Manage workspace-local groups (legacy)

Article
2025-04-25

This article explains how admins create and manage legacy workspace-local groups. For an overview of account groups, the primary groups in Azure Databricks see Groups.

What are workspace-local groups?

Workspace-local groups are legacy groups. These groups are identified as having a source of Workspace. You can only use workspace-local groups in the workspace they are defined in. They cannot be assigned to additional workspaces or granted access to data in a Unity Catalog metastore. Workspace-local groups cannot be granted account-level roles or managed using account-level interfaces. To take advantage of centralized identity, Databricks recommends that you use account groups instead of workspace-local groups.

In identity federated workspaces, workspace-local groups can only be managed using the Workspace Groups API. In non-identity federated workspaces, workspace admins can also manage workspace-local groups using the workspace admin settings page.

Migrate workspace-local groups to account groups

Databricks recommends converting workspace-local groups to account groups for centralized identity administration.

Step 1: Migrate workspace-level SCIM provisioning to the account

Databricks recommends that you configure automatic identity management to sync groups from Microsoft Entra ID to Azure Databricks. If you currently have workspace-level SCIM provisioning set up for your workspaces, you must disable the workspace-level SCIM provisioner. Otherwise, workspace-level SCIM continues to create and update workspace-local groups. To configure automatic identity management, see Sync users and groups automatically from Microsoft Entra ID.

Step 2: Change the name of your workspace-local groups

Two groups in a workspace cannot have the same name. You must change the name of your workspace-local groups in order to add a new account group to the workspace with the same name. These steps recommend adding (workspace) to the group’s name.

As a workspace admin, log in to the Azure Databricks workspace.
Click your username in the top bar of the Azure Databricks workspace and select Settings.
Click the Groups tab and select the workspace-local group that you want to convert to an account group.
Under Name, add (workspace) to the end of the group’s name.
Click Save.

Step 3: Grant the account groups permissions

Grant the newly provisioned account groups access to the same functionalities their workspace-local counterparts had. For each new account group:

Grant the group access to your workspace. See Assign a group to a workspace.
Assign workspace entitlements on the new account groups, following the instructions in Manage entitlements on groups.
Use the UCX utilities group migration workflow to migrate the workspace-level groups’ permissions to workspace-level objects to the new account groups. See Step 2. Run the group migration workflow. You can also migrate permissions manually using the Permissions API.

Step 4: Delete the workspace-local groups

Now that you have migrated your workspace-local group to the account and you can delete your workspace-local groups.

On the Groups tab, select the workspace-local group that you converted to an account group.
Click x Delete and click Delete to confirm.

Manage workspace-local groups using the API

Workspace admins can add and manage workspace-local groups using the workspace-level SCIM API. In identity federated workspaces, workspace-local groups can only be managed using the API. For instructions, see Workspace Groups API.

Manage workspace-local groups using the admin settings page

Workspace admins can add and manage workspace-local groups using the workspace admin settings page in non-identity federated workspaces.

Create a workspace-local group using the admin settings page

To add a workspace-local group to a workspace using the admin settings, do the following:

As a workspace admin, log in to the Azure Databricks workspace.
Click your username in the top bar of the Azure Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to Groups, click Manage.
Click Create Group.
Enter a group name and click Create.

Group names must be unique. You cannot change a group name. If you want to change a group name, you must delete the group and recreate it with the new name.

Add members to a workspace-local group using the admin settings page

Note

You cannot add a child group to the admins group.

As a workspace admin, log in to the Azure Databricks workspace.
Click your username in the top bar of the Azure Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to Groups, click Manage.
Select the group you want to update.
On the Members tab, click Add users, groups, or service principals.
On the dialog, browse or search for the users, service principals, and groups you want to add and select them.
Click Confirm.

You might need to click the down arrow in the selector to hide the drop-down list and show the Confirm button.

Remove a user, group, or service principal from a workspace-local group

As a workspace admin, log in to the Azure Databricks workspace.
Click your username in the top bar of the Azure Databricks workspace and select Settings.
Click on the Identity and access tab.
Next to Groups, click Manage.
Select the group you want to update.
On the Members tab, find the user, group, or service principal you want to remove and click the X in the Actions column.
Click Remove Member to confirm.