w.permissions: Permissions

class databricks.sdk.service.iam.PermissionsAPI

The Permissions API is used to create, read, write, edit, update and manage access for various users on different objects and endpoints.

  • [Cluster permissions](:service:clusters) — Manage which users can manage, restart, or attach to clusters.

  • [Cluster policy permissions](:service:clusterpolicies) — Manage which users can use cluster policies.

  • [Delta Live Tables pipeline permissions](:service:pipelines) — Manage which users can view, manage, run, cancel, or own a Delta Live Tables pipeline.

  • [Job permissions](:service:jobs) — Manage which users can view, manage, trigger, cancel, or own a job.

  • [MLflow experiment permissions](:service:experiments) — Manage which users can read, edit, or manage MLflow experiments.

  • [MLflow registered model permissions](:service:modelregistry) — Manage which users can read, edit, or manage MLflow registered models.

  • [Password permissions](:service:users) — Manage which users can use password login when SSO is enabled.

  • [Instance Pool permissions](:service:instancepools) — Manage which users can manage or attach to pools.

  • [Repo permissions](repos) — Manage which users can read, run, edit, or manage a repo.

  • [Serving endpoint permissions](:service:servingendpoints) — Manage which users can view, query, or manage a serving endpoint.

  • [SQL warehouse permissions](:service:warehouses) — Manage which users can use or manage SQL warehouses.

  • [Token permissions](:service:tokenmanagement) — Manage which users can create or use tokens.

  • [Workspace object permissions](:service:workspace) — Manage which users can read, run, edit, or manage directories, files, and notebooks.

For the mapping of the required permissions for specific actions or abilities and other important information, see [Access Control].

Note that to manage access control on service principals, use [Account Access Control Proxy](:service:accountaccesscontrolproxy).

[Access Control]: https://docs.databricks.com/security/auth-authz/access-control/index.html

get(request_object_type: str, request_object_id: str) ObjectPermissions

Usage:

import time

from databricks.sdk import WorkspaceClient

w = WorkspaceClient()

notebook_path = f'/Users/{w.current_user.me().user_name}/sdk-{time.time_ns()}'

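# The notebook at notebook_path must already exist; get_status raises an error otherwise.
obj = w.workspace.get_status(path=notebook_path)

# Fetch the current access control list of the notebook.
perms = w.permissions.get(request_object_type="notebooks",
                          request_object_id="%d" % (obj.object_id))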

Get object permissions.

Gets the permissions of an object. Objects can inherit permissions from their parent objects or root object.

Parameters:
  • request_object_type – str The type of the request object. Can be one of the following: authorization, clusters, cluster-policies, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, registered-models, repos, serving-endpoints, or warehouses.

  • request_object_id – str The id of the request object.

Returns:

ObjectPermissions
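Because objects can inherit permissions from parent objects, a review of an object's access list should separate direct grants from inherited ones. The following is an added example, not part of the SDK documentation: it audits the dict form of an ObjectPermissions result (for instance `w.permissions.get(...).as_dict()`) and flags high-privilege grants held by broad groups. The sample payload is constructed, and `BROAD_GROUPS`, `HIGH_LEVELS`, `principal_of` and `audit_permissions` are hypothetical names chosen for this illustration.

```python
# Added example: audit the dict form of an ObjectPermissions result.
from typing import Dict, List

# Assumption: groups treated as "everyone" for this review; adjust to local policy.
BROAD_GROUPS = {"users"}
HIGH_LEVELS = {"CAN_MANAGE", "IS_OWNER"}


def principal_of(acl_entry: dict) -> str:
    """Return the principal named in one access_control_list entry."""
    for key in ("user_name", "group_name", "service_principal_name"):
        if acl_entry.get(key):
            return f"{key}:{acl_entry[key]}"
    return "unknown"


def audit_permissions(object_permissions: dict) -> Dict[str, List[dict]]:
    """Split grants into direct and inherited, and flag broad high-privilege grants."""
    report = {"direct": [], "inherited": [], "findings": []}
    for entry in object_permissions.get("access_control_list", []):
        who = principal_of(entry)
        for perm in entry.get("all_permissions", []):
            level = perm.get("permission_level")
            row = {"principal": who, "level": level,
                   "from": perm.get("inherited_from_object", [])}
            report["inherited" if perm.get("inherited") else "direct"].append(row)
            if entry.get("group_name") in BROAD_GROUPS and level in HIGH_LEVELS:
                report["findings"].append(row)
    return report


# Constructed sample, shaped like w.permissions.get(...).as_dict().
SAMPLE = {
    "object_id": "/notebooks/1234",
    "object_type": "notebook",
    "access_control_list": [
        {"user_name": "alice@example.com",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"group_name": "users",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/directories/99"]}]},
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True,
                              "inherited_from_object": ["/directories/"]}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE)["findings"]:
        print("broad grant:", finding)
```

A finding on an inherited grant points at the parent in its `from` field, which is where the grant has to be changed.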

get_permission_levels(request_object_type: str, request_object_id: str) GetPermissionLevelsResponse

Usage:

import time

from databricks.sdk import WorkspaceClient

w = WorkspaceClient()

notebook_path = f'/Users/{w.current_user.me().user_name}/sdk-{time.time_ns()}'

# The notebook at notebook_path must already exist; get_status raises an error otherwise.
obj = w.workspace.get_status(path=notebook_path)

levels = w.permissions.get_permission_levels(request_object_type="notebooks",
                                             request_object_id="%d" % (obj.object_id))

Get object permission levels.

Gets the permission levels that a user can have on an object.

Parameters:
  • request_object_type – str The type of the request object.

  • request_object_id – str The id of the request object.

Returns:

GetPermissionLevelsResponse

set(request_object_type: str, request_object_id: str [, access_control_list: Optional[List[AccessControlRequest]]]) ObjectPermissions

Usage:

import time

from databricks.sdk import WorkspaceClient
from databricks.sdk.service import iam

w = WorkspaceClient()

notebook_path = f'/Users/{w.current_user.me().user_name}/sdk-{time.time_ns()}'

group = w.groups.create(display_name=f'sdk-{time.time_ns()}')

# The notebook at notebook_path must already exist; get_status raises an error otherwise.
obj = w.workspace.get_status(path=notebook_path)

_ = w.permissions.set(request_object_type="notebooks",
                      request_object_id="%d" % (obj.object_id),
                      access_control_list=[
                          iam.AccessControlRequest(group_name=group.display_name,
                                                   permission_level=iam.PermissionLevel.CAN_RUN)
                      ])

# cleanup
w.groups.delete(id=group.id)

Set object permissions.

Sets permissions on an object. Objects can inherit permissions from their parent objects or root object.

Parameters:
  • request_object_type – str The type of the request object. Can be one of the following: authorization, clusters, cluster-policies, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, registered-models, repos, serving-endpoints, or warehouses.

  • request_object_id – str The id of the request object.

  • access_control_list – List[AccessControlRequest] (optional)

Returns:

ObjectPermissions

update(request_object_type: str, request_object_id: str [, access_control_list: Optional[List[AccessControlRequest]]]) ObjectPermissions

Update object permissions.

Updates the permissions on an object. Objects can inherit permissions from their parent objects or root object.

Parameters:
  • request_object_type – str The type of the request object. Can be one of the following: authorization, clusters, cluster-policies, directories, experiments, files, instance-pools, jobs, notebooks, pipelines, registered-models, repos, serving-endpoints, or warehouses.

  • request_object_id – str The id of the request object.

  • access_control_list – List[AccessControlRequest] (optional)

Returns:

ObjectPermissions