databricks-enterprise-rbac
Configure Databricks enterprise SSO, Unity Catalog RBAC, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls with Unity Catalog. Trigger with phrases like "databricks SSO", "databricks RBAC", "databricks enterprise", "unity catalog permissions", "databricks SCIM".
Best use case
databricks-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Databricks enterprise SSO, Unity Catalog RBAC, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls with Unity Catalog. Trigger with phrases like "databricks SSO", "databricks RBAC", "databricks enterprise", "unity catalog permissions", "databricks SCIM".
Teams using databricks-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/databricks-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How databricks-enterprise-rbac Compares
| Feature / Agent | databricks-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Databricks enterprise SSO, Unity Catalog RBAC, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls with Unity Catalog. Trigger with phrases like "databricks SSO", "databricks RBAC", "databricks enterprise", "unity catalog permissions", "databricks SCIM".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Databricks Enterprise RBAC
## Overview
Implement enterprise access control using Unity Catalog privileges, SCIM-provisioned groups, workspace entitlements, cluster policies, and audit logging. Unity Catalog uses a three-level namespace (`catalog.schema.object`) with privilege inheritance: granting `USAGE` on a catalog cascades to schemas. Account-level SCIM syncs groups from your IdP (Okta, Azure AD, Google Workspace).
## Prerequisites
- Databricks Premium or Enterprise with Unity Catalog enabled
- Account admin access for SCIM and group management
- Identity Provider supporting SAML 2.0 and SCIM 2.0
## Instructions
### Step 1: Provision Groups via SCIM API
Sync groups from your IdP at the account level. Max 10,000 users + service principals and 5,000 groups per account.
```bash
# Create account-level groups that map to IdP teams
databricks account groups create --json '{
"displayName": "data-engineers",
"entitlements": [
{"value": "workspace-access"},
{"value": "databricks-sql-access"}
]
}'
databricks account groups create --json '{
"displayName": "data-analysts",
"entitlements": [
{"value": "workspace-access"},
{"value": "databricks-sql-access"}
]
}'
databricks account groups create --json '{
"displayName": "ml-engineers",
"entitlements": [
{"value": "workspace-access"},
{"value": "databricks-sql-access"},
{"value": "allow-cluster-create"}
]
}'
```
```python
# Assign groups to workspaces
from databricks.sdk import AccountClient
acct = AccountClient()
# Get workspace ID
workspaces = list(acct.workspaces.list())
prod_ws = next(ws for ws in workspaces if ws.workspace_name == "production")
# Assign group to workspace with permissions
acct.workspace_assignment.update(
workspace_id=prod_ws.workspace_id,
principal_id=group_id,
permissions=["USER"],
)
```
### Step 2: Unity Catalog Privilege Hierarchy
```sql
-- Privilege model: CATALOG > SCHEMA > TABLE/VIEW/FUNCTION
-- USAGE grants must cascade from catalog to schema
-- Data Engineers: full ETL access
GRANT USAGE ON CATALOG analytics TO `data-engineers`;
GRANT CREATE SCHEMA ON CATALOG analytics TO `data-engineers`;
GRANT CREATE, MODIFY, SELECT ON SCHEMA analytics.bronze TO `data-engineers`;
GRANT CREATE, MODIFY, SELECT ON SCHEMA analytics.silver TO `data-engineers`;
GRANT SELECT ON SCHEMA analytics.gold TO `data-engineers`;
-- Data Analysts: read-only curated data
GRANT USAGE ON CATALOG analytics TO `data-analysts`;
GRANT SELECT ON SCHEMA analytics.gold TO `data-analysts`;
-- ML Engineers: full ML lifecycle
GRANT USAGE ON CATALOG analytics TO `ml-engineers`;
GRANT SELECT ON SCHEMA analytics.gold TO `ml-engineers`;
GRANT ALL PRIVILEGES ON SCHEMA analytics.ml_features TO `ml-engineers`;
GRANT ALL PRIVILEGES ON SCHEMA analytics.ml_models TO `ml-engineers`;
-- Service Principal: CI/CD automation
GRANT USAGE ON CATALOG analytics TO `cicd-service-principal`;
GRANT ALL PRIVILEGES ON CATALOG analytics TO `cicd-service-principal`;
```
### Step 3: Cluster Policies by Role
```python
from databricks.sdk import WorkspaceClient
w = WorkspaceClient()
# Analyst policy: restrict to SQL warehouses and small clusters
analyst_policy = w.cluster_policies.create(
name="analyst-compute-policy",
definition="""{
"cluster_type": {
"type": "allowlist",
"values": ["all-purpose"],
"hidden": false
},
"autotermination_minutes": {
"type": "range",
"minValue": 10,
"maxValue": 30,
"defaultValue": 15
},
"num_workers": {
"type": "range",
"minValue": 0,
"maxValue": 4
},
"node_type_id": {
"type": "allowlist",
"values": ["m5.xlarge", "m5.2xlarge"]
},
"spark_conf.spark.databricks.cluster.profile": {
"type": "fixed",
"value": "singleNode"
}
}""",
)
# Assign to analysts group
w.cluster_policies.set_permissions(
cluster_policy_id=analyst_policy.policy_id,
access_control_list=[{
"group_name": "data-analysts",
"all_permissions": [{"permission_level": "CAN_USE"}],
}],
)
```
### Step 4: SQL Warehouse Permissions
```bash
# Grant warehouse access by group
databricks permissions update sql/warehouses/$WAREHOUSE_ID --json '[
{"group_name": "data-analysts", "permission_level": "CAN_USE"},
{"group_name": "data-engineers", "permission_level": "CAN_MANAGE"},
{"group_name": "ml-engineers", "permission_level": "CAN_USE"}
]'
```
### Step 5: Row-Level Security and Column Masking
```sql
-- Row filter: analysts only see their department's data
CREATE OR REPLACE FUNCTION analytics.gold.dept_filter(dept STRING)
RETURN IF(IS_ACCOUNT_GROUP_MEMBER('data-admins'), true,
dept = current_user_department());
ALTER TABLE analytics.gold.sales
SET ROW FILTER analytics.gold.dept_filter ON (department);
-- Column mask: hide email from non-engineers
CREATE OR REPLACE FUNCTION analytics.gold.mask_email(email STRING)
RETURN IF(IS_ACCOUNT_GROUP_MEMBER('data-engineers'), email,
REGEXP_REPLACE(email, '(.).*@', '$1***@'));
ALTER TABLE analytics.gold.customers
ALTER COLUMN email SET MASK analytics.gold.mask_email;
```
### Step 6: Service Principal for Automation
```python
from databricks.sdk import AccountClient
acct = AccountClient()
# Create service principal
sp = acct.service_principals.create(
display_name="cicd-pipeline",
active=True,
)
# Generate OAuth secret
secret = acct.service_principal_secrets.create(
service_principal_id=sp.id,
)
print(f"Client ID: {sp.application_id}")
print(f"Secret: {secret.secret}") # Store securely — shown only once
```
### Step 7: Audit Access Patterns
```sql
-- Who accessed what in the last 7 days
SELECT event_time, user_identity.email AS actor,
action_name, request_params
FROM system.access.audit
WHERE action_name LIKE '%Grant%' OR action_name LIKE '%Revoke%'
AND event_date > current_date() - INTERVAL 7 DAYS
ORDER BY event_time DESC;
-- Excessive privilege detection
SELECT user_identity.email, action_name, COUNT(*) AS access_count
FROM system.access.audit
WHERE event_date > current_date() - INTERVAL 30 DAYS
AND service_name = 'unityCatalog'
GROUP BY user_identity.email, action_name
HAVING COUNT(*) > 100
ORDER BY access_count DESC;
```
## Output
- Account-level groups provisioned via SCIM matching IdP teams
- Unity Catalog grants enforcing least-privilege across medallion layers
- Cluster policies restricting compute by role (analysts vs engineers)
- SQL warehouse permissions assigned per group
- Row-level security and column masking for PII protection
- Service principal for CI/CD with OAuth M2M
- Audit queries for ongoing compliance monitoring
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| `PERMISSION_DENIED` on table | Missing `USAGE` on parent catalog/schema | Grant `USAGE` at each namespace level |
| SCIM sync fails | Expired bearer token | Regenerate account-level PAT or use OAuth |
| Can't create cluster | No matching cluster policy | Assign a policy to the user's group |
| Can't see SQL warehouse | Missing `CAN_USE` grant | Add warehouse permission for the group |
| Row filter too slow | Complex subquery in filter function | Materialize permissions in a small lookup table |
## Examples
### Verify Current Permissions
```sql
SHOW GRANTS ON CATALOG analytics;
SHOW GRANTS `data-analysts` ON SCHEMA analytics.gold;
SHOW GRANTS ON TABLE analytics.gold.sales;
```
### Permission Matrix Reference
| Role | Bronze | Silver | Gold | ML | Clusters | Warehouses |
|------|--------|--------|------|----|----------|------------|
| Data Engineer | Read/Write | Read/Write | Read | - | Create (policy) | Use/Manage |
| Data Analyst | - | - | Read | - | Single-node (policy) | Use |
| ML Engineer | - | Read | Read | Read/Write | Create (policy) | Use |
| Admin | Full | Full | Full | Full | Unrestricted | Manage |
| CI/CD SP | Full | Full | Full | Full | Manage | - |
## Resources
- [Unity Catalog Privileges](https://docs.databricks.com/aws/en/data-governance/unity-catalog/manage-privileges/)
- [SCIM Provisioning](https://docs.databricks.com/aws/en/admin/users-groups/scim/)
- [Cluster Policies](https://docs.databricks.com/aws/en/admin/clusters/policy-definition)
- [Row and Column Filters](https://docs.databricks.com/aws/en/data-governance/unity-catalog/row-and-column-filters)Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".