Important
This feature is in Public Preview in the following regions: westus, westus2, eastus, eastus2, centralus, southcentralus, northeurope, westeurope, australiaeast, brazilsouth, canadacentral, centralindia, southeastasia, uksouth.
This page describes when and how to grant Azure Databricks users and identities privileges to a database instance.
To allow other users to use PostgreSQL to access the database instance, the databricks_superuser must create corresponding Postgres roles for them. For details on how to create Postgres roles, see Create and manage Postgres roles for Azure Databricks identities.
When and how permissions are checked
When you use Postgres syntax or connect through a PostgreSQL interface, Lakebase enforces PostgreSQL-specific access controls by using the following:
- Postgres roles
- Role memberships
- Postgres-granted permissions
In all other scenarios, Lakebase enforces Databricks-specific access controls:
- Azure Databricks identities (users, groups and service principals)
- Azure Databricks group memberships
- Workspace access control lists (ACLs)
- Unity Catalog privileges
Note
There is no automatic sync between Azure Databricks identities and memberships, and Postgres roles and memberships.
Use case / Permission or identity | Manage database instances | Create or delete synced tables | Manage synced table pipeline | Query Postgres tables from a SQL warehouse | Query online features in feature and model serving | Query Postgres tables in PostgreSQL |
---|---|---|---|---|---|---|
Azure Databricks identities | x | x | x | x | x | Requires a corresponding Postgres role |
Databricks group memberships | x | x | x | x | x | Only checked on login when logging in as a group |
Instance ACLs | x | x | ||||
Pipeline ACLs | | Need to be a pipeline owner when reusing an existing pipeline or deleting a synced table (which edits the pipeline) | x | | | |
UC permissions | x | x | x | |||
Postgres roles | | | | | | x |
Postgres role memberships | | | | | | x |
Postgres permissions | | | | | | x |
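
Because identities and memberships are not synced automatically between the two models, the Postgres side can drift from the workspace side. The following audit is an added example, not Databricks code: it assumes each Postgres role is named after its workspace identity, and all sample data is constructed (in practice the role inputs would come from `pg_roles` and `pg_auth_members`).

```python
"""Drift audit between Azure Databricks identities and Postgres roles (added example)."""

# Built-in roles that never map to a workspace identity. databricks_superuser is
# named on this page; the "pg_" prefix is reserved by PostgreSQL for predefined roles.
BUILTIN_ROLES = {"databricks_superuser"}


def is_builtin(role):
    return role in BUILTIN_ROLES or role.startswith("pg_")


def audit_drift(identities, group_members, pg_roles, pg_members):
    """Compare the two access-control models.

    identities    -- set of workspace identity names (users, groups, service principals)
    group_members -- {group: set(member identities)} from the workspace
    pg_roles      -- set of role names, e.g. SELECT rolname FROM pg_roles
    pg_members    -- {role: set(member roles)}, e.g. built from pg_auth_members
    """
    roles = {r for r in pg_roles if not is_builtin(r)}
    report = {
        # Identity exists in the workspace but has no role to connect through PostgreSQL.
        "missing_role": sorted(identities - roles),
        # Role still exists in Postgres although no workspace identity matches it.
        "orphaned_role": sorted(roles - identities),
        "extra_membership": [],    # granted in Postgres, absent in the workspace group
        "missing_membership": [],  # in the workspace group, not granted in Postgres
    }
    for group in sorted(set(group_members) | set(pg_members)):
        if is_builtin(group):
            continue
        ws = group_members.get(group, set())
        pg = {m for m in pg_members.get(group, set()) if not is_builtin(m)}
        report["extra_membership"] += [(group, m) for m in sorted(pg - ws)]
        report["missing_membership"] += [(group, m) for m in sorted(ws - pg)]
    return report


# Constructed sample data (not taken from a real workspace).
SAMPLE_IDENTITIES = {"alice@example.com", "bob@example.com", "analysts"}
SAMPLE_GROUPS = {"analysts": {"alice@example.com", "bob@example.com"}}
SAMPLE_PG_ROLES = {"databricks_superuser", "pg_monitor", "alice@example.com",
                   "carol@example.com", "analysts"}
SAMPLE_PG_MEMBERS = {"analysts": {"alice@example.com", "carol@example.com"}}

if __name__ == "__main__":
    for finding, items in audit_drift(SAMPLE_IDENTITIES, SAMPLE_GROUPS,
                                      SAMPLE_PG_ROLES, SAMPLE_PG_MEMBERS).items():
        print(finding, items)
```

Orphaned roles and extra memberships are the findings to review first, since they represent Postgres access that the workspace no longer backs.
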
Grant instance privileges to Azure Databricks identities
A user must have specific permissions on the database instance to manage the instance and perform table operations. Workspace admins and the instance creator can assign additional permissions to users, groups, or service principals on the Database instances overview page.
- Click Compute in the workspace sidebar.
- Click OLTP Database.
- Click the Permissions tab.
- Click Manage instance permissions in the upper-right.
- Enter a user, group, or service principal to grant additional privileges to.
- Select the permission you want to grant to the identity. See Database instance ACLs.
- Click + Add.
- Any workspace user can view or list database instances. Database catalog and synced table permissions are further governed by Unity Catalog metastore, catalog, schema, and table permissions. For more details, see Manage privileges in Unity Catalog.
- Click Save.