Hello,
There are several ways to grant Workspace Admin permissions in Databricks. While this may seem straightforward, I found it a bit confusing when I started using Databricks, so I’d like to share my experience. This guide is aimed at beginners.
How Account Admins Can Grant Workspace Admin Permissions
This is a simple process. From the account console, you can directly attach an identity (user, group, or service principal) to a workspace. By selecting "Admin" during the attachment, you grant Workspace Admin permissions.
How Workspace Admins Can Grant Workspace Admin Permissions
Compared to granting permissions via the account console, this method is slightly more complex because the steps vary depending on the identity type.
Granting Permissions to a User
- Log in to the Databricks workspace as a Workspace Admin.
- Click on Settings > Identity and Access.
- Click Manage next to Users, and select the target user.
- Go to the Entitlements tab and toggle Admin access to enable it.
Granting Permissions to a Service Principal
- Log in to the Databricks workspace as a Workspace Admin.
- Click on Settings > Identity and Access.
- Click Manage next to Groups, and select the admins system group.
- Click Add members, select the service principal, and click Confirm.
Note: This method can also be used for users.
Granting Permissions to a Group
Currently, it is not possible to directly grant Workspace Admin permissions to a group from within the workspace.
Even though adding a group to the admins system group might seem like an option, this is not allowed. So, how can this be achieved? This is the main topic of this guide.
Understanding Parent Groups
To grant admin permissions to a group, you can either:
- Have an Account Admin assign permissions via the account console, or
- Add the group to an existing group that already has Workspace Admin permissions.
The latter creates a parent-child relationship where the admin permissions of the parent group propagate to the child group. Let’s explore this mechanism.
Parent Group Setup Example
- admin_group: A group directly attached to the workspace by an Account Admin, possessing Workspace Admin permissions.
- test_group: A group that needs admin permissions, added to the workspace by a Workspace Admin.
- test_user: A user in test_group who does not initially have admin permissions.
By adding test_group to admin_group, a parent-child relationship is established. You can verify this under the Parent groups tab in the group settings. Once set, the parent group’s permissions propagate to the child group.
Verifying Permissions
After setting up the parent-child relationship:
- The test_user, who originally did not have admin permissions, will now have Admin access enabled in the Entitlements section.
- Under the groups the user belongs to, you’ll see admin_group, test_group, and admins, indicating Workspace Admin permissions.
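Because admin rights propagate through parent groups, the members of admins alone do not show everyone who holds Workspace Admin. The sketch below is an added example, not code from the original post or from Databricks. It walks nested membership from the admins group over constructed sample records shaped like SCIM group resources (an assumption); ci_deployer, analysts and other_user are hypothetical names.

```python
from collections import deque

# Constructed sample, shaped like SCIM group resources (assumption): each member
# carries a "$ref" whose prefix says whether it is a user, group or service principal.
GROUPS = [
    {"id": "1", "displayName": "admins", "members": [
        {"value": "2", "display": "admin_group", "$ref": "Groups/2"},
        {"value": "90", "display": "ci_deployer", "$ref": "ServicePrincipals/90"}]},
    {"id": "2", "displayName": "admin_group", "members": [
        {"value": "3", "display": "test_group", "$ref": "Groups/3"}]},
    {"id": "3", "displayName": "test_group", "members": [
        {"value": "50", "display": "test_user", "$ref": "Users/50"}]},
    {"id": "4", "displayName": "analysts", "members": [
        {"value": "51", "display": "other_user", "$ref": "Users/51"}]},
]


def effective_admins(groups, root="admins"):
    """Return {principal: [group path from root]} for every user or service
    principal that inherits Workspace Admin through nested group membership."""
    by_id = {g["id"]: g for g in groups}
    start = next(g for g in groups if g["displayName"] == root)
    found, seen = {}, {start["id"]}
    queue = deque([(start, [root])])
    while queue:
        group, path = queue.popleft()
        for m in group.get("members", []):
            kind = m["$ref"].split("/", 1)[0]
            if kind == "Groups":
                child = by_id.get(m["value"])
                # 'seen' stops a group reachable by two routes being walked twice
                if child and child["id"] not in seen:
                    seen.add(child["id"])
                    queue.append((child, path + [child["displayName"]]))
            else:
                # breadth-first order means the first path recorded is the shortest
                found.setdefault(m["display"], path)
    return found


if __name__ == "__main__":
    for principal, path in sorted(effective_admins(GROUPS).items()):
        note = "direct" if len(path) == 1 else "inherited"
        print(f"{principal:12} {note:9} via {' > '.join(path)}")
```

Principals reported as inherited are the ones that do not appear when you look only at the direct members of admins, so they are the entries to check during an access review.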
Granting Workspace Admin Permissions to Users Added Through Groups
Lastly, let’s address this scenario:
If a user is added to the workspace via a group, you cannot directly enable their admin permissions from the Entitlements tab. The UI shows this message:
"This user is added through a group. Manage its admin status from the parent group instead."
Instead, you must add the user to a group that already has Workspace Admin permissions.
I hope this guide has been helpful in explaining how to grant Workspace Admin permissions to an ID using the parent group mechanism. Feel free to share your feedback or thoughts in the comments!