cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Warehousing & Analytics
Engage in discussions on data warehousing, analytics, and BI solutions within the Databricks Community. Share insights, tips, and best practices for leveraging data for informed decision-making.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to restrict external access to SQL Warehouse but allow workspace queries?

teixeire
New Contributor II

4 weeks ago

Hi everyone,

I'm currently setting up access controls in our Databricks development workspace. The goal is to enable business users to explore data and build their SQL skills within the workspace itself (e.g., via SQL editor or notebooks), but prevent them from connecting to the SQL Warehouse externally, such as from Power BI or other BI tools using JDBC/ODBC.

This is because the environment is a sandbox and not intended for enterprise reporting or external data access. We want to ensure that all data interaction remains within the Databricks environment.

I’m looking for the best way to:

  1. Allow SQL querying within the workspace for selected users.

  2. Prevent any connections from external tools to the SQL Warehouse endpoint (e.g., blocking Power BI or DBeaver access).

  3. Maintain this control without overly complicating access for internal development/testing.

I’ve looked into IP Access Lists and Unity Catalog permissions but would appreciate any best practices, tips, or lessons learned from others who have implemented similar restrictions.

Thanks in advance!

0 Kudos
3 REPLIES 3

tltharani
New Contributor II

4 weeks ago

Enable Workspace-Only Access to SQL Warehouses (Serverless or Classic)
If you're using Serverless SQL Warehouses, or even Classic, you can restrict them to workspace access only:

1.Only notebooks, dashboards, and SQL editor can connect.
2.External JDBC/ODBC clients (like Power BI) will be blocked.

0 Kudos

teixeire
New Contributor II
In response to tltharani

4 weeks ago

Thanks for your reply, maybe you can guide me ?

I set up two different as suggested, one as Serverless and another as Classic, and I could establish connection though catalogue using Power BI.

0 Kudos

Isi
Contributor III

Wednesday

Hi @teixeire ,

To prevent external tools like Power BI or DBeaver from connecting to your SQL Warehouse, one effective approach is to restrict personal access token (PAT) creation for users who should only query data inside the Databricks workspace.

This ensures that:

  • Users cannot generate tokens to connect via JDBC/ODBC from outside.

  • Any existing tokens should be manually revoked if already created.

In addition to token restrictions, you can control what users can do inside the workspace by using Unity Catalog permissions. For example:

  • Grant USE CATALOG, USE SCHEMA, and SELECT only to users or groups who are allowed to run SQL queries.

  • Use cluster access control to make sure only selected users can run notebooks or use shared compute resources.

With this combination, you allow SQL exploration within the workspace while fully blocking external access.

Hope this helps 🙂

Isi

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements