Greetings @avadhut22111997, sorry this fell through the cracks. I am happy to help you lock down access to a single Genie Space so the user can only view it and ask questions there.
What "view and ask only" means in Genie
- Give the user the Genie Space permission level CAN VIEW/CAN RUN. This lets them see the space and ask Genie questions, but not edit instructions or manage sharing.
Option A - Share to a workspace member with a restricted UI (recommended)
To keep the user in a read-only experience and limit broader platform features, use Consumer access and share only the specific space:
- Assign the user only the Consumer access entitlement (do not grant Databricks SQL or Workspace access). Consumer access provides a simplified, read-only experience focused on dashboards, Genie spaces, and Databricks Apps shared with them.
- Ensure your workspace's default entitlements don't automatically grant broader access; if your org uses the default "users" group entitlements, configure entitlements so this user retains only Consumer access in the workspace.
- Open the Genie Space, click Share, add the user or group, and set permission to CAN VIEW/CAN RUN.
- Grant minimal runtime permissions required for the space to function:
  - Compute: Give the user at least CAN USE on the space's default SQL warehouse.
  - Data: Grant SELECT on the Unity Catalog tables the space uses; if they lack access, questions about those tables return empty results.
Option B - Share beyond the workspace (account-level) with embedded credentials
If you want to avoid onboarding the user to the workspace entirely, there is a private preview to share Genie Spaces with account users (not workspace members) so they can open the URL, authenticate, and ask questions only:
- Share the Genie Space to account users and, in Space settings, enable embedded credentials. This creates a service principal mirroring the last editor's table permissions so account users can ask questions without having direct data/compute access. Account users are restricted to asking questions and providing thumbs up/down feedback; they cannot edit or manage the space.
Note: Public docs currently state that "viewers must be members of the workspace to interact with Genie spaces"; use the account-level sharing path only if your account team has enabled the private preview in your tenant.
Practical configuration checklist
- Confirm the intended sharing model (workspace member with Consumer access vs account user in private preview).
- In the Genie Space:
  - Verify the default warehouse and keep it minimal; grant the user CAN USE on that warehouse only.
- Optional safeguards:
  - If file uploads are enabled for Genie in your org, keep uploads disabled for this space to prevent users from blending external files.
  - If you prefer not to grant individual data permissions, consider publishing a dashboard with Enable Genie and "shared data" permissions; the linked Genie Space will run with the publisher's credentials while viewers interact, which can reduce per-user UC grants. This approach still requires viewers to be members of the workspace.
How to share the URL
- In the Genie Space, click Share and use Copy link to get a shareable URL; recipients with the required permissions can open the space and ask questions.
Hoping this guidance is still useful to you.
Cheers, Louis.
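
The data grants from Option A, written out as Unity Catalog SQL. This is an added example, not part of the original reply: the catalog, schema, table and user names are placeholders, and the USE CATALOG / USE SCHEMA grants are included on the assumption that the user does not already hold them, since Unity Catalog requires both on the parent objects before SELECT on a table can be used.

```sql
-- Placeholders (assumptions, replace with your own):
--   catalog: genie_demo   schema: sales   tables: orders, customers
--   principal: `viewer@example.com`

-- 1. Traversal privileges on the parents. These grant no data access by
--    themselves; they only allow the principal to reach objects inside.
GRANT USE CATALOG ON CATALOG genie_demo TO `viewer@example.com`;
GRANT USE SCHEMA  ON SCHEMA  genie_demo.sales TO `viewer@example.com`;

-- 2. Read access on exactly the tables the Genie Space is built on.
--    Grant per table rather than on the schema, so tables added to the
--    schema later are not exposed automatically.
GRANT SELECT ON TABLE genie_demo.sales.orders    TO `viewer@example.com`;
GRANT SELECT ON TABLE genie_demo.sales.customers TO `viewer@example.com`;

-- 3. Verify what the principal actually holds on each securable.
SHOW GRANTS `viewer@example.com` ON CATALOG genie_demo;
SHOW GRANTS `viewer@example.com` ON SCHEMA  genie_demo.sales;
SHOW GRANTS `viewer@example.com` ON TABLE   genie_demo.sales.orders;

-- 4. Audit for anything broader than SELECT in the schema. An empty
--    result means the user has read-only table access there.
SELECT table_name, privilege_type
FROM genie_demo.information_schema.table_privileges
WHERE grantee = 'viewer@example.com'
  AND table_schema = 'sales'
  AND privilege_type <> 'SELECT';

-- 5. If a table is later removed from the space, remove the grant too.
REVOKE SELECT ON TABLE genie_demo.sales.customers FROM `viewer@example.com`;
```

CAN USE on the SQL warehouse and CAN VIEW/CAN RUN on the Genie Space are object permissions set through the Share dialog or the permissions settings of each object, not through SQL grants.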