Data Engineering

how to restrict creation serving endpoints in databricks to a user

drag7ter
Contributor

Is it possible somehow to restrict creation of serving endpoints to specific users? I want to grant Workspace access under the Entitlements of a specific group, but I do not want to allow users of this group to create serving endpoints.

Is the only way I see to do this to revoke the permissions on the system.ai schema that are set by default for all workspace users?


lingareddy_Alva
Honored Contributor II

@drag7ter 

 Yes, you can restrict the creation of serving endpoints to specific users while still allowing general workspace access.
This is a common requirement when you want to control infrastructure/cost-related operations.

Options for Restricting Serving Endpoint Creation
1. Using Access Control Lists (ACLs)
    The most precise approach is to manage the specific permissions related to serving endpoints:
    REVOKE CREATE SERVING ENDPOINT ON WORKSPACE FROM `group_name`;
    or at the user level:
    REVOKE CREATE SERVING ENDPOINT ON WORKSPACE FROM `user@example.com`;

2. Modifying System Schema Permissions

    Your intuition about the system.ai schema is correct. The serving endpoint functionality is controlled through permissions on this schema. You have two approaches:
    Option A: Revoke broadly and grant selectively.
        -- Revoke from all workspace users
        REVOKE ALL PRIVILEGES ON SCHEMA system.ai FROM `users`;

        -- Grant to specific admin users/groups
        GRANT ALL PRIVILEGES ON SCHEMA system.ai TO `admins`;

    Option B: Revoke specific privileges
        -- More targeted approach
        REVOKE CREATE, USAGE ON SCHEMA system.ai FROM `restricted_group`;

3. Using Workspace-Level Entitlements
       If you're using Workspace-level entitlements:
           1. Create a custom entitlement that excludes serving endpoint creation.
           2. Assign this custom entitlement to the group instead of using the predefined roles.

LR

@lingareddy_Alva thanks for the detailed explanation, could you please guide me to the Databricks docs on where and how I can use option 3)?
3. Using Workspace-Level Entitlements
       If you're using Workspace-level entitlements:
           1. Create a custom entitlement that excludes serving endpoint creation.
           2. Assign this custom entitlement to the group instead of using the predefined roles.

lingareddy_Alva
Honored Contributor II

@drag7ter 

While I mentioned Workspace-level entitlements as an approach, I need to clarify something important: Databricks doesn't currently support creating fully customized entitlements where you can exclude specific permissions like "serving endpoint creation" while keeping everything else.

Workspace-Level Entitlements Approach

Rather than creating custom entitlements (which isn't supported), you would:

  1. Use the standard entitlement roles that exclude ML capabilities
  2. Then supplement with specific SQL permissions

Here's where to find the documentation and how to implement this:

Documentation References

  1. Account-level entitlements documentation: https://docs.databricks.com/en/admin/users-groups/index.html
  2. Workspace access control documentation: https://docs.databricks.com/en/security/access-control/workspace-acl.html
  3. SQL permissions documentation: https://docs.databricks.com/en/sql/language-manual/security-grant.html

LR
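The two replies above settle on narrowing privileges rather than on an entitlement that specifically blocks endpoint creation, so a practitioner will also want a way to see who actually creates endpoints. The following is an added example for this thread, not code from either reply or from Databricks: it scans records shaped like rows of the system.access.audit system table and reports createServingEndpoint calls made by principals outside an allowlist, distinguishing successful creations from rejected attempts. The service_name and action_name values, the row layout (user_identity.email, request_params.name, response.status_code), and the allowlist are assumptions to verify against your own audit table; the sample rows are constructed.

```python
"""Detect serving-endpoint creation by principals outside an allowlist.

Added example for this thread, not code from the replies or from Databricks.
It scans records shaped like rows of the system.access.audit table. The
service/action names below and the row layout are assumptions to verify
against your own audit table; the sample rows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Assumed identifiers used by Databricks audit logs for model serving events.
SERVING_SERVICE = "serverlessRealTimeInference"
CREATE_ACTION = "createServingEndpoint"


@dataclass(frozen=True)
class Finding:
    event_time: str
    actor: str
    endpoint: str
    severity: str  # "high": endpoint was created; "info": attempt was rejected
    reason: str


def find_unauthorized_creates(records: Iterable[dict],
                              allowed_principals: Iterable[str]) -> list[Finding]:
    """Return one Finding per createServingEndpoint call by a non-allowlisted actor.

    A successful call (HTTP 200) is reported as high severity because the
    endpoint now exists; a rejected call is still reported, at info level,
    since repeated attempts from the same principal are worth a look.
    """
    allowed = {p.strip().lower() for p in allowed_principals}
    findings: list[Finding] = []
    for rec in records:
        if rec.get("service_name") != SERVING_SERVICE:
            continue
        if rec.get("action_name") != CREATE_ACTION:
            continue
        actor = ((rec.get("user_identity") or {}).get("email") or "").lower()
        if actor in allowed:
            continue
        status = (rec.get("response") or {}).get("status_code")
        endpoint = (rec.get("request_params") or {}).get("name") or "<unknown>"
        when = rec.get("event_time", "")
        if status == 200:
            findings.append(Finding(when, actor, endpoint, "high",
                                    "endpoint created by principal outside the allowlist"))
        else:
            findings.append(Finding(when, actor, endpoint, "info",
                                    f"creation attempt rejected (status {status})"))
    return findings


# Constructed sample rows in the assumed audit-table shape; not real log data.
SAMPLE_RECORDS = [
    {"event_time": "2024-05-01T09:00:00Z", "service_name": SERVING_SERVICE,
     "action_name": CREATE_ACTION, "user_identity": {"email": "mlops-admin@example.com"},
     "request_params": {"name": "fraud-scorer"}, "response": {"status_code": 200}},
    {"event_time": "2024-05-01T09:05:00Z", "service_name": SERVING_SERVICE,
     "action_name": CREATE_ACTION, "user_identity": {"email": "analyst@example.com"},
     "request_params": {"name": "shadow-llm"}, "response": {"status_code": 200}},
    {"event_time": "2024-05-01T09:07:00Z", "service_name": SERVING_SERVICE,
     "action_name": CREATE_ACTION, "user_identity": {"email": "intern@example.com"},
     "request_params": {"name": "scratch"}, "response": {"status_code": 403}},
    {"event_time": "2024-05-01T09:10:00Z", "service_name": SERVING_SERVICE,
     "action_name": "deleteServingEndpoint", "user_identity": {"email": "analyst@example.com"},
     "request_params": {"name": "shadow-llm"}, "response": {"status_code": 200}},
    {"event_time": "2024-05-01T09:12:00Z", "service_name": "clusters",
     "action_name": "create", "user_identity": {"email": "analyst@example.com"},
     "request_params": {}, "response": {"status_code": 200}},
]


def demo() -> list[Finding]:
    """Run the check over the constructed rows with a one-member allowlist."""
    return find_unauthorized_creates(SAMPLE_RECORDS, ["MLOps-Admin@example.com"])


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity}] {f.event_time} {f.actor} -> {f.endpoint}: {f.reason}")
```

In a notebook the records would come from the audit table itself, for example `[r.asDict(recursive=True) for r in spark.table("system.access.audit").filter("service_name = 'serverlessRealTimeInference'").collect()]`, after confirming the column and action names in your workspace match the assumed ones. Matching on the principal's email is case-insensitive on purpose, since identity providers do not always preserve case.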
