Merk
Tilgang til denne siden krever autorisasjon. Du kan prøve å logge på eller endre kataloger.
Tilgang til denne siden krever autorisasjon. Du kan prøve å endre kataloger.
Important
Lakebase Autoscaling is the latest version of Lakebase, with autoscaling compute, scale-to-zero, branching, and instant restore. For supported regions, see Region availability. If you are a Lakebase Provisioned user, see Lakebase Provisioned.
Lakebase project permissions can be managed programmatically using the standard Azure Databricks Permissions API, the Azure Databricks CLI, Azure Databricks SDKs, and Terraform.
For an overview of permission types, default permissions, and how to manage permissions in the Lakebase UI, see Manage project permissions.
Permission levels
The grantable permission levels for Lakebase projects are CAN_USE and CAN_MANAGE. CAN_CREATE is an inherited level that flows automatically from the workspace to all users and cannot be explicitly granted or revoked on a project. Attempts to grant CAN_CREATE via the API return HTTP 400.
The Permissions API identifies projects by project ID (for example, my-app). You can find this value in the project_id field of the project status returned by the Get project and List projects APIs.
Note
The project_id field is available in REST API responses but is not yet available in SDK or CLI response objects. If you are using an SDK, you can extract the project ID from the name field by removing the projects/ prefix (for example, projects/my-app becomes my-app).
REST API
Project permissions use the standard Azure Databricks Permissions API at /api/2.0/permissions/database-projects/{project_id}.
Get current permissions
curl -X GET "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
-H "Authorization: Bearer ${DATABRICKS_TOKEN}" | jq
Grant or update permissions (PATCH)
curl -X PATCH "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
-H "Authorization: Bearer ${DATABRICKS_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"access_control_list": [
{
"user_name": "user@example.com",
"permission_level": "CAN_USE"
}
]
}'
To grant permissions to a group or service principal, replace user_name with group_name or service_principal_name.
Note
PATCH is additive and cannot downgrade an existing higher permission. For example, patching CAN_USE onto a user who already holds CAN_MANAGE has no effect. To downgrade or remove a permission, use PUT instead.
Replace all explicit permissions (PUT)
Warning
PUT replaces the entire explicit ACL. Any user, group, or service principal not included in the request body loses their explicitly granted permission. Inherited permissions (such as workspace admins) are not affected.
curl -X PUT "https://${DATABRICKS_HOST}/api/2.0/permissions/database-projects/${PROJECT_ID}" \
-H "Authorization: Bearer ${DATABRICKS_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"access_control_list": [
{
"user_name": "user@example.com",
"permission_level": "CAN_MANAGE"
}
]
}'
For the full Permissions API reference, see Permissions API.
CLI
Use the databricks permissions commands (which wrap the Permissions API) to manage project permissions from the command line.
Grant or update permissions
# PROJECT_ID is your project ID (e.g., my-app).
databricks permissions update database-projects ${PROJECT_ID} \
--json '{
"access_control_list": [
{
"user_name": "user@example.com",
"permission_level": "CAN_USE"
}
]
}'
Get current permissions
databricks permissions get database-projects ${PROJECT_ID}
Note
Use databricks permissions (not databricks postgres) for project ACL management. The databricks postgres subcommand manages project resources (branches, computes, etc.), not permissions.
SDK
Use the WorkspaceClient.permissions interface in the Python, Java, or Go SDK to manage project permissions.
Python SDK
from databricks.sdk import WorkspaceClient
from databricks.sdk.service.iam import AccessControlRequest, PermissionLevel
w = WorkspaceClient()
# Your project ID (e.g., "my-app")
PROJECT_ID = "<project-id>"
# Grant CAN_USE to a user (PATCH is additive and cannot downgrade)
w.permissions.update(
request_object_type="database-projects",
request_object_id=PROJECT_ID,
access_control_list=[
AccessControlRequest(
user_name="user@example.com",
permission_level=PermissionLevel.CAN_USE,
)
],
)
# Get current permissions
permissions = w.permissions.get(
request_object_type="database-projects",
request_object_id=PROJECT_ID,
)
print(permissions)
# Revoke or downgrade: use set() (PUT), not update() (PATCH)
# update() with an empty list is a no-op; set() replaces the full explicit ACL
w.permissions.set(
request_object_type="database-projects",
request_object_id=PROJECT_ID,
access_control_list=[
# Include every identity that should retain explicit access
AccessControlRequest(
user_name="owner@example.com",
permission_level=PermissionLevel.CAN_MANAGE,
)
],
)
Java SDK
import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.service.iam.*;
WorkspaceClient w = new WorkspaceClient();
// Your project ID (e.g., "my-app")
String projectId = "<project-id>";
// Grant CAN_USE to a user (PATCH is additive and cannot downgrade)
w.permissions().update(new UpdateObjectPermissions()
.setRequestObjectType("database-projects")
.setRequestObjectId(projectId)
.setAccessControlList(List.of(
new AccessControlRequest()
.setUserName("user@example.com")
.setPermissionLevel(PermissionLevel.CAN_USE)
))
);
// Get current permissions
ObjectPermissions permissions = w.permissions().get(
new GetPermissionRequest()
.setRequestObjectType("database-projects")
.setRequestObjectId(projectId)
);
Go SDK
import (
"github.com/databricks/databricks-sdk-go"
"github.com/databricks/databricks-sdk-go/service/iam"
)
w, _ := databricks.NewWorkspaceClient()
// Your project ID (e.g., "my-app")
projectID := "<project-id>"
// Grant CAN_USE to a user (Update is additive and cannot downgrade)
_, err := w.Permissions.Update(ctx, iam.UpdateObjectPermissions{
RequestObjectType: "database-projects",
RequestObjectId: projectID,
AccessControlList: []iam.AccessControlRequest{
{
UserName: "user@example.com",
PermissionLevel: iam.PermissionLevelCanUse,
},
},
})
// Get current permissions
permissions, err := w.Permissions.Get(ctx, iam.GetPermissionRequest{
RequestObjectType: "database-projects",
RequestObjectId: projectID,
})