Azure Databricks SCIM provisioning


I am planning to enable SCIM provisioning for my Azure Databricks resource. The MS docs say it is always recommended to enable SCIM at the account level and not at the individual workspace level. So if I enable SCIM provisioning for Databricks at the account level and register an application in Azure AD, how do I give various groups access to individual workspaces?

Say I create a group, "Finance-Admin", and add this group to the Azure AD application; then members belonging to this group will get access to Databricks.

But what if I want to create two groups, "Finance-Admin" and "Finance-Users"?

Now I want to give "Finance-Admin" users permission on the Finance workspace so that they can create clusters and add node pools.

For the users in the "Finance-Users" group I want to give only permission to restart clusters in the Finance workspace.

So how do I do these things if I am using Terraform to provision clusters and also provide cluster permissions using IaC?

Is this achievable with SCIM provisioning at the account level, or do I need to do SCIM provisioning at the workspace level for what I am trying to achieve?

1 answer:

Yes, it's possible to do that using account-level SCIM synchronization: the SCIM connector will sync groups and users into the Account Console, and then you can assign groups to the specific workspaces. With the Databricks Terraform provider, account-level users/groups are assigned to workspaces using the mws_permission_assignment resource.
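The following is an added Terraform example (not from the answer above or from Databricks) that carries the question's two groups through all three layers: account-level workspace assignment with `databricks_mws_permission_assignment`, the workspace-level cluster/pool creation entitlements for Finance-Admin, and a restart-only cluster ACL for Finance-Users. It assumes two configured provider aliases, `databricks.account` (host `https://accounts.azuredatabricks.net` plus `account_id`) and `databricks.finance` (the Finance workspace URL), the variable `var.finance_workspace_id`, and a `databricks_cluster.finance` resource defined elsewhere.

```hcl
# Account-level lookup of the two groups that Azure AD SCIM created.
# The provider aliases "databricks.account" / "databricks.finance" are assumed.
data "databricks_group" "finance_admin" {
  provider     = databricks.account
  display_name = "Finance-Admin"
}
data "databricks_group" "finance_users" {
  provider     = databricks.account
  display_name = "Finance-Users"
}

# Step 1 (account level): assign both groups to the workspace as ordinary users.
# Neither group needs "ADMIN" (workspace admin) for what the question asks.
resource "databricks_mws_permission_assignment" "finance_admin" {
  provider     = databricks.account
  workspace_id = var.finance_workspace_id   # assumption: numeric workspace id
  principal_id = data.databricks_group.finance_admin.id
  permissions  = ["USER"]
}
resource "databricks_mws_permission_assignment" "finance_users" {
  provider     = databricks.account
  workspace_id = var.finance_workspace_id
  principal_id = data.databricks_group.finance_users.id
  permissions  = ["USER"]
}

# Step 2 (workspace level): once assigned, the group is visible in the workspace;
# grant Finance-Admin the entitlements to create clusters and instance pools.
data "databricks_group" "finance_admin_ws" {
  provider     = databricks.finance
  display_name = "Finance-Admin"
  depends_on   = [databricks_mws_permission_assignment.finance_admin]
}
resource "databricks_entitlements" "finance_admin" {
  provider                   = databricks.finance
  group_id                   = data.databricks_group.finance_admin_ws.id
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

# Step 3 (workspace level): Finance-Users may only restart the shared cluster,
# not attach to it with manage rights or edit its configuration.
resource "databricks_permissions" "finance_cluster" {
  provider   = databricks.finance
  cluster_id = databricks_cluster.finance.id   # assumption: defined elsewhere
  access_control {
    group_name       = "Finance-Users"
    permission_level = "CAN_RESTART"
  }
  depends_on = [databricks_mws_permission_assignment.finance_users]
}
```

Keeping both groups at `permissions = ["USER"]` and adding only the entitlements they need is the least-privilege route; `["ADMIN"]` would make Finance-Admin full workspace admins, which is more than cluster and pool creation requires.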