1. If you enable Unity Catalog in a workspace, users in that workspace may be able to access the same data that users in other workspaces in your account can access. Data guardians can control who has access to what data across all workspaces from one place [1].
2. When you create users and service principals in a workspace, they are synced to your account as account-level users and service principals. Groups in a workspace are not linked to an account [2][3][4][5].
3. Workspace admins can add users, service principals, and groups to the Databricks account. If their workspaces are set up for identity federation, they can also add groups to the account [5].
4. Each workspace can have up to 10,000 users, 10,000 service principals, and 5,000 groups [4].
5. When identity federation isn't turned on for a workspace, workspace admins handle users, service principals, and groups within the workspace itself [4, 5].
To sum up, account-level interfaces can be used to control users, groups, and service principals at the account level for a workspace. Users and service principals that are created in a workspace are synced to the account as account-level users and service principals. However, workspace-local groups are not synced to the account. Workspace admins can add users, service principals, and groups to the Databricks account. If their workspaces are set up for identity federation, they can also add groups to the account.
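An audit sketch for the points above, added here as an example and not taken from Databricks documentation or tooling: it separates workspace-local groups (the ones that are not synced to the account) from account-level groups and checks identity counts against the per-workspace limits. It assumes the group listing is a SCIM-style response in which `meta.resourceType` is `WorkspaceGroup` for workspace-local groups and `Group` for account-level groups; the sample data and the function names `split_groups` and `limit_findings` are constructed for illustration.

```python
import json

# Per-workspace limits as stated in the list above.
LIMITS = {"users": 10_000, "service_principals": 10_000, "groups": 5_000}

# Constructed sample, shaped like a SCIM 2.0 ListResponse for groups.
# Assumption: meta.resourceType is "WorkspaceGroup" for workspace-local
# groups and "Group" for account-level groups.
SAMPLE_GROUPS = json.loads("""
{
  "totalResults": 3,
  "Resources": [
    {"displayName": "data-engineers", "meta": {"resourceType": "Group"}},
    {"displayName": "legacy-analysts", "meta": {"resourceType": "WorkspaceGroup"}},
    {"displayName": "admins", "meta": {"resourceType": "WorkspaceGroup"}}
  ]
}
""")


def split_groups(list_response):
    """Return (account_groups, workspace_local_groups) as sorted name lists."""
    account, local = [], []
    for group in list_response.get("Resources", []):
        kind = group.get("meta", {}).get("resourceType")
        name = group.get("displayName", "<unnamed>")
        # Anything not positively identified as account-level is reported as
        # local, so a missing or unexpected type gets reviewed, not ignored.
        (account if kind == "Group" else local).append(name)
    return sorted(account), sorted(local)


def limit_findings(counts, warn_ratio=0.9):
    """Flag identity types over, or at/above warn_ratio of, the workspace limit."""
    findings = []
    for kind, limit in LIMITS.items():
        n = counts.get(kind, 0)
        if n > limit:
            findings.append(f"{kind}: {n} exceeds limit {limit}")
        elif n >= warn_ratio * limit:
            findings.append(f"{kind}: {n} is at or above {warn_ratio:.0%} of limit {limit}")
    return findings


if __name__ == "__main__":
    account, local = split_groups(SAMPLE_GROUPS)
    print("account-level groups:", account)
    print("workspace-local groups (not synced to the account):", local)
    print(limit_findings({"users": 9_500, "service_principals": 120, "groups": 5_001}))
```

Groups reported as workspace-local are the ones whose membership cannot be managed from the account-level interfaces, so they are the ones to review first when centralizing access control.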