Configure Databricks enterprise SSO, Unity Catalog RBAC, and organization management. Use when implementing SSO integration, configuring role-based permissions, or setting up organization-level controls with Unity Catalog. Trigger with phrases like "databricks SSO", "databricks RBAC", "databricks enterprise", "unity catalog permissions", "databricks SCIM".
Implement access control across Databricks using Unity Catalog privileges, workspace-level entitlements, and SCIM-provisioned groups. Unity Catalog enforces a three-level namespace (catalog.schema.table) with privilege inheritance: a privilege granted on a catalog applies to every schema and table beneath it, and a principal needs USE CATALOG on the catalog plus USE SCHEMA on the schema (the privileges formerly named USAGE) before any table-level grant takes effect.
```bash
# Provision account-level groups that map 1:1 to IdP teams, so SCIM keeps membership in sync
databricks account groups create --json '{
  "displayName": "data-engineers",
  "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]
}'
databricks account groups create --json '{
  "displayName": "data-analysts",
  "entitlements": [{"value": "workspace-access"}, {"value": "databricks-sql-access"}]
}'
```
```sql
-- Unity Catalog privilege names: USE CATALOG / USE SCHEMA / CREATE TABLE replace the
-- legacy Hive metastore USAGE / CREATE privileges.
-- Data Engineers: full ETL access to bronze/silver, read gold
GRANT USE CATALOG ON CATALOG analytics TO `data-engineers`;
GRANT USE SCHEMA, CREATE TABLE, MODIFY, SELECT ON SCHEMA analytics.bronze TO `data-engineers`;
GRANT USE SCHEMA, CREATE TABLE, MODIFY, SELECT ON SCHEMA analytics.silver TO `data-engineers`;
GRANT USE SCHEMA, SELECT ON SCHEMA analytics.gold TO `data-engineers`;
-- Analysts: read-only on curated gold tables
GRANT USE CATALOG ON CATALOG analytics TO `data-analysts`;
GRANT USE SCHEMA, SELECT ON SCHEMA analytics.gold TO `data-analysts`;
```
```json
{
  "name": "analyst-serverless-only",
  "definition": {
    "cluster_type": { "type": "fixed", "value": "all-purpose" },
    "autotermination_minutes": { "type": "range", "maxValue": 30 },
    "num_workers": { "type": "range", "maxValue": 4 }
  }
}
```
Assign the policy to data-analysts so they cannot spin up oversized clusters. The limits above cap worker count and idle time; blocking GPU instances specifically requires an additional allowlist or regex restriction on node_type_id in the same policy.
```bash
# The Permissions API expects the ACL wrapped in access_control_list
databricks permissions update sql/warehouses WAREHOUSE_ID --json '{
  "access_control_list": [
    {"group_name": "data-analysts", "permission_level": "CAN_USE"},
    {"group_name": "data-engineers", "permission_level": "CAN_MANAGE"}
  ]
}'
```
```sql
-- Review every grant/revoke in the last 30 days; the OR must be parenthesised,
-- otherwise AND binds tighter and the date filter only applies to the Revoke branch
SELECT event_time, user_identity.email, action_name, request_params
FROM system.access.audit
WHERE (action_name LIKE '%Grant%' OR action_name LIKE '%Revoke%')
  AND event_date > current_date() - INTERVAL 30 DAYS
ORDER BY event_time DESC;
```
| Issue | Cause | Solution |
|---|---|---|
| PERMISSION_DENIED on table | Missing USE CATALOG / USE SCHEMA (formerly USAGE) on parent catalog/schema | Grant the USE privilege at each namespace level |
| SCIM sync fails | Expired bearer token | Regenerate account-level PAT |
| Cluster start blocked | No matching cluster policy | Assign a permissive policy to the group |
| Cannot see SQL warehouse | Missing CAN_USE grant | Add warehouse permission for the group |
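The grant plan above and the PERMISSION_DENIED row in the table describe the same two risks: a schema grant that is unusable because the parent USE CATALOG / USE SCHEMA is missing, and a write privilege leaking onto the curated gold layer. The linter below is an added example (not part of the original skill or any Databricks tooling) that parses a plan of GRANT statements and reports both before they are applied; the sample plan and the `gold_writers` parameter are constructed for this illustration.

```python
import re
from collections import defaultdict

# Matches the GRANT ... ON CATALOG|SCHEMA ... TO `principal`; form used on this page.
GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<privs>[A-Za-z ,]+?)\s+ON\s+(?P<kind>CATALOG|SCHEMA)\s+"
    r"(?P<obj>[\w.]+)\s+TO\s+`?(?P<principal>[^`;\s]+)`?",
    re.IGNORECASE | re.MULTILINE,
)
WRITE_PRIVS = {"MODIFY", "CREATE TABLE"}

def parse_grants(sql):
    """Return {principal: {(kind, object): set(privileges)}} from GRANT statements."""
    grants = defaultdict(lambda: defaultdict(set))
    for m in GRANT_RE.finditer(sql):
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        grants[m["principal"]][(m["kind"].upper(), m["obj"])] |= privs
    return grants

def check_grants(sql, gold_writers=frozenset()):
    """Return findings as strings; an empty list means the plan passes both checks."""
    findings = []
    for principal, objs in parse_grants(sql).items():
        for (kind, obj), privs in objs.items():
            if kind != "SCHEMA":
                continue
            catalog = obj.split(".")[0]
            cat_privs = objs.get(("CATALOG", catalog), set())
            # Three-level namespace: a schema grant needs USE CATALOG on the parent and USE SCHEMA (direct or inherited).
            if "USE CATALOG" not in cat_privs:
                findings.append(f"{principal}: no USE CATALOG on {catalog}, needed for {obj}")
            if "USE SCHEMA" not in privs and "USE SCHEMA" not in cat_privs:
                findings.append(f"{principal}: no USE SCHEMA on {obj}")
            # Least privilege: only designated writers may modify the curated gold layer.
            if obj.endswith(".gold") and principal not in gold_writers and privs & WRITE_PRIVS:
                findings.append(f"{principal}: write privilege on curated schema {obj}")
    return findings

# Constructed sample plan: the first three statements mirror the grants above, the rest are deliberate defects.
SAMPLE_PLAN = """
GRANT USE CATALOG ON CATALOG analytics TO `data-engineers`;
GRANT USE SCHEMA, CREATE TABLE, MODIFY, SELECT ON SCHEMA analytics.bronze TO `data-engineers`;
GRANT USE SCHEMA, SELECT ON SCHEMA analytics.gold TO `data-engineers`;
GRANT USE SCHEMA, SELECT ON SCHEMA analytics.gold TO `marketing-analysts`;  -- no USE CATALOG on parent
GRANT USE CATALOG ON CATALOG analytics TO `data-analysts`;
GRANT USE SCHEMA, SELECT, MODIFY ON SCHEMA analytics.gold TO `data-analysts`;  -- MODIFY on gold
"""

if __name__ == "__main__":
    print(*check_grants(SAMPLE_PLAN, gold_writers={"data-engineers"}), sep="\n")
```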