Managing Users, Groups, and Service Principals
Who this is for:
Architecture / Concept Overview: Managing Users, Groups, and Service Principals
Databricks identity management operates at two levels. Users, groups and service principals exist once at the account level (normally provisioned from the identity provider over SCIM) and are shared by every workspace in the account; workspace-level assignments then decide which of those identities can log in to, or act in, each workspace. Unity Catalog evaluates data permissions against the account-level identity, so the same principal carries the same identity, and the same grants, in every workspace it is assigned to.
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
flowchart LR
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
IDP[Identity Provider<br/>Azure AD / Okta] -->|SCIM Sync| ACCT[Databricks Account<br/>Users · Groups · SPs]
ACCT --> WS1[Workspace A<br/>Assigned identities]
ACCT --> WS2[Workspace B<br/>Assigned identities]
WS1 --> UC[Unity Catalog<br/>Permission evaluation]
WS2 --> UC
IDP:::source
ACCT:::governance
WS1:::processing
WS2:::processing
UC:::governance
```
*Figure 1 — Identity lifecycle: IdP syncs to the Databricks account; identities are assigned to workspaces and evaluated by Unity Catalog.*
The three identity types serve distinct purposes in the governance model.
```mermaid
%%{init: {"theme":"base","themeVariables":{"background":"#0B0E14","primaryTextColor":"#E0E6ED","lineColor":"#5D6470","darkMode":true,"primaryColor":"#2E4A4A","secondaryColor":"#374151","secondaryTextColor":"#E0E6ED","tertiaryColor":"#111827","tertiaryTextColor":"#E0E6ED","edgeLabelBackground":"#1f2937"}}}%%
graph TD
classDef source fill:#3F4B59,stroke:#9CA3AF,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef ingestion fill:#5A4B36,stroke:#C9A86B,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef processing fill:#535072,stroke:#8E82B4,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef storage fill:#2E4A4A,stroke:#5FAFA8,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef serving fill:#3D5550,stroke:#6BB7AA,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
classDef governance fill:#5A3F52,stroke:#C28BB0,stroke-width:2px,rx:8,ry:8,color:#E0E6ED
ID[Databricks Identities] --> USER[User<br/>Human interactive login]
ID --> GROUP[Group<br/>Collection of users and SPs]
ID --> SP[Service Principal<br/>Machine identity for automation]
USER --> USER_EX[SSO login · Personal PAT · OAuth token]
GROUP --> GROUP_EX[Synced from IdP · Nested groups · Grant target]
SP --> SP_EX[OAuth client credentials · PAT · CI/CD pipelines]
ID:::governance
USER:::processing
GROUP:::governance
SP:::ingestion
USER_EX:::processing
GROUP_EX:::governance
SP_EX:::ingestion
```
*Figure 2 — Three identity types: users for humans, groups for collections, service principals for automation.*
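The two figures describe a resolution problem an access review has to solve by hand: which users and service principals can actually reach a given workspace once nested groups and workspace assignments are combined. The script below is an added example, not code from the page or from Databricks; it works over a constructed inventory (the principal names, group memberships and workspace names are placeholders) and generalizes the picture to any depth of nesting, including the membership cycle that manual group edits can produce.

```python
# Added example (not from the page or Databricks): resolve effective workspace
# access from account-level identities and workspace-level assignments.
from collections import deque

# Constructed sample inventory; names are placeholders, not real data.
PRINCIPALS = {
    "alice@example.com": "user",
    "bob@example.com": "user",
    "carol@example.com": "user",
    "sp-etl-prod": "service_principal",
    "sp-ci": "service_principal",
    "data-engineers": "group",
    "platform-team": "group",
    "all-engineering": "group",
}

# Group membership as synced from the IdP; a member may itself be a group.
GROUP_MEMBERS = {
    "data-engineers": ["alice@example.com", "sp-etl-prod"],
    "platform-team": ["bob@example.com", "sp-ci"],
    "all-engineering": ["data-engineers", "platform-team"],
}

# Workspace-level assignments: principal -> permission level ("USER" or "ADMIN").
WORKSPACE_ASSIGNMENTS = {
    "workspace-a": {"all-engineering": "USER", "carol@example.com": "USER"},
    "workspace-b": {"data-engineers": "USER", "bob@example.com": "ADMIN"},
}


def expand_group(group, members=GROUP_MEMBERS, principals=PRINCIPALS):
    """Return every user/service principal reachable from `group`, following
    nested groups breadth-first. The visited set makes membership cycles
    terminate instead of looping forever."""
    seen, leaves = set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, []):
            if principals.get(m) == "group":
                queue.append(m)
            else:
                leaves.add(m)
    return leaves


def effective_access(workspace, assignments=WORKSPACE_ASSIGNMENTS,
                     members=GROUP_MEMBERS, principals=PRINCIPALS):
    """Map each user/SP to the set of (permission, granted_via) pairs it holds
    on `workspace`. An identity that exists at the account but is not assigned,
    directly or through a group, is absent: it cannot use the workspace."""
    access = {}
    for principal, perm in assignments.get(workspace, {}).items():
        if principals.get(principal) == "group":
            for leaf in expand_group(principal, members, principals):
                access.setdefault(leaf, set()).add((perm, principal))
        else:
            access.setdefault(principal, set()).add((perm, "direct"))
    return access


def lint_assignments(assignments=WORKSPACE_ASSIGNMENTS, principals=PRINCIPALS):
    """Flag assignments made to an individual instead of a group, and any
    assigned principal the account does not know about."""
    findings = []
    for ws, assigned in assignments.items():
        for principal, perm in assigned.items():
            kind = principals.get(principal)
            if kind is None:
                findings.append(f"{ws}: {principal} is not an account identity")
            elif kind != "group":
                findings.append(
                    f"{ws}: {kind} {principal} assigned directly as {perm}; prefer a group")
    return findings


if __name__ == "__main__":
    for ws in WORKSPACE_ASSIGNMENTS:
        print(ws)
        for who, grants in sorted(effective_access(ws).items()):
            print(f"  {who}: {sorted(grants)}")
    print("\n".join(lint_assignments()))
```

Run against a real export (for example the SCIM `Groups` and workspace `permissionassignments` listings), the `granted_via` field is what an auditor wants: it shows the group that carries each person's access, so removing the right membership in the IdP, rather than a per-workspace fix, closes the path everywhere.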
Key Terms
Prerequisites and Setup
- Account admin access to the Databricks account console
- An identity provider that supports SCIM provisioning (Microsoft Entra ID, formerly Azure AD; Okta; OneLogin; PingFederate)
- Unity Catalog enabled on the target workspaces
- If service principals will authenticate by token federation instead of a stored OAuth secret: an OIDC token issuer the account can trust (a cloud workload identity or the CI system's identity provider)
Step-by-Step Implementation
Configuration Reference
| Setting | Scope | Recommended Value |
|---|---|---|
| Identity federation | Account | Enabled, so identities are created once at the account and assigned to workspaces rather than created per workspace |
| SCIM sync interval | IdP | About 40 minutes (the Entra ID provisioning cycle, which is not tunable); for urgent offboarding, deactivate the user in the account console instead of waiting for the next cycle |
| Group nesting | Account | Use nested groups to mirror the org hierarchy; note that IdP SCIM connectors (Entra ID in particular) provision only a group's direct members, so verify effective membership in Databricks after sync |
| Service principal auth | SP | OAuth M2M client credentials, which yield short-lived access tokens; avoid PATs for automation |
| PAT lifetime | Workspace | Enforce a maximum lifetime via workspace admin settings, and restrict which users and service principals may create PATs at all |
| Workspace visibility | Account | With identity federation, only identities assigned to a workspace (directly or through a group) can use it; make assignments through groups |
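The lifecycle in Figure 1 and the table's "OAuth M2M over PAT" recommendation come down to a handful of HTTP calls against the account-level SCIM API and the OAuth token endpoint. The following is an added example, not code from the page or from Databricks' own tooling: it builds each request with the standard library so the exact wire format is visible, but does not send anything, so it runs offline. The account host, account ID, workspace URL and credentials are constructed placeholders; the SCIM schemas, the `permissionassignments` route and the `/oidc/v1/token` endpoint are the documented Databricks ones.

```python
# Added example (not from the page or Databricks): build the SCIM 2.0 and
# OAuth 2.0 requests for creating a group, nesting/adding members, creating a
# service principal, assigning a principal to a workspace, and exchanging a
# service-principal secret for a short-lived token. Requests are built, not
# sent, so this runs offline; all hosts, IDs and secrets are placeholders.
import base64
import json
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

ACCOUNT_HOST = "https://accounts.cloud.databricks.com"            # AWS account console host
ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"                  # placeholder account ID
WORKSPACE_HOST = "https://dbc-a1b2c3d4-e5f6.cloud.databricks.com"    # placeholder workspace URL

SCIM_BASE = f"{ACCOUNT_HOST}/api/2.0/accounts/{ACCOUNT_ID}/scim/v2"


def _json_request(method, url, token, body):
    return Request(url, data=json.dumps(body).encode(), method=method,
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/scim+json"})


def create_group_request(token, display_name):
    """POST /scim/v2/Groups: create an account-level group."""
    body = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
            "displayName": display_name}
    return _json_request("POST", f"{SCIM_BASE}/Groups", token, body)


def add_member_request(token, group_id, member_id):
    """PATCH /scim/v2/Groups/{id}: add a user, SP or another group (nesting)."""
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "add", "value": {"members": [{"value": member_id}]}}]}
    return _json_request("PATCH", f"{SCIM_BASE}/Groups/{group_id}", token, body)


def create_service_principal_request(token, display_name):
    """POST /scim/v2/ServicePrincipals: create a machine identity. On Azure the
    Entra application ID is passed as applicationId; elsewhere it is generated."""
    body = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"],
            "displayName": display_name, "active": True}
    return _json_request("POST", f"{SCIM_BASE}/ServicePrincipals", token, body)


def assign_to_workspace_request(token, workspace_id, principal_id, level="USER"):
    """PUT .../workspaces/{ws}/permissionassignments/principals/{id}: the
    workspace-level step. principal_id is the numeric account ID of a user,
    SP or (preferably) group; level is USER or ADMIN."""
    url = (f"{ACCOUNT_HOST}/api/2.0/accounts/{ACCOUNT_ID}/workspaces/{workspace_id}"
           f"/permissionassignments/principals/{principal_id}")
    return _json_request("PUT", url, token, {"permissions": [level]})


def m2m_token_request(client_id, client_secret, account_level=False):
    """OAuth 2.0 client-credentials exchange for a service principal. The
    secret travels once, in HTTP Basic auth; the access token returned is
    short-lived (one hour), which is why this is preferred over a PAT."""
    url = (f"{ACCOUNT_HOST}/oidc/accounts/{ACCOUNT_ID}/v1/token" if account_level
           else f"{WORKSPACE_HOST}/oidc/v1/token")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    data = urlencode({"grant_type": "client_credentials", "scope": "all-apis"}).encode()
    return Request(url, data=data, method="POST",
                   headers={"Authorization": f"Basic {creds}",
                            "Content-Type": "application/x-www-form-urlencoded"})


# Inspection helpers for dry runs: what would actually go on the wire.
def json_body(req):
    return json.loads(req.data.decode())


def form_body(req):
    return dict(parse_qsl(req.data.decode()))


def basic_auth_user(req):
    """Recover 'client_id:secret' from the Basic header (it is never in the URL)."""
    return base64.b64decode(req.get_header("Authorization").split(" ", 1)[1]).decode()


def send(req):
    """Execute a built request over the network and return the decoded JSON reply."""
    with urlopen(req) as resp:
        return json.load(resp)
```

Order matters: the group and service principal are created at the account (SCIM), membership is patched onto the group, and only then is the group assigned to a workspace; the service principal never receives a PAT, it obtains an hour-long token from `m2m_token_request` each time a pipeline runs. For account-level calls (the SCIM and assignment requests above), request the token with `account_level=True` so it is minted by the account's own OIDC endpoint.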