Is it possible to assign permissions automatically to groups for newly created components in Databricks?

Question

I have assigned some permissions to databricks groups for existing Azure databricks components i.e. cluster & Jobs. Is it any way that we automatically assign permissions to newly created cluster & Jobs? I notice online documentation that only for existing components we can able to assign permissions. Imagine if we add new job and anyone can able to access it and run it! I understand, we have cluster policy to restrict number of workers or specific runtime to use but the permissions to groups i.e. CAN_MANAGE or CAN_MANAGE_RUN. I expect these permissions should automatically setup once new components created.

Sorry if it is a stupid question. Do we have any way to do it?

Answer 1

I tried to reproduce from my end.

Code:

resource "azurerm_databricks_workspace" "example" {
  name                = "databricks-test"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  sku                 = "standard"

  tags = {
    Environment = "Production"
  }
}

resource "databricks_group" "my_group" {
  display_name               = "SomekavyaGroup"
  allow_cluster_create       = true
  allow_instance_pool_create = true
}

resource "databricks_user_role" "my_user_account_admin" {
  user_id = databricks_group.my_group.id
  role    = "account_admin"
}

 

Through terraform automation, we need to define groups and assign and define roles particularly or loop through defined groups and then run so that groups and roles and assigned simultaneously .But Its possible only , when we define the logic for the incoming users

But according to documentation role could be a pre-defined role such as account admin, or an instance profile ARN.

In other cases check servicePrincipal resource type - Microsoft Graph v1.0 | Microsoft Learn to microsoft graph to assign roles.