Databricks

valjas · ‎02-19-2024

We are working on creating a new databricks workspace for external entities. We have disabled Cluster and Warehouse creation permission but the external users are still able to create Jobs and job clusters. Is there a way to revoke Job creation permissions on a user or group level?

Is there a way to disable Machine Learning section?

Ayushi_Suthar · ‎02-19-2024

Hi @valjas , Good Day!

Currently, we do have an open feature request for this but as a workaround we would suggest that you to restrict non-admin users from the job creation and allow them to view required jobs, in this case is the following:

Proceed with step A).
Create a job(s) and add its tags as required.
At job ACL level, assign "Can View".

The above will allow these users to interact with the required jobs, but not edit them or create new ones.

A) It is not possible at job ACL level. However, this can be worked around by removing the permissions to create clusters to the users you do not want to create jobs. Also please check the following steps:

Remove/adjust user from clusters with the Control access to clusters where they have "Can Manage" permissions.
Remove the required user from any cluster policy they have access to.

Please let me know if this helps and leave a like if this information is useful, followups are appreciated.
Kudos
Ayushi

valjas · ‎02-20-2024

> "However, this can be worked around by removing the permissions to create clusters to the users you do not want to create jobs."

I have already removed Cluster creation permissions for the users, but they can still create a job from the UI and create a job cluster while creating the job. Is there a way to create a policy where I can restrict creating a job cluster and if there is one, can I enforce it on a specific user/group?

> "Remove the required user from any cluster policy they have access to"

Can you pls guide me on how to do this? How do I check which policy an user has access to and then revoke that?

Kaniz · ‎02-19-2024

Hi @valjas, Revoking Job Creation Permissions:

In Databricks, you can control job permissions at different levels. Here are the available permission levels for jobs:
- NO PERMISSIONS: No access to the job.
- CAN VIEW: View job details and settings.
- CAN MANAGE RUN: View results, view Spark UI, logs of a job run, run the job, and cancel a run.
- IS OWNER: The creator of the job has this permission by default. It includes all the abilities of CAN MANAGE RUN.
- CAN MANAGE: Full control over the job, including editing, deleting, and modifying permissions.
Workspace admins automatically have the CAN MANAGE permission on all jobs.
To configure job permissions:
1. Go to the Job Runs section in the Databricks workspace.
2. Click on the name of the specific job.
3. In the Job details panel, click Edit permissions.
4. Add users, groups, or service principals and assign the desired permission level.
5. Save your changes.
Note that only workspace admins can change the job owner and the IS OWNER permission cannot be grant....

Venk1599 · ‎02-20-2024

It permits cluster creation during Workflow/Job/DLT pipeline creation. However, when attempting to start any of these, it fails with a 'Not authorized to create compute' error. Please try it and inform me of the outcome

Databricks

Disable Machine Learning and Job Creation

Unity Catalog Lakeguard: Industry-first and only data governance for multi-user Apache™ Spark cluste

Announcing the General Availability of Databricks Asset Bundles

Register now and save 50% on training at Data + AI Summit!

How to successfully build GenAI applications

Meet DBRX, the New Standard for High-Quality LLMs