https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98996#M2318 <P>Hello Alberto,&nbsp;</P><P>I am trying to disable user access to their folders in our production workspace via API, or maybe limit to can_read.&nbsp; When I do I get a similar message as the posting above. By default users receive the can_manage for their folders. Is there any other way to do lock down these folders? Users are created automatically via AD Groups, so it has to be done programmatically.&nbsp;</P><P>Any help would be grately appreciated!</P> Fri, 15 Nov 2024 21:37:16 GMT alexzet 2024-11-15T21:37:16Z https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/97999#M2244 <P>Hi!</P><P>I'd like to restrict some users' permissions using REST API and got an issue while trying to update a permission on 'directories'.</P><P>I'm trying to set a user's permission on their default username folder in the workspace to 'can edit' so that they cannot create a new notebook until further approval. This works fine on UI, but if I try with API I get the following error.</P><P>&nbsp;</P><LI-CODE lang="markup">{'error_code': 'INVALID_PARAMETER_VALUE', 'message': "Cannot downgrade xxx@abc.com's CAN_MANAGE permission on xxxxxxxxxx"}</LI-CODE><P>&nbsp;</P><P>Is there any way to make this work programmaticaly?</P> Wed, 06 Nov 2024 16:49:43 GMT https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/97999#M2244 takak 2024-11-06T16:49:43Z https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98007#M2245 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/131364">@takak</a>,</P> <P>Greetings from Databricks!</P> <P>What is the REST API you are making the call to?</P> <P>Looks like this might not be supported programmatically, but will try to test it internally.&nbsp;it appears that the <CODE>CAN_MANAGE</CODE> permission is a higher-level permission that cannot be downgraded programmatically through the API. This restriction is likely in place to prevent accidental loss of critical management permissions.</P> Wed, 06 Nov 2024 18:52:07 GMT https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98007#M2245 Alberto_Umana 2024-11-06T18:52:07Z https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98031#M2247 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/106294">@Alberto_Umana</a>&nbsp;</P><P>Thank you for your response!</P><P>The endpoint I'm calling is `<SPAN>/api/2.0/permissions/{workspace_object_type}/{workspace_object_id}`.</SPAN></P><P><SPAN>It would be great if it can be tested indeed, thanks!</SPAN></P> Thu, 07 Nov 2024 04:35:08 GMT https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98031#M2247 takak 2024-11-07T04:35:08Z https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98996#M2318 <P>Hello Alberto,&nbsp;</P><P>I am trying to disable user access to their folders in our production workspace via API, or maybe limit to can_read.&nbsp; When I do I get a similar message as the posting above. By default users receive the can_manage for their folders. Is there any other way to do lock down these folders? Users are created automatically via AD Groups, so it has to be done programmatically.&nbsp;</P><P>Any help would be grately appreciated!</P> Fri, 15 Nov 2024 21:37:16 GMT https://community.databricks.com/t5/administration-architecture/cannot-downgrade-workspace-object-permissions-using-api/m-p/98996#M2318 alexzet 2024-11-15T21:37:16Z