Credential passthrough
This actually needs some setting up in AWS IAM to get started. Once you've created the right instance profiles, you'll need to add them to your Databricks workspace. There are pretty exhaustive guides here that have each of the steps.
AWS: https://docs.databricks.com/security/credential-passthrough/iam-passthrough.html
Azure: https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough
Single user access
Do you mean restricting access to a cluster for a single user? You can't directly do this with only SCIM APIs. You'll need to utilize the permissions API to set which users can attach to/run/manage a cluster and simply restrict that to a single user or group.
The SCIM APIs allow you to set whether that user is part of a particular group or whether they can access the Databricks DE/DS or SQL analytics workspace in the first place. They also allow you to specify if someone has global cluster creation/editing privileges.
Permission settings
See above, you might want to look at the permissions API.
https://docs.databricks.com/dev-tools/api/latest/permissions.html
Heads up: some of the advanced permissions settings also need to be enabled by logging in, going to the Admin console from the dropdown in the top right, and then the 'Workspace Settings' tab at the top.
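
As an added example (not part of the original answer), this sketch builds the Permissions API call that replaces a cluster's direct ACL with a single user, then audits a GET response for anyone else who still has access. The endpoint path and permission levels are assumed to match the Permissions API docs linked above; the host, token, cluster ID, user names and sample response are constructed placeholders.

```python
import json
import urllib.request

# Cluster permission levels assumed from the Permissions API docs.
CLUSTER_LEVELS = {"CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE"}

def build_single_user_acl(host, token, cluster_id, user_name, level="CAN_ATTACH_TO"):
    """Build (do not send) a PUT that replaces the cluster's direct ACL with one user."""
    if level not in CLUSTER_LEVELS:
        raise ValueError(f"unknown cluster permission level: {level}")
    body = {"access_control_list": [{"user_name": user_name, "permission_level": level}]}
    return urllib.request.Request(
        f"{host.rstrip('/')}/api/2.0/permissions/clusters/{cluster_id}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )

def unexpected_principals(acl_response, allowed_user):
    """List (principal, level, inherited) for every grant not held by allowed_user."""
    findings = []
    for entry in acl_response.get("access_control_list", []):
        principal = (entry.get("user_name") or entry.get("group_name")
                     or entry.get("service_principal_name"))
        if principal == allowed_user:
            continue
        for perm in entry.get("all_permissions", []):
            findings.append((principal, perm["permission_level"], perm.get("inherited", False)))
    return findings

# Constructed sample of a GET response for the same cluster (not real data).
SAMPLE_ACL = {
    "object_id": "/clusters/0000-000000-example",
    "object_type": "cluster",
    "access_control_list": [
        {"user_name": "alice@example.com",
         "all_permissions": [{"permission_level": "CAN_ATTACH_TO", "inherited": False}]},
        {"user_name": "bob@example.com",
         "all_permissions": [{"permission_level": "CAN_RESTART", "inherited": False}]},
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
    ],
}

if __name__ == "__main__":
    req = build_single_user_acl("https://example.cloud.databricks.com", "<token>",
                                "0000-000000-example", "alice@example.com")
    print(req.get_method(), req.full_url)  # urllib.request.urlopen(req) would send it
    for finding in unexpected_principals(SAMPLE_ACL, "alice@example.com"):
        print(finding)
```

Grants marked as inherited (such as the admins group in the sample) are not removed by replacing the direct ACL, so review them separately.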