cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

No Explicit Deny for User security configurations at the group level?

Go to solution
Chris_Shehu
Valued Contributor III

‎03-22-2023 03:20 PM

Currently when you add new users to the Databricks workspace they get added to a "Users" group that has full access to the workspace. There should be a way to use group security to explicitly deny access to those same settings. This setting should override the default allow access.

imageimage 

image 

I also noticed the Parent User Groups are empty inside the groups? Is this maybe something we should be using that we're not?

Preview file
12 KB
Preview file
7 KB
Preview file
9 KB
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎03-24-2023 10:35 AM

@Christopher Shehu​ If you don't want the "Users" group is enabled with "Workspace access" and "Databricks SQL access" entitlements, you disable all entitlements. Create separate groups based on your use case and enable the required entitlements.

Regarding parent user groups, a group can be a member(child) of another group(s). As per the screenshot, subgroup is a child of john_test_group and maingroup (parent groups). Hope this helps.

image

View solution in original post

4 REPLIES 4

Go to solution
Anonymous
Not applicable

‎03-24-2023 10:35 AM

@Christopher Shehu​ If you don't want the "Users" group is enabled with "Workspace access" and "Databricks SQL access" entitlements, you disable all entitlements. Create separate groups based on your use case and enable the required entitlements.

Regarding parent user groups, a group can be a member(child) of another group(s). As per the screenshot, subgroup is a child of john_test_group and maingroup (parent groups). Hope this helps.

image

Go to solution
Anonymous
Not applicable

‎03-26-2023 10:01 PM

Hi @Christopher Shehu​ 

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance! 

0 Kudos

Go to solution
deanjames
New Contributor II

‎03-28-2023 01:10 AM

Yes, there should be a way to use group security to explicitly deny access to the workspace settings for new users added to the "Users" group. This setting should override the default allow access. UMR Provider Portal Login

Go to solution
Anonymous
Not applicable

‎03-28-2023 03:14 AM

@dean james​ I am not sure about your case why you want to deny access to the group once you create it. Anyhow, we can use deacticate/activate an user using "2.0/preview/scim/v2/Users/{id}" rest API endpoint. We can also deactivate users that have not logged in for a customizable period. Hope this helps

https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#activate-and-deactivate-user-b...

https://docs.databricks.com/dev-tools/api/latest/scim/scim-users.html#automatically-deactivate-users

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements