Cannot downgrade workspace object permissions using API
11-06-2024 08:49 AM
Hi!
I'd like to restrict some users' permissions using REST API and got an issue while trying to update a permission on 'directories'.
I'm trying to set a user's permission on their default username folder in the workspace to 'can edit' so that they cannot create a new notebook until further approval. This works fine on UI, but if I try with API I get the following error.
{'error_code': 'INVALID_PARAMETER_VALUE', 'message': "Cannot downgrade xxx@abc.com's CAN_MANAGE permission on xxxxxxxxxx"}
Is there any way to make this work programmatically?
11-06-2024 10:51 AM - edited 11-06-2024 10:52 AM
Hi @takak,
Greetings from Databricks!
What is the REST API you are making the call to?
Looks like this might not be supported programmatically, but will try to test it internally. It appears that the CAN_MANAGE permission is a higher-level permission that cannot be downgraded programmatically through the API. This restriction is likely in place to prevent accidental loss of critical management permissions.
11-06-2024 08:35 PM
Thank you for your response!
The endpoint I'm calling is `/api/2.0/permissions/{workspace_object_type}/{workspace_object_id}`.
It would be great if it can be tested indeed, thanks!
11-15-2024 01:37 PM
Hello Alberto,
I am trying to disable user access to their folders in our production workspace via API, or maybe limit to can_read. When I do I get a similar message as the posting above. By default users receive the can_manage for their folders. Is there any other way to lock down these folders? Users are created automatically via AD Groups, so it has to be done programmatically.
Any help would be greatly appreciated!