Access control settings are disabled by default on workspaces that are upgraded from the Standard plan to the Premium plan. Once an access control setting is enabled, it can not be disabled. For more information, see Access controls lists can be enabled on upgraded workspaces.
Access control lists overview
In Azure Databricks, you can use access control lists (ACLs) to configure permission to access workspace level objects. Workspace admins have the CAN MANAGE permission on all objects in their workspace, which gives them the ability to manage permissions on all objects in their workspaces. Users automatically have the CAN MANAGE permission for objects that they create.
You can manage workspace object permissions by adding objects to folders. Objects in a folder inherit all permissions settings of that folder. For example, a user that has the CAN RUN permission on a folder has CAN RUN permission on the alerts in that folder. To learn about organizing objects into folders, see Workspace browser.
AI/BI dashboard ACLs
Ability
NO PERMISSIONS
CAN VIEW/CAN RUN
CAN EDIT
CAN MANAGE
View dashboard and results
x
x
x
Interact with widgets
x
x
x
Refresh the dashboard
x
x
x
Edit dashboard
x
x
Clone dashboard
x
x
x
Publish dashboard snapshot
x
x
Modify permissions
x
Delete dashboard
x
Alerts ACLs
Ability
NO PERMISSIONS
CAN RUN
CAN MANAGE
See in alert list
x
x
View alert and result
x
x
Manually trigger alert run
x
x
Subscribe to notifications
x
x
Edit alert
x
Modify permissions
x
Delete alert
x
Compute ACLs
Important
Users with CAN ATTACH TO permissions can view the service account
keys in the log4j file. Use caution when granting this permission level.
Secrets are not redacted from a cluster's Spark driver log stdout and stderr streams. To protect sensitive data, by default, Spark driver logs are viewable only by users with CAN MANAGE permission on job, single user access mode, and shared access mode clusters. To allow users with CAN ATTACH TO or CAN RESTART permission to view the logs on these clusters, set the following Spark configuration property in the cluster configuration: spark.databricks.acl.needAdminPermissionToViewLogs false.
On No Isolation Shared access mode clusters, the Spark driver logs can be viewed by users with CAN ATTACH TO or CAN MANAGE permission. To limit who can read the logs to only users with the CAN MANAGE permission, set spark.databricks.acl.needAdminPermissionToViewLogs to true.
See Spark configuration to learn how to add Spark properties to a cluster configuration.
Legacy dashboard ACLs
Ability
NO PERMISSIONS
CAN VIEW
CAN RUN
CAN EDIT
CAN MANAGE
See in dashboard list
x
x
x
x
View dashboard and results
x
x
x
x
Refresh query results in the dashboard (or choose different parameters)
This table describes how to control access to feature tables in workspaces that are not enabled for Unity Catalog. If your workspace is enabled for Unity Catalog, use Unity Catalog privileges instead.
Note
Feature Store access control does not govern access to the underlying Delta table, which is governed by table access control.
This table describes how to control access to registered models in workspaces that are not enabled for Unity Catalog. If your workspace is enabled for Unity Catalog, use Unity Catalog privileges instead.
Ability
NO PERMISSIONS
CAN READ
CAN EDIT
CAN MANAGE STAGING VERSIONS
CAN MANAGE PRODUCTION VERSIONS
CAN MANAGE
View model details, versions, stage transition requests, activities, and artifact download URIs
x
x
x
x
x
Request a model version stage transition
x
x
x
x
x
Add a version to a model
x
x
x
x
Update model and version description
x
x
x
x
Add or edit tags
x
x
x
x
Transition model version between stages
x
x
x
Approve a transition request
x
x
x
Cancel a transition request
x
Rename model
x
Modify permissions
x
Delete model and model versions
x
Notebook ACLs
Ability
NO PERMISSIONS
CAN READ
CAN RUN
CAN EDIT
CAN MANAGE
View cells
x
x
x
x
Comment
x
x
x
x
Run via %run or notebook workflows
x
x
x
x
Attach and detach notebooks
x
x
x
Run commands
x
x
x
Edit cells
x
x
Modify permissions
x
Pool ACLs
Ability
NO PERMISSIONS
CAN ATTACH TO
CAN MANAGE
Attach cluster to pool
x
x
Delete pool
x
Edit pool
x
Modify permissions
x
Query ACLs
Ability
NO PERMISSIONS
CAN VIEW
CAN RUN
CAN EDIT
CAN MANAGE
View own queries
x
x
x
x
See in query list
x
x
x
x
View query text
x
x
x
x
View query result
x
x
x
x
Refresh query result (or choose different parameters)