Permission Assignment Account API

Authorization

Permission Assignment Account API endpoints are restricted to account admins.

AWS

The Account API is published on accounts.cloud.databricks.com.

Authenticate with your username and password using basic auth.

Azure

The Account API is published on accounts.azuredatabricks.net.

Authenticate using Azure Active Directory tokens. See "Authenticate using Azure Active Directory tokens - Azure Databricks | Microsoft Docs".

GCP

The Account API is published on accounts.gcp.cloud.databricks.com.

Authenticate using OpenID Connect (OIDC) tokens. See "Authentication using Open ID Connect (OIDC) tokens".

Create/update permission assignment

Create or update workspace permissions for a principal. The principal must exist in the account. If you add permissions to a group, all members of the group also receive the permissions.

Path parameters

| Field name | Type | Description |
| --- | --- | --- |
| account_id | uuid | Databricks account ID |
| workspace_id | int64 | Databricks workspace ID |
| principal_id | int64 | Databricks ID of the user, service principal, or group. The principal ID can be retrieved using the SCIM API. |

Request body

| Field name | Type | Enum values | Description |
| --- | --- | --- | --- |
| permissions | Array<string> | “USER”, “ADMIN” | The list of workspace permissions to assign to the principal. |

“USER” - Can access the workspace with basic privileges.

“ADMIN” - Can access the workspace and has workspace admin privileges to manage users and groups, workspace configurations, and more.

AWS: Administration guide | Databricks on AWS

Azure: Administration guide - Azure Databricks | Microsoft Docs

GCP: Administration guide | Databricks on Google Cloud

HTTP method

PUT

Endpoint

/api/2.0/preview/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments/principals/{principal_id}

Request example

{
  "permissions": ["USER"]
}

Response example

200:

{
  "permissions": ["USER"]
}

Remove permission assignment

Removes all workspace permissions for a principal. When workspace permissions are removed from a user or service principal, any tokens issued to the user or service principal on the workspace are no longer authorized.

Path parameters

| Field name | Type | Description |
| --- | --- | --- |
| account_id | uuid | Databricks account ID |
| workspace_id | int64 | Databricks workspace ID |
| principal_id | int64 | Databricks ID of the user, service principal, or group. The principal ID can be retrieved using the SCIM API. |

HTTP method

DELETE

Endpoint

/api/2.0/preview/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments/principals/{principal_id}

Response example

200:

{}

List permission assignments

Gets a list of principals with at least one permission in the workspace.

Path parameters

| Parameter name | Type | Description |
| --- | --- | --- |
| account_id | uuid | Databricks account ID |
| workspace_id | int64 | Databricks workspace ID |

HTTP method

GET

Endpoint

/api/2.0/preview/accounts/{account_id}/workspaces/{workspace_id}/permissionassignments

Response example

200:

{
  "permission_assignments": [
    {
      "principal": {
        "user_name": "user1@company.com",
        "principal_id": 100001,
        "display_name": "User 1"
      },
      "permissions": ["USER"]
    },
    {
      "principal": {
        "group_name": "Group 1",
        "principal_id": 200001,
        "display_name": "Group 1"
      },
      "permissions": ["USER"]
    },
    {
      "principal": {
        "service_principal_name": "<uuid>",
        "principal_id": 300001,
        "display_name": "Service Principal 1"
      },
      "permissions": ["USER"]
    }
  ]
}

Permission Assignment Workspace API

Authorization

Permission Assignment Workspace API endpoints are restricted to account admins and workspace admins.

[AWS]

The Workspace API is published on the deployment name of your workspace.

dbc-<unique-id>.cloud.databricks.com

Authenticate using PAT tokens.

[Azure]

The Workspace API is published on the deployment name of your workspace.

adb-<workspace-id>.<random-number>.azuredatabricks.net

Authenticate using PAT tokens or Azure Active Directory tokens.

[GCP]

The Workspace API is published on the deployment name of your workspace.

<workspace-id>.<random-number>.gcp.databricks.com

Authenticate using PAT tokens or OpenID Connect tokens.

Create/update permission assignment

Create or update workspace permissions for a principal. The principal must exist in the account.

Path parameters

| Field name | Type | Description |
| --- | --- | --- |
| principal_id | int64 | Databricks principal ID of the user, service principal, or group. The principal ID can be retrieved using the SCIM API. |

Request body

| Field name | Type | Enum values | Description |
| --- | --- | --- | --- |
| permissions | Array<string> | “USER”, “ADMIN” | The list of workspace permissions to assign to the principal. |

“USER” - Can access the workspace with basic privileges.

“ADMIN” - Can access the workspace and has workspace admin privileges to manage users and groups, workspace configurations, and more.

AWS: Administration guide | Databricks on AWS

Azure: Administration guide - Azure Databricks | Microsoft Docs

GCP: Administration guide | Databricks on Google Cloud

HTTP method

PUT

Endpoint

/api/2.0/preview/permissionassignments/principals/{principal_id}

Request example

{
  "permissions": ["USER"]
}

Response example

200:

{
  "permissions": ["USER"]
}

Remove permission assignment

Removes all workspace permissions for a principal. When workspace permissions are removed from a user or service principal, any tokens issued to the user or service principal on the workspace are no longer authorized.

Path parameters

| Field name | Type | Description |
| --- | --- | --- |
| principal_id | int64 | Databricks ID of the user, service principal, or group. The principal ID can be retrieved using the SCIM API. |

HTTP method

DELETE

Endpoint

/api/2.0/preview/permissionassignments/principals/{principal_id}

Response example

200:

{}

List permission assignments

Gets a list of principals with at least one permission in the workspace.

HTTP method

GET

Endpoint

/api/2.0/preview/permissionassignments

Response example

200:

{
  "permission_assignments": [
    {
      "principal": {
        "user_name": "user1@company.com",
        "principal_id": 100001,
        "display_name": "User 1"
      },
      "permissions": ["USER"]
    },
    {
      "principal": {
        "group_name": "Group 1",
        "principal_id": 200001,
        "display_name": "Group 1"
      },
      "permissions": ["USER"]
    },
    {
      "principal": {
        "service_principal_name": "<uuid>",
        "principal_id": 300001,
        "display_name": "Service Principal 1"
      },
      "permissions": ["USER"]
    }
  ]
}
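A least-privilege review built on the list, PUT and DELETE endpoints of both the Account API and the Workspace API described above. This is an added example, not Databricks code. The names `plan_changes`, `approved` and `SAMPLE` are hypothetical, the sample response is constructed, and the code assumes a PUT replaces the principal's whole permission list.

```python
import json

# Endpoint templates copied from the page (account-level and workspace-level).
ACCOUNT_BASE = ("/api/2.0/preview/accounts/{account_id}/workspaces/"
                "{workspace_id}/permissionassignments")
WORKSPACE_BASE = "/api/2.0/preview/permissionassignments"
ALLOWED = {"USER", "ADMIN"}  # enum values documented on the page

# Constructed list response: same shape as the page's example, one ADMIN added.
SAMPLE = json.loads("""
{"permission_assignments": [
  {"principal": {"user_name": "user1@company.com", "principal_id": 100001,
                 "display_name": "User 1"}, "permissions": ["USER", "ADMIN"]},
  {"principal": {"group_name": "Group 1", "principal_id": 200001,
                 "display_name": "Group 1"}, "permissions": ["USER"]},
  {"principal": {"service_principal_name": "<uuid>", "principal_id": 300001,
                 "display_name": "Service Principal 1"}, "permissions": ["USER"]}
]}""")

def plan_changes(list_response, approved, base_path):
    """Diff current assignments against `approved` ({principal_id: set of
    permissions}) and return the (method, path, body) calls that close the gap.
    Assumption: PUT replaces the principal's whole permission list."""
    for perms in approved.values():
        if not perms or not perms <= ALLOWED:
            raise ValueError(f"invalid approved permissions: {perms!r}")
    current = {int(a["principal"]["principal_id"]): set(a["permissions"])
               for a in list_response.get("permission_assignments", [])}
    calls = []
    for pid in sorted(current.keys() | approved.keys()):
        # int() keeps anything but a numeric ID out of the request path.
        path = f"{base_path}/principals/{int(pid)}"
        want, have = approved.get(pid), current.get(pid)
        if want is None:
            # Not approved at all: DELETE removes every workspace permission.
            calls.append(("DELETE", path, None))
        elif want != have:
            # Missing, excessive or insufficient permissions: set the approved list.
            calls.append(("PUT", path, {"permissions": sorted(want)}))
    return calls

if __name__ == "__main__":
    approved = {100001: {"USER"}, 200001: {"USER"}, 400001: {"USER"}}
    for call in plan_changes(SAMPLE, approved, WORKSPACE_BASE):
        print(call)
```

For the Account API, pass `ACCOUNT_BASE.format(account_id=..., workspace_id=...)` as `base_path`. The function only plans the calls, so the output can be reviewed before anything is sent.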