Databricks Community

shivamrai162 · yesterday

Hello,

I've provided necessary permissions to a chatbot that i created using DAB and deployed on databricks apps following this documentation. At the backend its using below agents

Multi Agent Supervisor
Knowledge Assistant
AI/BI Genie

I've provided can_query permission to first two in databricks.yml file.
Also provided the same permissions through UI (including for genie) but still the multi supervisor agent is not able to communicate with Genie.

Could anyone please help with this.

Thank You.

bianca_unifeye · yesterday

From the screenshot it does show:

genie-space – Type: Genie space – Permissions: Can run

That’s good, but this must come from your databricks.yml. If you only added it via the UI, but the bundle doesn’t declare it, a redeploy can put things out of sync.

Key points:

For serving endpoints → CAN_QUERY is correct.
For Genie spaces → you need CAN_RUN, not CAN_QUERY.
Put the permission on app: ${bundle.app_id} so the app identity, not just you as a user, can call Genie.

If Genie was only granted to you or another user in the UI, the multi-agent (running as the app identity) still won’t be able to use it.

Permissions alone aren’t enough; the Multi Agent Supervisor needs Genie explicitly defined as a tool in its agent spec.

You should have something like:

"tools": [
{
"type": "agent",
"agent_id": "knowledge-assistant",
"name": "knowledge_assistant"
},
{
"type": "ai_bi_genie",
"name": "genie",
"genie_space_key": "genie-space" // must match the app resource key
}
]

Common mistakes:

Wrong genie_space_key (must match the genie-space key defined under app.resources in databricks.yml).
Using wrong tool type name (ai_bi_genie vs something else from the sample code).

If the key doesn’t match, the app starts fine but the supervisor can’t resolve the Genie tool at runtime.

Go to the App → Logs tab and look for messages when the supervisor tries to use Genie:

If you see PERMISSION_DENIED / 403 / “no access to genie space” → it’s a permissions / app-identity issue → fix CAN_RUN for the app as above.
If you see something like “tool not found” / “unknown tool” / “no resource genie-space” → it’s a wiring issue → fix the tools configuration and/or the genie_space_key.

This will tell you very quickly whether it’s auth or config.

Also, don't forget about the underlying permissions.

Even if the app can “run” the Genie space, Genie still needs access to:

The semantic models / queries / tables used in that Genie space.

Make sure the app principal (same identity you gave CAN_RUN on Genie) has:

SELECT / USE CATALOG / USE SCHEMA on the relevant UC objects, or
CAN_USE on semantic models if you’re using them.

Otherwise the supervisor might reach Genie, but Genie will fail to answer because it can’t see the data.

Hope it helps!

View solution in original post

bianca_unifeye · yesterday

From the screenshot it does show:

genie-space – Type: Genie space – Permissions: Can run

That’s good, but this must come from your databricks.yml. If you only added it via the UI, but the bundle doesn’t declare it, a redeploy can put things out of sync.

Key points:

For serving endpoints → CAN_QUERY is correct.
For Genie spaces → you need CAN_RUN, not CAN_QUERY.
Put the permission on app: ${bundle.app_id} so the app identity, not just you as a user, can call Genie.

If Genie was only granted to you or another user in the UI, the multi-agent (running as the app identity) still won’t be able to use it.

Permissions alone aren’t enough; the Multi Agent Supervisor needs Genie explicitly defined as a tool in its agent spec.

You should have something like:

"tools": [
{
"type": "agent",
"agent_id": "knowledge-assistant",
"name": "knowledge_assistant"
},
{
"type": "ai_bi_genie",
"name": "genie",
"genie_space_key": "genie-space" // must match the app resource key
}
]

Common mistakes:

Wrong genie_space_key (must match the genie-space key defined under app.resources in databricks.yml).
Using wrong tool type name (ai_bi_genie vs something else from the sample code).

If the key doesn’t match, the app starts fine but the supervisor can’t resolve the Genie tool at runtime.

Go to the App → Logs tab and look for messages when the supervisor tries to use Genie:

If you see PERMISSION_DENIED / 403 / “no access to genie space” → it’s a permissions / app-identity issue → fix CAN_RUN for the app as above.
If you see something like “tool not found” / “unknown tool” / “no resource genie-space” → it’s a wiring issue → fix the tools configuration and/or the genie_space_key.

This will tell you very quickly whether it’s auth or config.

Also, don't forget about the underlying permissions.

Even if the app can “run” the Genie space, Genie still needs access to:

The semantic models / queries / tables used in that Genie space.

Make sure the app principal (same identity you gave CAN_RUN on Genie) has:

SELECT / USE CATALOG / USE SCHEMA on the relevant UC objects, or
CAN_USE on semantic models if you’re using them.

Otherwise the supervisor might reach Genie, but Genie will fail to answer because it can’t see the data.

Hope it helps!

shivamrai162 · yesterday

Hello Bianca,

After following what you told, i found issues at two levels

One was the missing genie-space configuration within databricks.yml
Other was with granting permissions to the service principal (app identity) access to the underlying tables.that Genie was using.

You're the best!

Thanks a lot!

Databricks Community

Multi Agent Supervisor not able to coordinate with genie when deployed as a databricks app

Join Us as a Local Community Builder!

Join us for another BrickTalk: Vibe-Coding Databricks Apps in Replit with Augusto!

🌟 Community Pulse: Your Weekly Roundup! November 14 – 20, 2025

Celebrating Our First Brickster Champion: Louis Frolio

⭐ Setup Spark with Hadoop Anywhere : A DBR aligned local Spark+HDFS+Hive stack on Docker⭐

Big Book of Data Engineering - Get how-tos, code snippets and real-world examples