Jobs access control

This article describes how to configure permissions on jobs.

Note

Access control is available only in the Premium plan.

Access control for jobs allows job owners to control who can view job results or manage runs of a job. This article describes the individual permissions and how to configure jobs access control.

Job permissions

There are five permission levels for jobs: NO PERMISSIONS, CAN VIEW, CAN MANAGE RUN, IS OWNER, and CAN MANAGE. Workspace admins have the CAN MANAGE permission on all jobs in their workspace and the job creator has the IS OWNER permission by default.

The table lists the abilities for each permission.

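| Ability | NO PERMISSIONS | CAN VIEW | CAN MANAGE RUN | IS OWNER | CAN MANAGE |
|---|---|---|---|---|---|
| View job details and settings | | x | x | x | x |
| View results | | x | x | x | x |
| View Spark UI, logs of a job run | | | x | x | x |
| Run now | | | x | x | x |
| Cancel run | | | x | x | x |
| Edit job settings | | | | x | x |
| Delete job | | | | x | x |
| Modify permissions | | | | x | x |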

Note

  • You can view notebook run results only if you have the CAN VIEW or higher permission on the job. This keeps jobs access control intact even if the job notebook is renamed, moved, or deleted.
  • Jobs access control applies to jobs displayed in the Databricks Jobs UI and their runs. It doesn't apply to the following:
    • Runs triggered by modularized or linked code in notebooks that use the permissions of the notebook. If a notebook workflow is created from a task with a Git source, you can only access the run and its related files using the Run as identity.
    • Runs submitted by API whose permissions are by default bundled with the notebooks. However, the default permissions can be overridden by setting the access_control_list parameter in the request body.

Job owner

By default, the creator of a job has the IS OWNER permission and is the user in the job's Run as setting. Jobs run as the identity of the user in the Run as setting. For more information on the Run as setting, see Run a job as a service principal.

Workspace admins can change the job owner to themselves. When ownership is transferred, the previous owner is granted the CAN MANAGE permission.

Note

When the RestrictWorkspaceAdmins setting on a workspace is set to ALLOW ALL, workspace admins can change a job owner to any user or service principal in their workspace. To restrict workspace admins so that they can change a job owner only to themselves, see Restrict workspace admins.

Configure job permissions

This section describes how to manage permissions using the workspace UI. You can also use the Permissions API or Databricks Terraform provider.

You must have CAN MANAGE or IS OWNER permission on the job in order to manage permissions on it.

  1. In the sidebar, click Job Runs.

  2. Click the name of a job.

  3. In the Job details panel, click Edit permissions.

  4. In Permission Settings, click the Select User, Group or Service Principal… drop-down menu and select a user, group, or service principal.

  5. Click Add.

  6. Click Save.
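
To review the result of these steps outside the UI, the following added example (not part of the original article and not Databricks code) encodes the ability table from this article and audits a job's access control list offline. The underscore spellings of the permission levels, the response shape with access_control_list and all_permissions entries, and every principal name in the sample are assumptions or constructed values.

```python
import json

# Abilities per permission level, transcribed from the table in this article.
# Underscore spellings are the assumed API form of the level names.
VIEW = {"view_details", "view_results"}
RUN = VIEW | {"view_spark_ui_and_logs", "run_now", "cancel_run"}
MANAGE = RUN | {"edit_settings", "delete_job", "modify_permissions"}
ABILITIES = {"CAN_VIEW": VIEW, "CAN_MANAGE_RUN": RUN,
             "IS_OWNER": MANAGE, "CAN_MANAGE": MANAGE}
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")

def audit_job_acl(acl, approved_managers, broad_groups):
    """Return (principal, finding) pairs for grants beyond what was approved."""
    findings = []
    for entry in acl["access_control_list"]:
        kind, name = next((k, entry[k]) for k in PRINCIPAL_KEYS if k in entry)
        granted = set()
        for perm in entry.get("all_permissions", []):
            level = perm["permission_level"]
            if level in ABILITIES:
                granted |= ABILITIES[level]
            else:  # unknown level: report it instead of assuming it is harmless
                findings.append((name, "unknown level " + level))
        if "modify_permissions" in granted and name not in approved_managers:
            findings.append((name, "can edit, delete and re-permission the job"))
        if kind == "group_name" and name in broad_groups and "run_now" in granted:
            findings.append((name, "broad group can trigger and cancel runs"))
    return findings

# Constructed sample in the shape assumed for a job's permissions response.
SAMPLE = json.loads("""{
  "object_id": "/jobs/1001", "object_type": "job",
  "access_control_list": [
    {"user_name": "owner@example.com",
     "all_permissions": [{"permission_level": "IS_OWNER", "inherited": false}]},
    {"group_name": "admins",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": true}]},
    {"user_name": "contractor@example.com",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": false}]},
    {"group_name": "users",
     "all_permissions": [{"permission_level": "CAN_MANAGE_RUN", "inherited": false}]},
    {"service_principal_name": "sp-report",
     "all_permissions": [{"permission_level": "CAN_VIEW", "inherited": false}]}
  ]}""")

if __name__ == "__main__":
    for who, why in audit_job_acl(SAMPLE, {"owner@example.com", "admins"}, {"users"}):
        print(who, "->", why)
```

The admins group is listed as approved because workspace admins hold CAN MANAGE on every job; anything else that can modify permissions is reported.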