cancel
Showing results forย 
Search instead forย 
Did you mean:ย 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

No Explicit Deny for User security configurations at the group level?

Chris_Shehu
Valued Contributor III

Currently when you add new users to the Databricks workspace they get added to a "Users" group that has full access to the workspace. There should be a way to use group security to explicitly deny access to those same settings. This setting should override the default allow access.

imageimage 

image 

I also noticed the Parent User Groups are empty inside the groups? Is this maybe something we should be using that we're not?

1 ACCEPTED SOLUTION

Accepted Solutions

Anonymous
Not applicable

@Christopher Shehuโ€‹ If you don't want the "Users" group is enabled with "Workspace access" and "Databricks SQL access" entitlements, you disable all entitlements. Create separate groups based on your use case and enable the required entitlements.

Regarding parent user groups, a group can be a member(child) of another group(s). As per the screenshot, subgroup is a child of john_test_group and maingroup (parent groups). Hope this helps.

image

View solution in original post

4 REPLIES 4

Anonymous
Not applicable

@Christopher Shehuโ€‹ If you don't want the "Users" group is enabled with "Workspace access" and "Databricks SQL access" entitlements, you disable all entitlements. Create separate groups based on your use case and enable the required entitlements.

Regarding parent user groups, a group can be a member(child) of another group(s). As per the screenshot, subgroup is a child of john_test_group and maingroup (parent groups). Hope this helps.

image

Anonymous
Not applicable

Hi @Christopher Shehuโ€‹ 

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance! 

deanjames
New Contributor II

Yes, there should be a way to use group security to explicitly deny access to the workspace settings for new users added to the "Users" group. This setting should override the default allow access. UMR Provider Portal Login

Anonymous
Not applicable

@dean jamesโ€‹ I am not sure about your case why you want to deny access to the group once you create it. Anyhow, we can use deacticate/activate an user using "2.0/preview/scim/v2/Users/{id}" rest API endpoint. We can also deactivate users that have not logged in for a customizable period. Hope this helps

https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#activate-and-deactivate-user-b...

https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#automatically-deactivate-users

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group