Managing Users and Roles in Lakebase
Who this is for:
Architecture / Concept Overview: Managing Users and Roles in Lakebase
Lakebase access control operates at two layers: Databricks workspace identity handles authentication, while Lakebase roles handle authorization within the database.
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
A[Databricks User / Service Principal] -->|Authenticate| B[Databricks IAM]
B -->|Identity Token| C[Lakebase Connection]
C -->|Authorize| D[Lakebase Role Engine]
D -->|Check Grants| E[Schema Permissions]
D -->|Check Grants| F[Table Permissions]
D -->|Check Grants| G[Column Permissions]
A:::source
B:::governance
C:::processing
D:::governance
E:::storage
F:::storage
G:::storage
```
*Authentication happens through Databricks IAM, while authorization is enforced by Lakebase's role-based permission system.*
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
A[Role Hierarchy] --> B[lakebase_admin]
A --> C[app_readwrite]
A --> D[analytics_readonly]
A --> E[support_limited]
B --> F[ALL PRIVILEGES]
C --> G[SELECT, INSERT, UPDATE, DELETE]
D --> H[SELECT only]
E --> I[SELECT on specific tables]
A:::governance
B:::processing
C:::serving
D:::source
E:::ingestion
F:::processing
G:::serving
H:::source
I:::ingestion
```
*Define a role hierarchy that maps to organizational responsibilities, granting increasingly narrow permissions.*
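The four roles in the diagram, expressed as PostgreSQL role and grant statements. This is an added example, not code from the original page or from Databricks; the database name `app_db`, the schema `app`, the tables `orders` and `customers` with their columns, and the member role `orders-service-sp` are constructed placeholders. The role names are the ones from the hierarchy above. Each application role is a `NOLOGIN` group role; a Databricks user's or service principal's own Postgres role is added to it with `GRANT <role> TO <member>`, so the identity inherits exactly one tier of access.

```sql
-- Added example (constructed names): implement the four-tier role hierarchy.
-- Run as the database admin (the project creator), connected to app_db.

-- 1. Close the defaults first. PUBLIC normally has CONNECT on every database
--    and CREATE on schema "public" (the latter is already removed on
--    PostgreSQL 15 and later, so the second statement is a no-op there).
REVOKE CONNECT ON DATABASE app_db FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Group roles. NOLOGIN: nobody authenticates as these directly;
--    Databricks identities are made members of them instead.
CREATE ROLE lakebase_admin     NOLOGIN;
CREATE ROLE app_readwrite      NOLOGIN;
CREATE ROLE analytics_readonly NOLOGIN;
CREATE ROLE support_limited    NOLOGIN;

-- 3. Every non-admin tier needs CONNECT on the database and USAGE on the
--    schema before any table grant is reachable.
GRANT CONNECT ON DATABASE app_db TO app_readwrite, analytics_readonly, support_limited;
GRANT USAGE   ON SCHEMA   app    TO app_readwrite, analytics_readonly, support_limited;

-- 4. lakebase_admin: ALL PRIVILEGES at every level (DDL included).
GRANT ALL PRIVILEGES ON DATABASE app_db                 TO lakebase_admin;
GRANT ALL PRIVILEGES ON SCHEMA   app                    TO lakebase_admin;
GRANT ALL PRIVILEGES ON ALL TABLES    IN SCHEMA app     TO lakebase_admin;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA app     TO lakebase_admin;

-- 5. app_readwrite: row-level DML only. No TRUNCATE, no REFERENCES, no DDL.
--    USAGE on sequences is required for INSERTs into serial columns.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_readwrite;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA app TO app_readwrite;

-- 6. analytics_readonly: SELECT only, on every table in the schema.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO analytics_readonly;

-- 7. support_limited: SELECT on specific tables, and on customers only the
--    columns support needs. With a column grant, "SELECT *" on customers
--    fails with a permission error; listing the granted columns succeeds.
GRANT SELECT                     ON app.orders    TO support_limited;
GRANT SELECT (id, email, status) ON app.customers TO support_limited;

-- 8. Tables created later by lakebase_admin get the same grants automatically;
--    without this, each new table would silently be invisible to the tiers.
ALTER DEFAULT PRIVILEGES FOR ROLE lakebase_admin IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_readwrite;
ALTER DEFAULT PRIVILEGES FOR ROLE lakebase_admin IN SCHEMA app
    GRANT USAGE ON SEQUENCES TO app_readwrite;
ALTER DEFAULT PRIVILEGES FOR ROLE lakebase_admin IN SCHEMA app
    GRANT SELECT ON TABLES TO analytics_readonly;

-- 9. Map a Databricks identity to a tier. "orders-service-sp" stands for the
--    Postgres role that Lakebase provisions for a service principal
--    (placeholder name); membership is the only grant the identity itself gets.
GRANT app_readwrite TO "orders-service-sp";
```

Keeping all object privileges on the group roles and granting identities nothing but membership means off-boarding is a single `REVOKE app_readwrite FROM "orders-service-sp"`, and a review of who can do what reduces to listing role members.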
Key Terms
Prerequisites and Setup
- A Lakebase project with at least one database
- Database admin privileges (typically the project creator)
- A list of Databricks users and service principals who need access
- A permissions model defining which roles need which access levels
Step-by-Step Implementation
Configuration Reference
| Permission | Scope | Description |
|---|---|---|
| SELECT | Table, Column | Read data from the object |
| INSERT | Table | Add new rows |
| UPDATE | Table, Column | Modify existing rows |
| DELETE | Table | Remove rows |
| TRUNCATE | Table | Remove all rows without logging individual deletions |
| REFERENCES | Table | Create foreign key constraints referencing the table |
| USAGE | Schema, Sequence | Access objects within a schema or use a sequence |
| CREATE | Schema | Create new tables within the schema |
| ALL PRIVILEGES | Any | Grant all available permissions |
| CONNECT | Database | Allow connections to the database |
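Once grants are in place, the useful check is what each role can actually do, read back from the catalog rather than from the scripts that were meant to set it up. The queries below are an added example, not part of the original page; they assume the schema `app` and the four role names from the hierarchy diagram (`orders` and `customers` are constructed table names). The `information_schema` grant views only list privileges where the current session's role is the grantor or grantee, so run them as the admin that issued the grants.

```sql
-- Added example: audit the effective permission model against the reference table.

-- (a) Per-role table privileges in schema app, one row per role and table.
SELECT grantee,
       table_name,
       string_agg(privilege_type, ', ' ORDER BY privilege_type) AS privileges
FROM   information_schema.role_table_grants
WHERE  table_schema = 'app'
  AND  grantee IN ('lakebase_admin', 'app_readwrite', 'analytics_readonly', 'support_limited')
GROUP  BY grantee, table_name
ORDER  BY grantee, table_name;

-- (b) Column-level grants: confirms support_limited sees only the intended
--     columns of customers (a whole-table grant would list every column).
SELECT grantee, table_name, column_name, privilege_type
FROM   information_schema.role_column_grants
WHERE  table_schema = 'app'
  AND  grantee = 'support_limited'
ORDER  BY table_name, column_name;

-- (c) Drift detection: any privilege outside the tier's definition is a finding.
--     Returns zero rows when the model matches the hierarchy diagram.
SELECT grantee, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_schema = 'app'
  AND  (
          (grantee = 'analytics_readonly' AND privilege_type <> 'SELECT')
       OR (grantee = 'support_limited'    AND privilege_type <> 'SELECT')
       OR (grantee = 'app_readwrite'      AND privilege_type IN ('TRUNCATE', 'REFERENCES'))
       OR (grantee = 'PUBLIC')
       )
ORDER  BY grantee, table_name, privilege_type;

-- (d) Point checks that follow role inheritance, independent of who is asking.
--     Expected: false, true, false for the model above.
SELECT has_table_privilege('analytics_readonly', 'app.orders',    'DELETE')   AS ro_can_delete,
       has_table_privilege('app_readwrite',      'app.orders',    'INSERT')   AS rw_can_insert,
       has_table_privilege('app_readwrite',      'app.customers', 'TRUNCATE') AS rw_can_truncate;

-- (e) Membership: which identities inherit each tier. This is the list to
--     reconcile against the Databricks users and service principals that
--     should still have access.
SELECT r.rolname AS tier_role,
       m.rolname AS member
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  r.rolname IN ('lakebase_admin', 'app_readwrite', 'analytics_readonly', 'support_limited')
ORDER  BY tier_role, member;
```

Query (c) is the one worth scheduling: a non-empty result means a grant was issued outside the role model (directly to an identity, to PUBLIC, or with a privilege the tier should not hold) and should be traced back to whoever ran it.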