โ02-10-2026 03:48 AM
โ02-10-2026 03:49 AM
โ02-11-2026 08:23 AM
The Creator will always have CAN_MANAGE in addition to the Workspace Admins.
In your screenshot that 3rd row email is a different one from the creator right?
Creator (1st row email) ends with "a". 3rd row email ends with "s".
Are you trying to make sure that 3rd email does not have CAN_MANAGE?
โ02-12-2026 06:23 AM
No โ Iโm not trying to remove the CAN_MANAGE permission from the third email. That user was added only as a test to see how a newly added user with CAN_MANAGE would appear.
My actual issue is different:
Regular workspace users automatically receive CAN_MANAGE on the dashboards they create, which means they can share those dashboards freely. What I want is to disable the sharing option for non-admin users.
I initially thought that changing the dashboard creatorโs permission from CAN_MANAGE to CAN_EDIT could help, but I realized this isnโt possible because:
Given these constraints, Iโm looking for another way to disable the share button for users who are not workspace admins, allowing only admins to share dashboards and change sharing settings.
โ02-20-2026 04:21 PM
Ah ok. That suggests that your issue lies further up. Try navigating up all the way up to the top and see what your permissions are set up like. In this example, I navigated all the way up to the "Workspace" and I can see that "All workspace users" have View access. Check if yours are more permissible.
But to be clear, there isn't a setting that prevents User1 from creating Dashboard1 and choosing to Share it with User2/Group3.
โ
โ02-25-2026 10:52 AM
Thank you for your response. I wasnโt able to find an ideal way to disable the Share button for regular users, nor to prevent them from adding new users and assigning permission levels directly on the dashboard.
What Iโm currently testing is a routine that monitors dashboard permissions through a Databricks API endpoint. The routine checks the ACL list for each dashboard in the workspace, evaluating all users, groups, and their respective permission levels. If it finds that any dashboard has users or groups with permissions beyond the admin group and the owner, it automatically resets those permissions. It also consistently resets the View access for โAll workspace usersโ back to its default state.
My intention with this approach is to enforce stronger control over how sensitive business dashboards and data are shared across users, promoting a stricter โleast privilegeโ access policy.
โ02-26-2026 12:24 PM
Makes sense. You can't unilaterally disable the "Share" option. Because it is expected that users share objects they own. There have been requests from customers to try and guardrail this such as maybe members of a team/group can share with each other but no broader etc. But that's not a thing today. So your approach seems like a good corrective option.
2 weeks ago
Any movement on this topic?
We too need to restrict sharing, in our case ideally with only other users of the same workspace. As it stands, any user who creates a dashboard can share that dashboard with any account user, across all of our workspaces. This is on Azure Databricks.
2 weeks ago
Hey, that thread's already got the core answer right: there's no setting to strip CAN_MANAGE from a dashboard creator, and you already found that out the hard way when the API downgrade to CAN_READ had no effect. That's expected, Databricks docs confirm creators always keep CAN_MANAGE on objects they create, and that's not something an ACL update can override.
The thing worth separating out for your automated routine: don't waste cycles trying to touch the creator's own permission entry, that call will always be a no-op. What actually matters is who else is in the dashboard's ACL.
Sharing works by adding new principals to that list, so your enforcement job should be diffing the ACL against an allowlist (creator, admins, whatever groups you've decided are fine) and stripping anyone outside that list, rather than trying to change the creator's own entry.
GET /api/2.0/permissions/dashboards/{dashboard_id}
to pull the current ACL, then
PUT /api/2.0/permissions/dashboards/{dashboard_id}
{
"access_control_list":
[
{ "user_name": "creator@company.com", "permission_level": "CAN_MANAGE" },
{ "group_name": "admins", "permission_level": "CAN_MANAGE" }
]
}
to reset it back to just your allowed principals. PUT replaces the whole list, so anything the creator added gets dropped in one call. If you want to react faster than a polling job, check the `dashboards` service in your audit logs, worth confirming what action name actually fires on a permission change in your workspace before you build detection around it, since the documented action list for that service covers dashboard CRUD and publishing but doesn't call out a dedicated sharing/permission event name. A quick test share plus a look at `system.access.audit` right after will tell you exactly what to filter on.