Provisioning Users and Groups Using SCIM

Databricks supports SCIM, or System for Cross-domain Identity Management, an open standard that allows you to automate user provisioning. SCIM lets you use an identity provider (IdP) like Okta or Azure Active Directory to create users in Databricks and give them the proper level of access, as well as remove access for users (deprovision them) when they leave your organization or no longer need access to Databricks. You can also invoke the Databricks SCIM API directly to manage provisioning.

The Databricks SCIM API follows version 2.0 of the SCIM protocol.

Preview

This feature is in Public Preview.

Note

You must be a Databricks administrator to configure identity providers to provision users to Databricks or to invoke the Databricks SCIM API directly.

Note

When you use SCIM provisioning, user and group attributes stored in your IdP can override changes you make using the Databricks Admin Console and Groups API. For example, if a user is assigned the Allow Cluster Creation entitlement in your IdP and you remove that entitlement using the Users tab on the Databricks Admin Console, the user will be re-granted that entitlement the next time the IdP syncs with Databricks, if the IdP is configured to provision that entitlement. The same behavior applies to groups.

This section includes the following topics:

To learn how to use the Databricks SCIM API, see SCIM API.