead of adding individual users, you can control access by adding or removing groups, simplifying permissions management.

   • Service Principals: For automated processes or services that require access to a Workspace, you might use service principals. Adding service principals to a Workspace ensures that these entities can interact with the resources as needed.

2. Collaboration and Sharing:

   • Users: If you have specific users who need to collaborate within a Workspace, adding them directly allows them to participate in collaborative activities, discussions, and project work.

   • Groups: Workspace collaboration is often streamlined by adding groups. When individuals in a group are added or removed, their access to the Workspace is automatically adjusted, facilitating collaboration management.

3. Integration with External Systems:

   • Service Principals: When integrating Unity with external systems or services, service principals may need to be added to the Workspace to ensure seamless communication and data exchange. This is particularly relevant if your Unity deployment is part of a larger system that requires integration.

4. SCIM Provisioning:

   • Users and Groups: If you are utilizing SCIM for identity provisioning and management, users and groups may be automatically provisioned to Unity Catalog based on your SCIM configuration. However, you might need to explicitly add them to a Workspace to define their role and access level within that specific context.

5. Identity Federation:

   • Users and Groups: In an Identity Federation scenario where identities are federated from external identity providers, you may need to explicitly add federated users or groups to a Workspace to ensure they are recognized and granted access.

Remember that the specifics can vary based on your Unity configuration, the integrations you have in place, and your organization's security and access control policies. mykohlscard.com login