Problem
As a Databricks workspace admin, you may notice that some users in your admin group only have the Reader role assigned in your Azure portal. You don’t expect the Reader role to have administrative privileges in Databricks.
Cause
This behavior occurs when the user with a Reader role has additional Azure role assignments, either directly or through group membership, that include the required permissions to manage the Databricks workspace.
According to Microsoft’s documentation, a user who holds one of the following Azure built-in roles on the workspace resource is automatically made a Databricks workspace admin when they launch the workspace from the Azure portal.
- Contributor
- Owner
- Any custom role that includes the required Azure admin permissions
For details on the required Azure admin permissions, review the Azure Databricks administration introduction documentation.
For more information on users, review the Manage users documentation.
Solution
Review and adjust role assignments in the Azure portal.
- In the Azure portal, navigate to the resource group or subscription level where the Databricks workspace is deployed.
- Click Access control (IAM).
- Locate the user or group that should not appear in the Databricks workspace admin group.
- Review all role assignments for the user or group, including roles inherited from the subscription or resource group scope and roles granted through group membership.
- Review the current configuration and refer to the official documentation to ensure it is set up correctly based on your requirements.
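The following added example (not from the Databricks article or Microsoft) shows how to automate the review in the steps above: it takes role assignments in the shape returned by `az role assignment list --assignee <user> --all --include-inherited --include-groups -o json` (field names `principalName`, `principalType`, `roleDefinitionName` and `scope` are assumed from that output) and reports which assignments, direct or via a group, grant Owner/Contributor on the workspace or an ancestor scope. The sample data, subscription id and names are constructed; custom roles must be listed by name because the script does not read role definitions.

```python
import json

# Built-in roles that Microsoft documents as conferring Databricks workspace admin.
ADMIN_BUILTIN_ROLES = {"Owner", "Contributor"}

# Constructed sample in the shape of
#   az role assignment list --assignee alice@example.com --all \
#       --include-inherited --include-groups -o json
# With --include-groups, rows whose principalType is "Group" are assignments
# of groups the assignee belongs to, i.e. indirect grants.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/SUB-ID/resourceGroups/rg-data/providers/Microsoft.Databricks/workspaces/ws-prod"},
  {"principalName": "data-platform-admins", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/SUB-ID/resourceGroups/rg-data"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/SUB-ID/resourceGroups/rg-other"}
]""")

WORKSPACE_SCOPE = ("/subscriptions/SUB-ID/resourceGroups/rg-data"
                   "/providers/Microsoft.Databricks/workspaces/ws-prod")


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope applies to target_scope
    (same scope, or an ancestor from which the assignment is inherited)."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def find_admin_grants(assignments, workspace_scope, admin_custom_roles=()):
    """Return (role, scope, via) for every assignment that makes the queried
    user a workspace admin. admin_custom_roles: names of custom roles you have
    verified to carry the required Databricks admin permissions."""
    admin_roles = ADMIN_BUILTIN_ROLES | set(admin_custom_roles)
    grants = []
    for a in assignments:
        if a["roleDefinitionName"] not in admin_roles:
            continue
        if not scope_covers(a["scope"], workspace_scope):
            continue  # e.g. Owner on an unrelated resource group does not apply
        via = "direct" if a["principalType"] == "User" else f"group:{a['principalName']}"
        grants.append((a["roleDefinitionName"], a["scope"], via))
    return grants


if __name__ == "__main__":
    for role, scope, via in find_admin_grants(SAMPLE_ASSIGNMENTS, WORKSPACE_SCOPE):
        print(f"{role:<12} via {via:<30} at {scope}")
```

In the sample, the user's own Reader assignment is not the reason she is an admin; the Contributor role on the resource group, inherited through the `data-platform-admins` group, is.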
For additional details, see the “What are workspace admins?” section of the Azure Databricks administration introduction documentation.