Access Control Lists (ACLs) for Workspace Objects
Who this is for:
Architecture / Concept Overview: Access Control Lists (ACLs) for Workspace Objects
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
Admin[Workspace Admin] --> ACLConfig[ACL Configuration]
ACLConfig --> Notebooks[Notebook Permissions]
ACLConfig --> Folders[Folder Permissions]
ACLConfig --> Clusters[Cluster Permissions]
ACLConfig --> Jobs[Job Permissions]
ACLConfig --> MLflow[MLflow Permissions]
Notebooks --> Users[Users & Groups]
Folders --> Users
Clusters --> Users
Jobs --> Users
MLflow --> Users
Admin:::governance
ACLConfig:::processing
Notebooks:::source
Folders:::source
Clusters:::ingestion
Jobs:::storage
MLflow:::serving
Users:::source
```
*Workspace ACL hierarchy: admins configure permissions per object type and grant them to users and groups. For notebooks, folders and experiments the grants also flow down from the enclosing folder; clusters, jobs, registered models and SQL warehouses are permissioned individually.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
NoPerms[NO PERMISSIONS] --> Read[CAN READ]
Read --> Run[CAN RUN]
Run --> Edit[CAN EDIT]
Edit --> Manage[CAN MANAGE]
Manage --> Owner[IS OWNER]
NoPerms:::source
Read:::ingestion
Run:::processing
Edit:::storage
Manage:::serving
Owner:::governance
```
*Permission levels are cumulative: each level includes everything the levels below it allow. The ladder shown is the notebook and folder one; IS OWNER exists only for jobs and SQL warehouses, and clusters, jobs, experiments, registered models and warehouses use their own level names (see the Configuration Reference). Treat CAN MANAGE as the object's admin level, since it includes changing the object's own permissions.*
Key Terms
Prerequisites and Setup
- Databricks workspace on the Premium plan or above (workspace object ACLs are not available on the Standard plan)
- Workspace admin access to enable access control; workspace admins implicitly hold CAN MANAGE on every object, so keep the admin group small and audited
- Users and groups provisioned via SCIM from your identity provider, or created manually; plan to grant permissions to groups rather than to individual users
- Workspace access control enabled in the admin settings; ACLs are only enforced once the setting is on, so enable it before granting users access to the workspace
Step-by-Step Implementation
Configuration Reference
| Object Type | Available Permissions | Inheritance |
|---|---|---|
| Notebook | CAN_READ, CAN_RUN, CAN_EDIT, CAN_MANAGE | From parent folder |
| Folder | CAN_READ, CAN_RUN, CAN_EDIT, CAN_MANAGE | From parent folder |
| Cluster | CAN_ATTACH_TO, CAN_RESTART, CAN_MANAGE | None |
| Job | CAN_VIEW, CAN_MANAGE_RUN, IS_OWNER, CAN_MANAGE | None |
| Experiment | CAN_READ, CAN_EDIT, CAN_MANAGE | From parent folder |
| Registered Model | CAN_READ, CAN_EDIT, CAN_MANAGE_STAGING_VERSIONS, CAN_MANAGE_PRODUCTION_VERSIONS, CAN_MANAGE | None |
| SQL Warehouse | CAN_USE, CAN_MONITOR, CAN_MANAGE, IS_OWNER | None |
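As an added example that is not part of the original page and not Databricks' own code, the Python script below models the cumulative ladders and the "Inheritance" column of the table above, together with the permission ladder diagram: it resolves a principal's effective level from direct and folder-inherited grants, flags grants to the workspace-wide `users` group that go above the lowest level, and builds a PATCH body for the Permissions REST API (`/api/2.0/permissions/{object_type}/{object_id}`). The notebook path, principals, group names and ACL entries are constructed for the example; the entry shape follows the API's `access_control_list` / `all_permissions` structure, and `users` is Databricks' built-in group containing every workspace user.

```python
"""Added example, not Databricks' own code: models the cumulative permission ladders
and folder inheritance from the reference table, resolves a principal's effective
level, flags over-broad grants and builds the body for the Permissions REST API
(PATCH /api/2.0/permissions/{object_type}/{object_id}). All sample data is constructed."""
import json
import posixpath
import urllib.request

# Cumulative ladders, lowest to highest, as in the reference table; keys are the
# object_type path segments the Permissions API accepts.
LADDERS = {
    "notebooks": ["CAN_READ", "CAN_RUN", "CAN_EDIT", "CAN_MANAGE"],
    "directories": ["CAN_READ", "CAN_RUN", "CAN_EDIT", "CAN_MANAGE"],
    "clusters": ["CAN_ATTACH_TO", "CAN_RESTART", "CAN_MANAGE"],
    "jobs": ["CAN_VIEW", "CAN_MANAGE_RUN", "IS_OWNER", "CAN_MANAGE"],
    "experiments": ["CAN_READ", "CAN_EDIT", "CAN_MANAGE"],
    "registered-models": ["CAN_READ", "CAN_EDIT", "CAN_MANAGE_STAGING_VERSIONS",
                          "CAN_MANAGE_PRODUCTION_VERSIONS", "CAN_MANAGE"],
    "sql/warehouses": ["CAN_USE", "CAN_MONITOR", "CAN_MANAGE", "IS_OWNER"],
}
INHERITS_FROM_FOLDER = {"notebooks", "directories", "experiments"}  # "From parent folder" rows


def rank(object_type, level):
    """Position on the ladder; a higher rank includes every lower level."""
    ladder = LADDERS[object_type]
    if level not in ladder:
        raise ValueError(f"{level!r} is not a permission level for {object_type}")
    return ladder.index(level)


def inherited_entries(object_path, folder_acls):
    """Grants from every ancestor folder, in the shape of a GET /permissions response
    (all_permissions[*].inherited == True). folder_acls maps folder path -> grants."""
    out, folder = [], posixpath.dirname(object_path)
    while folder not in ("", "/"):
        for grant in folder_acls.get(folder, []):
            key = "user_name" if "user_name" in grant else "group_name"
            out.append({key: grant[key], "all_permissions": [{
                "permission_level": grant["permission_level"], "inherited": True,
                "inherited_from_object": [folder]}]})
        folder = posixpath.dirname(folder)
    return out


def applicable_entries(object_type, object_path, direct_acl, folder_acls):
    entries = list(direct_acl)
    if object_type in INHERITS_FROM_FOLDER:  # clusters, jobs, models, warehouses: none
        entries += inherited_entries(object_path, folder_acls)
    return entries


def effective_level(object_type, object_path, direct_acl, folder_acls, principal, groups=()):
    """Highest level applying to `principal` (matched by user_name or any of its groups)."""
    names, best = {principal, *groups}, None
    for entry in applicable_entries(object_type, object_path, direct_acl, folder_acls):
        if (entry.get("user_name") or entry.get("group_name")) not in names:
            continue
        for perm in entry["all_permissions"]:
            lvl = perm["permission_level"]
            if best is None or rank(object_type, lvl) > rank(object_type, best):
                best = lvl
    return best


def overbroad_grants(object_type, object_path, direct_acl, folder_acls, broad_groups=("users",)):
    """Audit: grants above the lowest rung to a workspace-wide group (`users` holds every
    workspace user). Returns (group, level, source folder or "direct") tuples."""
    floor, findings = LADDERS[object_type][0], []
    for entry in applicable_entries(object_type, object_path, direct_acl, folder_acls):
        if entry.get("group_name") not in broad_groups:
            continue
        for perm in entry["all_permissions"]:
            if rank(object_type, perm["permission_level"]) > rank(object_type, floor):
                findings.append((entry["group_name"], perm["permission_level"],
                                 perm.get("inherited_from_object", ["direct"])[0]))
    return findings


def patch_body(object_type, grants):
    """PATCH adds or updates only the listed grants (PUT on the same URL replaces the
    whole ACL). Levels are checked against the ladder before anything is sent."""
    for g in grants:
        rank(object_type, g["permission_level"])
    return {"access_control_list": [dict(g) for g in grants]}


def apply_permissions(host, token, object_type, object_id, body):
    """Send the PATCH; not called at import since it needs a live workspace and a token."""
    req = urllib.request.Request(
        f"{host}/api/2.0/permissions/{object_type}/{object_id}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: one direct grant on a notebook plus ACLs on its two ancestor folders.
NOTEBOOK = "/Shared/etl/load_customers"
DIRECT_ACL = [{"user_name": "alice@example.com",
               "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]}]
FOLDER_ACLS = {
    "/Shared/etl": [{"group_name": "data-engineers", "permission_level": "CAN_EDIT"}],
    "/Shared": [{"group_name": "users", "permission_level": "CAN_RUN"}],  # over-broad
}
```

With the constructed data, a member of `data-engineers` resolves to CAN_EDIT on the notebook through the `/Shared/etl` folder, every workspace user resolves to CAN_RUN through `/Shared`, and `overbroad_grants` reports that second grant; running the same resolution for a cluster returns nothing from the folders, matching the "None" inheritance rows. When remediating, send a PATCH that lowers the `users` grant to CAN_READ on the folder rather than a PUT, so existing group grants on the object are left intact.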