Databricks Community

405041 · ‎04-26-2023

Hey,

As I understand, you cannot enable SSO and MFA for the Account Owner.

Is there any way on the Databricks side to secure the Account Owner beyond username/password? Is there a lockout that is set up automatically for this user?

What are the best practices to secure the Account Owner? (I don't mean how to handle username/password in general, but what in-built mechanisms can we use in Databricks)

Thank you in advance!

Anonymous · ‎04-26-2023

@Domonkos Rozsa :

You are correct that Databricks does not support SSO and MFA for the Account Owner. However, there are several built-in mechanisms that can help secure the Account Owner account and protect it from unauthorized access:

Password policy: Databricks allows you to set a password policy for all users, including the Account Owner. You can set password length, complexity requirements, and expiration rules to ensure that passwords are secure and regularly updated.
IP access lists: Databricks allows you to restrict access to your account based on IP address. You can create IP access lists that specify which IP addresses are allowed to access your Databricks account, and block access from all other IP addresses. This can help prevent unauthorized access to the Account Owner account.
Audit logging: Databricks provides extensive audit logging capabilities, including logs of all user activity, login attempts, and administrative actions. You can use these logs to monitor activity on the Account Owner account and identify any suspicious activity.
Role-based access control: Databricks supports role-based access control (RBAC), which allows you to grant permissions to users based on their roles and responsibilities. By assigning appropriate roles to the Account Owner, you can limit the actions they can perform and reduce the risk of accidental or intentional damage to your account.

Regarding the lockout mechanism, Databricks does not have an automatic lockout feature for the Account Owner account. However, you can set up an alert in Databricks monitoring that triggers when multiple failed login attempts are detected for the Account Owner account. This can help you identify and respond to potential unauthorized access attempts.

Overall, the best practices to secure the Account Owner account include enforcing strong passwords, restricting access to trusted IP addresses, monitoring activity through audit logging, and using RBAC to limit permissions. Additionally, you should regularly review and update your security measures to ensure they remain effective against evolving threats.

405041 · ‎04-27-2023

Dear Suteja,

Thank you for the answer.

I checked (in Premium and Enterprise tiers) and it seems to me that you can set a Password Policy only on Workspace level only and just for other users than the Account Owner. If it is possible to set a password policy for the Account Owner user, could you please help me finding the appropriate settings (in the UI)?

Also using RBAC you cannot exclude the Account Owner from Worspaces, right? It can always add itself back.

So this account has the potential to access every content on the account, in all Workspaces without any extra approval or admin account being needed?

Thank you again for the help!