account access-control command group

Note

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The account access-control command group within the Databricks CLI contains commands to manage access rules on resources in an account.

databricks account access-control get-assignable-roles-for-resource

Get all the roles that can be granted on an account level resource. A role is grantable if the rule set on the resource can contain an access rule of the role.

databricks account access-control get-assignable-roles-for-resource RESOURCE [flags]

Arguments

RESOURCE

    The resource name for which assignable roles will be listed, for example:

  • resource=accounts/<ACCOUNT_ID> - A resource name for the account
  • resource=accounts/<ACCOUNT_ID>/groups/<GROUP_ID> - A resource name for the group
  • resource=accounts/<ACCOUNT_ID>/servicePrincipals/<SP_ID> - A resource name for the service principal
  • resource=accounts/<ACCOUNT_ID>/tagPolicies/<TAG_POLICY_ID> - A resource name for the tag policy

Options

Global flags

Examples

The following example gets assignable roles for an account resource:

databricks account access-control get-assignable-roles-for-resource "resource=accounts/12345"

The following example gets assignable roles for a group resource:

databricks account access-control get-assignable-roles-for-resource "resource=accounts/12345/groups/67890"

databricks account access-control get-rule-set

Get a rule set by its name. A rule set is always attached to a resource and contains a list of access rules on the said resource. Currently only a default rule set for each resource is supported.

databricks account access-control get-rule-set NAME ETAG [flags]

Arguments

NAME

    The ruleset name associated with the request, for example:

  • name=accounts/<ACCOUNT_ID>/ruleSets/default - A name for a rule set on the account
  • name=accounts/<ACCOUNT_ID>/groups/<GROUP_ID>/ruleSets/default - A name for a rule set on the group
  • name=accounts/<ACCOUNT_ID>/servicePrincipals/<SERVICE_PRINCIPAL_APPLICATION_ID>/ruleSets/default - A name for a rule set on the service principal
  • name=accounts/<ACCOUNT_ID>/tagPolicies/<TAG_POLICY_ID>/ruleSets/default - A name for a rule set on the tag policy

ETAG

    Etag used for versioning. The response is at least as fresh as the eTag provided. The etag is used for optimistic concurrency control, to help prevent simultaneous updates of a rule set from overwriting each other. It is strongly suggested that systems use the etag in the read → modify → write pattern when updating a rule set, to avoid race conditions: get an etag from a GET rule set request, and pass it with the PUT update request to identify the rule set version you are updating. For example:

  • etag= - An empty etag can only be used in GET to indicate no freshness requirements
  • etag=RENUAAABhSweA4NvVmmUYdiU717H3Tgy0UJdor3gE4a+mq/oj9NjAf8ZsQ== - An etag that encodes a specific version of the rule set to get or to be updated

Options

Global flags

Examples

The following example gets a rule set for an account with no freshness requirements:

databricks account access-control get-rule-set "name=accounts/12345/ruleSets/default" ""

The following example gets a rule set with a specific etag version:

databricks account access-control get-rule-set "name=accounts/12345/ruleSets/default" "RENUAAABhSweA4NvVmmUYdiU717H3Tgy0UJdor3gE4a+mq/oj9NjAf8ZsQ=="

databricks account access-control update-rule-set

Replace the rules of a rule set. First, use get-rule-set to read the current version of the rule set before modifying it. This pattern helps prevent conflicts between concurrent updates.

databricks account access-control update-rule-set [flags]

Options

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

Global flags

Examples

The following example updates a rule set using JSON:

databricks account access-control update-rule-set --json '{"name": "accounts/12345/ruleSets/default", "grant_rules": [{"role": "roles/account.admin", "principals": [{"principal": "users/user@example.com"}]}], "etag": "RENUAAABhSweA4NvVmmUYdiU717H3Tgy0UJdor3gE4a+mq/oj9NjAf8ZsQ=="}'

The following example updates a rule set using a JSON file:

databricks account access-control update-rule-set --json @rule-set.json
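The read → modify → write pattern described for ETAG and update-rule-set, as an added example (not Databricks code): it merges one grant into the rule set that was read, so existing grants are not dropped by the replace, and sends back the etag from that read. Assumptions: get-rule-set with -o json returns name, etag and grant_rules in the same shape as the update body shown above; the function names and the sample data are hypothetical.

```python
import copy
import json
import subprocess

CLI = ["databricks", "account", "access-control"]

def add_grant(current, role, principal):
    """Build an update body that keeps every existing grant and adds one principal."""
    if not current.get("etag"):
        raise ValueError("no etag in the rule set that was read; read it again")
    rules = copy.deepcopy(current.get("grant_rules", []))
    entry = {"principal": principal}  # principal shape as in this page's example
    for rule in rules:
        if rule.get("role") == role:
            if entry not in rule.setdefault("principals", []):
                rule["principals"].append(entry)
            break
    else:
        rules.append({"role": role, "principals": [entry]})
    # update-rule-set replaces the rules, so the body carries the full list,
    # and the etag names the version this list was derived from.
    return {"name": current["name"], "grant_rules": rules, "etag": current["etag"]}

def read_rule_set(name):
    """GET with an empty etag (no freshness requirement), parsed from -o json."""
    out = subprocess.run(CLI + ["get-rule-set", f"name={name}", "", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)  # assumed fields: name, etag, grant_rules

def grant(name, role, principal):
    """Read, modify, write. A failed write raises; the caller starts again from the read."""
    body = add_grant(read_rule_set(name), role, principal)
    subprocess.run(CLI + ["update-rule-set", "--json", json.dumps(body)], check=True)
    return body

# Constructed sample of what a read might return (not real output).
SAMPLE = {
    "name": "accounts/12345/ruleSets/default",
    "etag": "CONSTRUCTED_ETAG",
    "grant_rules": [{"role": "roles/group.manager",
                     "principals": [{"principal": "users/other@example.com"}]}],
}

if __name__ == "__main__":
    body = add_grant(SAMPLE, "roles/account.admin", "users/user@example.com")
    print(json.dumps(body, indent=2))
```

If the write is rejected because the rule set changed after the read, rebuild the body from a fresh read instead of resending the old one; resending the stale list would undo the other writer's change.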

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified then if it exists, the profile named DEFAULT is used.

--progress-format format

    The format to display progress logs: default, append, inplace, or json

-t, --target string

    If applicable, the bundle target to use