

permissions command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The permissions command group within the Databricks CLI allows you to manage access control for various users on different objects, including the following:

For the mapping of the required permissions for specific actions or abilities and other important information, see Access Control.

To manage access control on service principals, use Account Access Control Proxy.

databricks permissions get

Get the permissions of an object. Objects can inherit permissions from their parent objects or root object.

databricks permissions get REQUEST_OBJECT_TYPE REQUEST_OBJECT_ID [flags]

Arguments

REQUEST_OBJECT_TYPE

    The type of the request object. Can be one of the following: alerts, authorization, clusters, cluster-policies, dashboards, dbsql-dashboards, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, queries, registered-models, repos, serving-endpoints, or warehouses.

REQUEST_OBJECT_ID

    The id of the request object.

Options

Global flags

Examples

The following example gets permissions for a specific job:

databricks permissions get jobs 12345

The following example gets permissions for a cluster:

databricks permissions get clusters cluster-id-123

The following example gets permissions for a notebook:

databricks permissions get notebooks /Users/someone@example.com/my-notebook

databricks permissions set

Set object permissions.

Sets permissions on an object, replacing existing permissions if they exist. Deletes all direct permissions if none are specified. Objects can inherit permissions from their parent objects or root object.

databricks permissions set REQUEST_OBJECT_TYPE REQUEST_OBJECT_ID [flags]

Arguments

REQUEST_OBJECT_TYPE

    The type of the request object. Can be one of the following: alerts, authorization, clusters, cluster-policies, dashboards, dbsql-dashboards, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, queries, registered-models, repos, serving-endpoints, or warehouses.

REQUEST_OBJECT_ID

    The id of the request object.

Options

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

Global flags

Examples

The following example sets permissions for a job using JSON:

databricks permissions set jobs 12345 --json '{"access_control_list": [{"user_name": "someone@example.com", "permission_level": "CAN_MANAGE"}]}'

The following example sets permissions for a cluster using a JSON file:

databricks permissions set clusters cluster-id-123 --json @permissions.json

databricks permissions update

Update object permissions.

Updates the permissions on an object. Objects can inherit permissions from their parent objects or root object.

databricks permissions update REQUEST_OBJECT_TYPE REQUEST_OBJECT_ID [flags]

Arguments

REQUEST_OBJECT_TYPE

    The type of the request object. Can be one of the following: alerts, authorization, clusters, cluster-policies, dashboards, dbsql-dashboards, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, queries, registered-models, repos, serving-endpoints, or warehouses.

REQUEST_OBJECT_ID

    The id of the request object.

Options

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

Global flags

Examples

The following example updates permissions for a job:

databricks permissions update jobs 12345 --json '{"access_control_list": [{"user_name": "someone@example.com", "permission_level": "CAN_VIEW"}]}'

The following example updates permissions for a pipeline:

databricks permissions update pipelines pipeline-id-456 --json @update-permissions.json
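Because set replaces every direct permission on the object while update does not, it helps to check a set request body against the object's current grants before sending it. The following is an added example, not part of the Databricks documentation: it lists the direct grants a set payload would remove and builds a payload that keeps them. The shape of the get output (all_permissions entries with an inherited flag), the sample principals, and the function names are assumptions.

```python
import json

PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")

# Constructed sample of `databricks permissions get jobs 12345 -o json` output.
# Assumed shape: each entry lists all_permissions with an "inherited" flag.
SAMPLE_GET = json.dumps({"access_control_list": [
    {"user_name": "someone@example.com",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
    {"group_name": "data-eng",
     "all_permissions": [{"permission_level": "CAN_MANAGE_RUN", "inherited": False}]},
    {"group_name": "admins",
     "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
]})

# Request body taken from the page's examples.
PAGE_PAYLOAD = ('{"access_control_list": [{"user_name": "someone@example.com", '
                '"permission_level": "CAN_VIEW"}]}')

def _principal(entry):
    key = next(k for k in PRINCIPAL_KEYS if k in entry)
    return key, entry[key]

def direct_grants(get_output):
    """Map principal -> set of levels granted directly (inherited ones skipped)."""
    grants = {}
    for entry in json.loads(get_output).get("access_control_list", []):
        levels = {p["permission_level"] for p in entry.get("all_permissions", [])
                  if not p.get("inherited", False)}
        if levels:
            grants[_principal(entry)] = levels
    return grants

def requested_grants(payload):
    """Map principal -> set of levels named in a set/update request body."""
    grants = {}
    for entry in json.loads(payload).get("access_control_list", []):
        grants.setdefault(_principal(entry), set()).add(entry["permission_level"])
    return grants

def dropped_by_set(get_output, payload):
    """Direct grants that would disappear if payload were sent with `set`."""
    wanted = requested_grants(payload)
    return sorted((name, level)
                  for (key, name), levels in direct_grants(get_output).items()
                  for level in levels - wanted.get((key, name), set()))

def preserving_payload(get_output, changes):
    """`set` body that keeps current direct grants and applies the changes."""
    merged = direct_grants(get_output)
    merged.update(requested_grants(changes))  # a change replaces that principal's levels
    acl = [{key: name, "permission_level": level}
           for (key, name), levels in sorted(merged.items()) for level in sorted(levels)]
    return json.dumps({"access_control_list": acl})
```

Sent with set, the page's one-entry payload would remove the data-eng group's direct grant as well as change the user's level; the body from preserving_payload keeps it.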

databricks permissions get-permission-levels

Get the permission levels that a user can have on an object.

databricks permissions get-permission-levels REQUEST_OBJECT_TYPE REQUEST_OBJECT_ID [flags]

Arguments

REQUEST_OBJECT_TYPE

    The type of the request object. Can be one of the following: alerts, authorization, clusters, cluster-policies, dashboards, dbsql-dashboards, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, queries, registered-models, repos, serving-endpoints, or warehouses.

REQUEST_OBJECT_ID

    The id of the request object.

Options

Global flags

Examples

The following example gets available permission levels for a job:

databricks permissions get-permission-levels jobs 12345

The following example gets available permission levels for a cluster:

databricks permissions get-permission-levels clusters cluster-id-123

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified, the profile named DEFAULT is used, if it exists.

--progress-format format

    The format to display progress logs: default, append, inplace, or json

-t, --target string

    If applicable, the bundle target to use