Databricks Roles Full Reference Matrix
This table includes Workspace Roles, Account Roles, and Unity Catalog Roles with exact capabilities.
| Role | Category | Capabilities / Permissions | Notes |
|------|----------|----------------------------|-------|
| Workspace Admin | Workspace | Manage users and groups; assign workspace roles; create/manage clusters; restart/terminate all clusters; create/manage jobs and workflows; create SQL warehouses; manage secrets, libraries, instance profiles; access DBFS (read/write); run notebooks and jobs | Full control of workspace; does NOT grant automatic data access in Unity Catalog |
| User | Workspace | Create/edit/run own notebooks; create/run jobs; create clusters (if allowed by cluster policies); access DBFS (read/write); use SQL warehouses (if permitted) | Cannot manage other users or workspace settings |
| Can Manage / Job Creator | Workspace | Create/manage own jobs and clusters; run notebooks; upload files to DBFS | Limited admin; cannot manage other users or workspace-wide settings |
| Viewer | Workspace | Read-only access to notebooks, dashboards; view clusters and jobs; read access to DBFS (if allowed) | No write permissions |
| Account Admin | Account | Create and delete workspaces; assign workspace admins; manage metastore assignments; access account-wide audit logs; manage billing / usage | Full control over account; workspace-level roles must still be respected |
| Billing / Support Roles | Account | View usage and billing; access technical support | Cannot manage workspace or data; read-only account permissions |
| Metastore Admin | Unity Catalog | Create catalogs and schemas; create storage credentials and external locations; assign catalog-level permissions; grant/revoke data access | Full control over UC metadata; does NOT give workspace admin rights |
| Catalog Owner | Unity Catalog | Manage catalog and contained schemas; grant/revoke access at catalog level | Limited to one catalog; cannot manage other catalogs |
| Schema Owner | Unity Catalog | Manage schema and contained tables/views; grant/revoke access at schema level | Cannot manage catalog-level permissions |
| Volume Owner | Unity Catalog | Manage managed volumes (file storage); grant/revoke access to volumes | Access to volume paths only |
| Data Access Roles (SELECT / MODIFY / USAGE) | Unity Catalog | Read/write/query specific tables, views, volumes; can be granted granular privileges via grants | Applied per-object; separate from workspace admin rights |
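As an added illustration (not part of the original matrix), the following Python models the separation the table draws between workspace roles and Unity Catalog data access: a Workspace Admin with no UC grants resolves to no read access, owners hold all privileges on their object and what it contains, and grants on a catalog or schema are inherited downward. All principal and securable names are constructed; USE CATALOG and USE SCHEMA are the current names of the USAGE privilege listed in the table.

```python
"""Effective-access resolver for the matrix above: workspace/account roles
confer no data access; UC access comes from ownership or per-object grants,
and grants on a catalog or schema are inherited by what they contain."""
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    workspace_roles: set = field(default_factory=set)  # e.g. {"Workspace Admin"}
    metastore_admin: bool = False

@dataclass
class Metastore:
    owners: dict  # securable path -> owner name, e.g. {"sales": "alice"}
    grants: dict  # securable path -> {principal name: {privileges}}

def ancestors(path: str) -> list:
    """'sales.eu.orders' -> ['sales', 'sales.eu', 'sales.eu.orders']"""
    parts = path.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]

def owns(p: Principal, ms: Metastore, path: str) -> bool:
    # Owning a securable gives all privileges on it and on what it contains.
    return any(ms.owners.get(a) == p.name for a in ancestors(path))

def has_privilege(p: Principal, ms: Metastore, priv: str, path: str) -> bool:
    # A privilege granted on an ancestor catalog or schema is inherited.
    return any(priv in ms.grants.get(a, {}).get(p.name, set())
               for a in ancestors(path))

def can_select(p: Principal, ms: Metastore, table: str) -> bool:
    """Read access to catalog.schema.table. p.workspace_roles is never consulted:
    per the matrix, Workspace Admin grants no UC data access."""
    if owns(p, ms, table):
        return True
    catalog, schema, _ = ancestors(table)
    return (has_privilege(p, ms, "USE CATALOG", catalog)
            and has_privilege(p, ms, "USE SCHEMA", schema)
            and has_privilege(p, ms, "SELECT", table))

def can_grant(p: Principal, ms: Metastore, path: str) -> bool:
    """Who may change grants on a securable: the metastore admin or an owner."""
    return p.metastore_admin or owns(p, ms, path)
# Constructed sample (hypothetical names): a workspace admin with no UC grants,
# a catalog owner, a schema owner, and an analyst holding all three privileges.
MS = Metastore(owners={"sales": "alice", "sales.eu": "bob"},
               grants={"sales": {"carol": {"USE CATALOG"}},
                       "sales.eu": {"carol": {"USE SCHEMA"}},
                       "sales.eu.orders": {"carol": {"SELECT"}}})
WS_ADMIN = Principal("dave", workspace_roles={"Workspace Admin"})
```

Dropping any one of carol's three privileges, or asking about a table she was never granted, resolves to no access, which is the per-object behaviour the last row of the table describes.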