Docs Home
Databricks v1.56.0 published on Tuesday, Nov 12, 2024 by Pulumi
databricks.AccessControlRuleSet
Explore with Pulumi AI
This resource can be used with an account or workspace-level provider.
This resource allows you to manage access rules on Databricks account level resources. For convenience we allow accessing this resource through the Databricks account and workspace.
Currently, we only support managing access rules on service principal, group and account resources through
databricks.AccessControlRuleSet.
!> databricks.AccessControlRuleSet cannot be used to manage access rules for resources supported by databricks_permissions. Refer to its documentation for more information.
Service principal rule set usage
Through a Databricks workspace:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const accountId = "00000000-0000-0000-0000-000000000000";
// account level group
const ds = databricks.getGroup({
displayName: "Data Science",
});
const automationSp = new databricks.ServicePrincipal("automation_sp", {displayName: "SP_FOR_AUTOMATION"});
const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", {
name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`,
grantRules: [{
principals: [ds.then(ds => ds.aclPrincipalId)],
role: "roles/servicePrincipal.user",
}],
});
import pulumi
import pulumi_databricks as databricks
account_id = "00000000-0000-0000-0000-000000000000"
# account level group
ds = databricks.get_group(display_name="Data Science")
automation_sp = databricks.ServicePrincipal("automation_sp", display_name="SP_FOR_AUTOMATION")
automation_sp_rule_set = databricks.AccessControlRuleSet("automation_sp_rule_set",
name=automation_sp.application_id.apply(lambda application_id: f"accounts/{account_id}/servicePrincipals/{application_id}/ruleSets/default"),
grant_rules=[{
"principals": [ds.acl_principal_id],
"role": "roles/servicePrincipal.user",
}])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
accountId := "00000000-0000-0000-0000-000000000000"
// account level group
ds, err := databricks.LookupGroup(ctx, &databricks.LookupGroupArgs{
DisplayName: "Data Science",
}, nil)
if err != nil {
return err
}
automationSp, err := databricks.NewServicePrincipal(ctx, "automation_sp", &databricks.ServicePrincipalArgs{
DisplayName: pulumi.String("SP_FOR_AUTOMATION"),
})
if err != nil {
return err
}
_, err = databricks.NewAccessControlRuleSet(ctx, "automation_sp_rule_set", &databricks.AccessControlRuleSetArgs{
Name: automationSp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
return fmt.Sprintf("accounts/%v/servicePrincipals/%v/ruleSets/default", accountId, applicationId), nil
}).(pulumi.StringOutput),
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
pulumi.String(ds.AclPrincipalId),
},
Role: pulumi.String("roles/servicePrincipal.user"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var accountId = "00000000-0000-0000-0000-000000000000";
// account level group
var ds = Databricks.GetGroup.Invoke(new()
{
DisplayName = "Data Science",
});
var automationSp = new Databricks.ServicePrincipal("automation_sp", new()
{
DisplayName = "SP_FOR_AUTOMATION",
});
var automationSpRuleSet = new Databricks.AccessControlRuleSet("automation_sp_rule_set", new()
{
Name = automationSp.ApplicationId.Apply(applicationId => $"accounts/{accountId}/servicePrincipals/{applicationId}/ruleSets/default"),
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
ds.Apply(getGroupResult => getGroupResult.AclPrincipalId),
},
Role = "roles/servicePrincipal.user",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetGroupArgs;
import com.pulumi.databricks.ServicePrincipal;
import com.pulumi.databricks.ServicePrincipalArgs;
import com.pulumi.databricks.AccessControlRuleSet;
import com.pulumi.databricks.AccessControlRuleSetArgs;
import com.pulumi.databricks.inputs.AccessControlRuleSetGrantRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var accountId = "00000000-0000-0000-0000-000000000000";
// account level group
final var ds = DatabricksFunctions.getGroup(GetGroupArgs.builder()
.displayName("Data Science")
.build());
var automationSp = new ServicePrincipal("automationSp", ServicePrincipalArgs.builder()
.displayName("SP_FOR_AUTOMATION")
.build());
var automationSpRuleSet = new AccessControlRuleSet("automationSpRuleSet", AccessControlRuleSetArgs.builder()
.name(automationSp.applicationId().applyValue(applicationId -> String.format("accounts/%s/servicePrincipals/%s/ruleSets/default", accountId,applicationId)))
.grantRules(AccessControlRuleSetGrantRuleArgs.builder()
.principals(ds.applyValue(getGroupResult -> getGroupResult.aclPrincipalId()))
.role("roles/servicePrincipal.user")
.build())
.build());
}
}
resources:
automationSp:
type: databricks:ServicePrincipal
name: automation_sp
properties:
displayName: SP_FOR_AUTOMATION
automationSpRuleSet:
type: databricks:AccessControlRuleSet
name: automation_sp_rule_set
properties:
name: accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default
grantRules:
- principals:
- ${ds.aclPrincipalId}
role: roles/servicePrincipal.user
variables:
accountId: 00000000-0000-0000-0000-000000000000
# account level group
ds:
fn::invoke:
Function: databricks:getGroup
Arguments:
displayName: Data Science
Through AWS Databricks account:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
const ds = new databricks.Group("ds", {displayName: "Data Science"});
const automationSp = new databricks.ServicePrincipal("automation_sp", {displayName: "SP_FOR_AUTOMATION"});
const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", {
name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`,
grantRules: [{
principals: [ds.aclPrincipalId],
role: "roles/servicePrincipal.user",
}],
});
import pulumi
import pulumi_databricks as databricks
account_id = "00000000-0000-0000-0000-000000000000"
# account level group creation
ds = databricks.Group("ds", display_name="Data Science")
automation_sp = databricks.ServicePrincipal("automation_sp", display_name="SP_FOR_AUTOMATION")
automation_sp_rule_set = databricks.AccessControlRuleSet("automation_sp_rule_set",
name=automation_sp.application_id.apply(lambda application_id: f"accounts/{account_id}/servicePrincipals/{application_id}/ruleSets/default"),
grant_rules=[{
"principals": [ds.acl_principal_id],
"role": "roles/servicePrincipal.user",
}])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
accountId := "00000000-0000-0000-0000-000000000000"
// account level group creation
ds, err := databricks.NewGroup(ctx, "ds", &databricks.GroupArgs{
DisplayName: pulumi.String("Data Science"),
})
if err != nil {
return err
}
automationSp, err := databricks.NewServicePrincipal(ctx, "automation_sp", &databricks.ServicePrincipalArgs{
DisplayName: pulumi.String("SP_FOR_AUTOMATION"),
})
if err != nil {
return err
}
_, err = databricks.NewAccessControlRuleSet(ctx, "automation_sp_rule_set", &databricks.AccessControlRuleSetArgs{
Name: automationSp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
return fmt.Sprintf("accounts/%v/servicePrincipals/%v/ruleSets/default", accountId, applicationId), nil
}).(pulumi.StringOutput),
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
ds.AclPrincipalId,
},
Role: pulumi.String("roles/servicePrincipal.user"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
var ds = new Databricks.Group("ds", new()
{
DisplayName = "Data Science",
});
var automationSp = new Databricks.ServicePrincipal("automation_sp", new()
{
DisplayName = "SP_FOR_AUTOMATION",
});
var automationSpRuleSet = new Databricks.AccessControlRuleSet("automation_sp_rule_set", new()
{
Name = automationSp.ApplicationId.Apply(applicationId => $"accounts/{accountId}/servicePrincipals/{applicationId}/ruleSets/default"),
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
ds.AclPrincipalId,
},
Role = "roles/servicePrincipal.user",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Group;
import com.pulumi.databricks.GroupArgs;
import com.pulumi.databricks.ServicePrincipal;
import com.pulumi.databricks.ServicePrincipalArgs;
import com.pulumi.databricks.AccessControlRuleSet;
import com.pulumi.databricks.AccessControlRuleSetArgs;
import com.pulumi.databricks.inputs.AccessControlRuleSetGrantRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
var ds = new Group("ds", GroupArgs.builder()
.displayName("Data Science")
.build());
var automationSp = new ServicePrincipal("automationSp", ServicePrincipalArgs.builder()
.displayName("SP_FOR_AUTOMATION")
.build());
var automationSpRuleSet = new AccessControlRuleSet("automationSpRuleSet", AccessControlRuleSetArgs.builder()
.name(automationSp.applicationId().applyValue(applicationId -> String.format("accounts/%s/servicePrincipals/%s/ruleSets/default", accountId,applicationId)))
.grantRules(AccessControlRuleSetGrantRuleArgs.builder()
.principals(ds.aclPrincipalId())
.role("roles/servicePrincipal.user")
.build())
.build());
}
}
resources:
# account level group creation
ds:
type: databricks:Group
properties:
displayName: Data Science
automationSp:
type: databricks:ServicePrincipal
name: automation_sp
properties:
displayName: SP_FOR_AUTOMATION
automationSpRuleSet:
type: databricks:AccessControlRuleSet
name: automation_sp_rule_set
properties:
name: accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default
grantRules:
- principals:
- ${ds.aclPrincipalId}
role: roles/servicePrincipal.user
variables:
accountId: 00000000-0000-0000-0000-000000000000
Through Azure Databricks account:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
const ds = new databricks.Group("ds", {displayName: "Data Science"});
const automationSp = new databricks.ServicePrincipal("automation_sp", {
applicationId: "00000000-0000-0000-0000-000000000000",
displayName: "SP_FOR_AUTOMATION",
});
const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", {
name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`,
grantRules: [{
principals: [ds.aclPrincipalId],
role: "roles/servicePrincipal.user",
}],
});
import pulumi
import pulumi_databricks as databricks
account_id = "00000000-0000-0000-0000-000000000000"
# account level group creation
ds = databricks.Group("ds", display_name="Data Science")
automation_sp = databricks.ServicePrincipal("automation_sp",
application_id="00000000-0000-0000-0000-000000000000",
display_name="SP_FOR_AUTOMATION")
automation_sp_rule_set = databricks.AccessControlRuleSet("automation_sp_rule_set",
name=automation_sp.application_id.apply(lambda application_id: f"accounts/{account_id}/servicePrincipals/{application_id}/ruleSets/default"),
grant_rules=[{
"principals": [ds.acl_principal_id],
"role": "roles/servicePrincipal.user",
}])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
accountId := "00000000-0000-0000-0000-000000000000"
// account level group creation
ds, err := databricks.NewGroup(ctx, "ds", &databricks.GroupArgs{
DisplayName: pulumi.String("Data Science"),
})
if err != nil {
return err
}
automationSp, err := databricks.NewServicePrincipal(ctx, "automation_sp", &databricks.ServicePrincipalArgs{
ApplicationId: pulumi.String("00000000-0000-0000-0000-000000000000"),
DisplayName: pulumi.String("SP_FOR_AUTOMATION"),
})
if err != nil {
return err
}
_, err = databricks.NewAccessControlRuleSet(ctx, "automation_sp_rule_set", &databricks.AccessControlRuleSetArgs{
Name: automationSp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
return fmt.Sprintf("accounts/%v/servicePrincipals/%v/ruleSets/default", accountId, applicationId), nil
}).(pulumi.StringOutput),
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
ds.AclPrincipalId,
},
Role: pulumi.String("roles/servicePrincipal.user"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
var ds = new Databricks.Group("ds", new()
{
DisplayName = "Data Science",
});
var automationSp = new Databricks.ServicePrincipal("automation_sp", new()
{
ApplicationId = "00000000-0000-0000-0000-000000000000",
DisplayName = "SP_FOR_AUTOMATION",
});
var automationSpRuleSet = new Databricks.AccessControlRuleSet("automation_sp_rule_set", new()
{
Name = automationSp.ApplicationId.Apply(applicationId => $"accounts/{accountId}/servicePrincipals/{applicationId}/ruleSets/default"),
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
ds.AclPrincipalId,
},
Role = "roles/servicePrincipal.user",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Group;
import com.pulumi.databricks.GroupArgs;
import com.pulumi.databricks.ServicePrincipal;
import com.pulumi.databricks.ServicePrincipalArgs;
import com.pulumi.databricks.AccessControlRuleSet;
import com.pulumi.databricks.AccessControlRuleSetArgs;
import com.pulumi.databricks.inputs.AccessControlRuleSetGrantRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
var ds = new Group("ds", GroupArgs.builder()
.displayName("Data Science")
.build());
var automationSp = new ServicePrincipal("automationSp", ServicePrincipalArgs.builder()
.applicationId("00000000-0000-0000-0000-000000000000")
.displayName("SP_FOR_AUTOMATION")
.build());
var automationSpRuleSet = new AccessControlRuleSet("automationSpRuleSet", AccessControlRuleSetArgs.builder()
.name(automationSp.applicationId().applyValue(applicationId -> String.format("accounts/%s/servicePrincipals/%s/ruleSets/default", accountId,applicationId)))
.grantRules(AccessControlRuleSetGrantRuleArgs.builder()
.principals(ds.aclPrincipalId())
.role("roles/servicePrincipal.user")
.build())
.build());
}
}
resources:
# account level group creation
ds:
type: databricks:Group
properties:
displayName: Data Science
automationSp:
type: databricks:ServicePrincipal
name: automation_sp
properties:
applicationId: 00000000-0000-0000-0000-000000000000
displayName: SP_FOR_AUTOMATION
automationSpRuleSet:
type: databricks:AccessControlRuleSet
name: automation_sp_rule_set
properties:
name: accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default
grantRules:
- principals:
- ${ds.aclPrincipalId}
role: roles/servicePrincipal.user
variables:
accountId: 00000000-0000-0000-0000-000000000000
Through GCP Databricks account:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
const ds = new databricks.Group("ds", {displayName: "Data Science"});
const automationSp = new databricks.ServicePrincipal("automation_sp", {displayName: "SP_FOR_AUTOMATION"});
const automationSpRuleSet = new databricks.AccessControlRuleSet("automation_sp_rule_set", {
name: pulumi.interpolate`accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default`,
grantRules: [{
principals: [ds.aclPrincipalId],
role: "roles/servicePrincipal.user",
}],
});
import pulumi
import pulumi_databricks as databricks
account_id = "00000000-0000-0000-0000-000000000000"
# account level group creation
ds = databricks.Group("ds", display_name="Data Science")
automation_sp = databricks.ServicePrincipal("automation_sp", display_name="SP_FOR_AUTOMATION")
automation_sp_rule_set = databricks.AccessControlRuleSet("automation_sp_rule_set",
name=automation_sp.application_id.apply(lambda application_id: f"accounts/{account_id}/servicePrincipals/{application_id}/ruleSets/default"),
grant_rules=[{
"principals": [ds.acl_principal_id],
"role": "roles/servicePrincipal.user",
}])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
accountId := "00000000-0000-0000-0000-000000000000"
// account level group creation
ds, err := databricks.NewGroup(ctx, "ds", &databricks.GroupArgs{
DisplayName: pulumi.String("Data Science"),
})
if err != nil {
return err
}
automationSp, err := databricks.NewServicePrincipal(ctx, "automation_sp", &databricks.ServicePrincipalArgs{
DisplayName: pulumi.String("SP_FOR_AUTOMATION"),
})
if err != nil {
return err
}
_, err = databricks.NewAccessControlRuleSet(ctx, "automation_sp_rule_set", &databricks.AccessControlRuleSetArgs{
Name: automationSp.ApplicationId.ApplyT(func(applicationId string) (string, error) {
return fmt.Sprintf("accounts/%v/servicePrincipals/%v/ruleSets/default", accountId, applicationId), nil
}).(pulumi.StringOutput),
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
ds.AclPrincipalId,
},
Role: pulumi.String("roles/servicePrincipal.user"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
var ds = new Databricks.Group("ds", new()
{
DisplayName = "Data Science",
});
var automationSp = new Databricks.ServicePrincipal("automation_sp", new()
{
DisplayName = "SP_FOR_AUTOMATION",
});
var automationSpRuleSet = new Databricks.AccessControlRuleSet("automation_sp_rule_set", new()
{
Name = automationSp.ApplicationId.Apply(applicationId => $"accounts/{accountId}/servicePrincipals/{applicationId}/ruleSets/default"),
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
ds.AclPrincipalId,
},
Role = "roles/servicePrincipal.user",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Group;
import com.pulumi.databricks.GroupArgs;
import com.pulumi.databricks.ServicePrincipal;
import com.pulumi.databricks.ServicePrincipalArgs;
import com.pulumi.databricks.AccessControlRuleSet;
import com.pulumi.databricks.AccessControlRuleSetArgs;
import com.pulumi.databricks.inputs.AccessControlRuleSetGrantRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var accountId = "00000000-0000-0000-0000-000000000000";
// account level group creation
var ds = new Group("ds", GroupArgs.builder()
.displayName("Data Science")
.build());
var automationSp = new ServicePrincipal("automationSp", ServicePrincipalArgs.builder()
.displayName("SP_FOR_AUTOMATION")
.build());
var automationSpRuleSet = new AccessControlRuleSet("automationSpRuleSet", AccessControlRuleSetArgs.builder()
.name(automationSp.applicationId().applyValue(applicationId -> String.format("accounts/%s/servicePrincipals/%s/ruleSets/default", accountId,applicationId)))
.grantRules(AccessControlRuleSetGrantRuleArgs.builder()
.principals(ds.aclPrincipalId())
.role("roles/servicePrincipal.user")
.build())
.build());
}
}
resources:
# account level group creation
ds:
type: databricks:Group
properties:
displayName: Data Science
automationSp:
type: databricks:ServicePrincipal
name: automation_sp
properties:
displayName: SP_FOR_AUTOMATION
automationSpRuleSet:
type: databricks:AccessControlRuleSet
name: automation_sp_rule_set
properties:
name: accounts/${accountId}/servicePrincipals/${automationSp.applicationId}/ruleSets/default
grantRules:
- principals:
- ${ds.aclPrincipalId}
role: roles/servicePrincipal.user
variables:
accountId: 00000000-0000-0000-0000-000000000000
Group rule set usage
Refer to the appropriate provider configuration as shown in the examples for service principal rule set.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const accountId = "00000000-0000-0000-0000-000000000000";
// account level group
const ds = databricks.getGroup({
displayName: "Data Science",
});
const john = databricks.getUser({
userName: "john.doe@example.com",
});
const dsGroupRuleSet = new databricks.AccessControlRuleSet("ds_group_rule_set", {
name: `accounts/${accountId}/groups/${dsDatabricksGroup.id}/ruleSets/default`,
grantRules: [{
principals: [john.then(john => john.aclPrincipalId)],
role: "roles/group.manager",
}],
});
import pulumi
import pulumi_databricks as databricks
account_id = "00000000-0000-0000-0000-000000000000"
# account level group
ds = databricks.get_group(display_name="Data Science")
john = databricks.get_user(user_name="john.doe@example.com")
ds_group_rule_set = databricks.AccessControlRuleSet("ds_group_rule_set",
name=f"accounts/{account_id}/groups/{ds_databricks_group['id']}/ruleSets/default",
grant_rules=[{
"principals": [john.acl_principal_id],
"role": "roles/group.manager",
}])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
accountId := "00000000-0000-0000-0000-000000000000"
// account level group
_, err := databricks.LookupGroup(ctx, &databricks.LookupGroupArgs{
DisplayName: "Data Science",
}, nil)
if err != nil {
return err
}
john, err := databricks.LookupUser(ctx, &databricks.LookupUserArgs{
UserName: pulumi.StringRef("john.doe@example.com"),
}, nil)
if err != nil {
return err
}
_, err = databricks.NewAccessControlRuleSet(ctx, "ds_group_rule_set", &databricks.AccessControlRuleSetArgs{
Name: pulumi.Sprintf("accounts/%v/groups/%v/ruleSets/default", accountId, dsDatabricksGroup.Id),
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
pulumi.String(john.AclPrincipalId),
},
Role: pulumi.String("roles/group.manager"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var accountId = "00000000-0000-0000-0000-000000000000";
// account level group
var ds = Databricks.GetGroup.Invoke(new()
{
DisplayName = "Data Science",
});
var john = Databricks.GetUser.Invoke(new()
{
UserName = "john.doe@example.com",
});
var dsGroupRuleSet = new Databricks.AccessControlRuleSet("ds_group_rule_set", new()
{
Name = $"accounts/{accountId}/groups/{dsDatabricksGroup.Id}/ruleSets/default",
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
john.Apply(getUserResult => getUserResult.AclPrincipalId),
},
Role = "roles/group.manager",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetGroupArgs;
import com.pulumi.databricks.inputs.GetUserArgs;
import com.pulumi.databricks.AccessControlRuleSet;
import com.pulumi.databricks.AccessControlRuleSetArgs;
import com.pulumi.databricks.inputs.AccessControlRuleSetGrantRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var accountId = "00000000-0000-0000-0000-000000000000";
// account level group
final var ds = DatabricksFunctions.getGroup(GetGroupArgs.builder()
.displayName("Data Science")
.build());
final var john = DatabricksFunctions.getUser(GetUserArgs.builder()
.userName("john.doe@example.com")
.build());
var dsGroupRuleSet = new AccessControlRuleSet("dsGroupRuleSet", AccessControlRuleSetArgs.builder()
.name(String.format("accounts/%s/groups/%s/ruleSets/default", accountId,dsDatabricksGroup.id()))
.grantRules(AccessControlRuleSetGrantRuleArgs.builder()
.principals(john.applyValue(getUserResult -> getUserResult.aclPrincipalId()))
.role("roles/group.manager")
.build())
.build());
}
}
resources:
dsGroupRuleSet:
type: databricks:AccessControlRuleSet
name: ds_group_rule_set
properties:
name: accounts/${accountId}/groups/${dsDatabricksGroup.id}/ruleSets/default
grantRules:
- principals:
- ${john.aclPrincipalId}
role: roles/group.manager
variables:
accountId: 00000000-0000-0000-0000-000000000000
# account level group
ds:
fn::invoke:
Function: databricks:getGroup
Arguments:
displayName: Data Science
john:
fn::invoke:
Function: databricks:getUser
Arguments:
userName: john.doe@example.com
Account rule set usage
Refer to the appropriate provider configuration as shown in the examples for service principal rule set.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const accountId = "00000000-0000-0000-0000-000000000000";
// account level group
const ds = databricks.getGroup({
displayName: "Data Science",
});
// account level group
const marketplaceAdmins = databricks.getGroup({
displayName: "Marketplace Admins",
});
const john = databricks.getUser({
userName: "john.doe@example.com",
});
const accountRuleSet = new databricks.AccessControlRuleSet("account_rule_set", {
name: `accounts/${accountId}/ruleSets/default`,
grantRules: [
{
principals: [john.then(john => john.aclPrincipalId)],
role: "roles/group.manager",
},
{
principals: [ds.then(ds => ds.aclPrincipalId)],
role: "roles/servicePrincipal.manager",
},
{
principals: [marketplaceAdmins.then(marketplaceAdmins => marketplaceAdmins.aclPrincipalId)],
role: "roles/marketplace.admin",
},
],
});
import pulumi
import pulumi_databricks as databricks
account_id = "00000000-0000-0000-0000-000000000000"
# account level group
ds = databricks.get_group(display_name="Data Science")
# account level group
marketplace_admins = databricks.get_group(display_name="Marketplace Admins")
john = databricks.get_user(user_name="john.doe@example.com")
account_rule_set = databricks.AccessControlRuleSet("account_rule_set",
name=f"accounts/{account_id}/ruleSets/default",
grant_rules=[
{
"principals": [john.acl_principal_id],
"role": "roles/group.manager",
},
{
"principals": [ds.acl_principal_id],
"role": "roles/servicePrincipal.manager",
},
{
"principals": [marketplace_admins.acl_principal_id],
"role": "roles/marketplace.admin",
},
])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
accountId := "00000000-0000-0000-0000-000000000000"
// account level group
ds, err := databricks.LookupGroup(ctx, &databricks.LookupGroupArgs{
DisplayName: "Data Science",
}, nil)
if err != nil {
return err
}
// account level group
marketplaceAdmins, err := databricks.LookupGroup(ctx, &databricks.LookupGroupArgs{
DisplayName: "Marketplace Admins",
}, nil)
if err != nil {
return err
}
john, err := databricks.LookupUser(ctx, &databricks.LookupUserArgs{
UserName: pulumi.StringRef("john.doe@example.com"),
}, nil)
if err != nil {
return err
}
_, err = databricks.NewAccessControlRuleSet(ctx, "account_rule_set", &databricks.AccessControlRuleSetArgs{
Name: pulumi.Sprintf("accounts/%v/ruleSets/default", accountId),
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
pulumi.String(john.AclPrincipalId),
},
Role: pulumi.String("roles/group.manager"),
},
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
pulumi.String(ds.AclPrincipalId),
},
Role: pulumi.String("roles/servicePrincipal.manager"),
},
&databricks.AccessControlRuleSetGrantRuleArgs{
Principals: pulumi.StringArray{
pulumi.String(marketplaceAdmins.AclPrincipalId),
},
Role: pulumi.String("roles/marketplace.admin"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var accountId = "00000000-0000-0000-0000-000000000000";
// account level group
var ds = Databricks.GetGroup.Invoke(new()
{
DisplayName = "Data Science",
});
// account level group
var marketplaceAdmins = Databricks.GetGroup.Invoke(new()
{
DisplayName = "Marketplace Admins",
});
var john = Databricks.GetUser.Invoke(new()
{
UserName = "john.doe@example.com",
});
var accountRuleSet = new Databricks.AccessControlRuleSet("account_rule_set", new()
{
Name = $"accounts/{accountId}/ruleSets/default",
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
john.Apply(getUserResult => getUserResult.AclPrincipalId),
},
Role = "roles/group.manager",
},
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
ds.Apply(getGroupResult => getGroupResult.AclPrincipalId),
},
Role = "roles/servicePrincipal.manager",
},
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Principals = new[]
{
marketplaceAdmins.Apply(getGroupResult => getGroupResult.AclPrincipalId),
},
Role = "roles/marketplace.admin",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetGroupArgs;
import com.pulumi.databricks.inputs.GetUserArgs;
import com.pulumi.databricks.AccessControlRuleSet;
import com.pulumi.databricks.AccessControlRuleSetArgs;
import com.pulumi.databricks.inputs.AccessControlRuleSetGrantRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var accountId = "00000000-0000-0000-0000-000000000000";
// account level group
final var ds = DatabricksFunctions.getGroup(GetGroupArgs.builder()
.displayName("Data Science")
.build());
// account level group
final var marketplaceAdmins = DatabricksFunctions.getGroup(GetGroupArgs.builder()
.displayName("Marketplace Admins")
.build());
final var john = DatabricksFunctions.getUser(GetUserArgs.builder()
.userName("john.doe@example.com")
.build());
var accountRuleSet = new AccessControlRuleSet("accountRuleSet", AccessControlRuleSetArgs.builder()
.name(String.format("accounts/%s/ruleSets/default", accountId))
.grantRules(
AccessControlRuleSetGrantRuleArgs.builder()
.principals(john.applyValue(getUserResult -> getUserResult.aclPrincipalId()))
.role("roles/group.manager")
.build(),
AccessControlRuleSetGrantRuleArgs.builder()
.principals(ds.applyValue(getGroupResult -> getGroupResult.aclPrincipalId()))
.role("roles/servicePrincipal.manager")
.build(),
AccessControlRuleSetGrantRuleArgs.builder()
.principals(marketplaceAdmins.applyValue(getGroupResult -> getGroupResult.aclPrincipalId()))
.role("roles/marketplace.admin")
.build())
.build());
}
}
resources:
accountRuleSet:
type: databricks:AccessControlRuleSet
name: account_rule_set
properties:
name: accounts/${accountId}/ruleSets/default
grantRules:
- principals:
- ${john.aclPrincipalId}
role: roles/group.manager
- principals:
- ${ds.aclPrincipalId}
role: roles/servicePrincipal.manager
- principals:
- ${marketplaceAdmins.aclPrincipalId}
role: roles/marketplace.admin
variables:
accountId: 00000000-0000-0000-0000-000000000000
# account level group
ds:
fn::invoke:
Function: databricks:getGroup
Arguments:
displayName: Data Science
# account level group
marketplaceAdmins:
fn::invoke:
Function: databricks:getGroup
Arguments:
displayName: Marketplace Admins
john:
fn::invoke:
Function: databricks:getUser
Arguments:
userName: john.doe@example.com
Related Resources
The following resources are often used in the same context:
- databricks.Group
- databricks.User
- databricks.ServicePrincipal
Create AccessControlRuleSet Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AccessControlRuleSet(name: string, args?: AccessControlRuleSetArgs, opts?: CustomResourceOptions);@overload
def AccessControlRuleSet(resource_name: str,
args: Optional[AccessControlRuleSetArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def AccessControlRuleSet(resource_name: str,
opts: Optional[ResourceOptions] = None,
grant_rules: Optional[Sequence[AccessControlRuleSetGrantRuleArgs]] = None,
name: Optional[str] = None)func NewAccessControlRuleSet(ctx *Context, name string, args *AccessControlRuleSetArgs, opts ...ResourceOption) (*AccessControlRuleSet, error)public AccessControlRuleSet(string name, AccessControlRuleSetArgs? args = null, CustomResourceOptions? opts = null)
public AccessControlRuleSet(String name, AccessControlRuleSetArgs args)
public AccessControlRuleSet(String name, AccessControlRuleSetArgs args, CustomResourceOptions options)
type: databricks:AccessControlRuleSet
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AccessControlRuleSetArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AccessControlRuleSetArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AccessControlRuleSetArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AccessControlRuleSetArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AccessControlRuleSetArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var accessControlRuleSetResource = new Databricks.AccessControlRuleSet("accessControlRuleSetResource", new()
{
GrantRules = new[]
{
new Databricks.Inputs.AccessControlRuleSetGrantRuleArgs
{
Role = "string",
Principals = new[]
{
"string",
},
},
},
Name = "string",
});
example, err := databricks.NewAccessControlRuleSet(ctx, "accessControlRuleSetResource", &databricks.AccessControlRuleSetArgs{
GrantRules: databricks.AccessControlRuleSetGrantRuleArray{
&databricks.AccessControlRuleSetGrantRuleArgs{
Role: pulumi.String("string"),
Principals: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Name: pulumi.String("string"),
})
var accessControlRuleSetResource = new AccessControlRuleSet("accessControlRuleSetResource", AccessControlRuleSetArgs.builder()
.grantRules(AccessControlRuleSetGrantRuleArgs.builder()
.role("string")
.principals("string")
.build())
.name("string")
.build());
access_control_rule_set_resource = databricks.AccessControlRuleSet("accessControlRuleSetResource",
grant_rules=[{
"role": "string",
"principals": ["string"],
}],
name="string")
const accessControlRuleSetResource = new databricks.AccessControlRuleSet("accessControlRuleSetResource", {
grantRules: [{
role: "string",
principals: ["string"],
}],
name: "string",
});
type: databricks:AccessControlRuleSet
properties:
grantRules:
- principals:
- string
role: string
name: string
AccessControlRuleSet Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AccessControlRuleSet resource accepts the following input properties:
- Grant
Rules List<AccessControl Rule Set Grant Rule> The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- Name string
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- Grant
Rules []AccessControl Rule Set Grant Rule Args The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- Name string
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- grant
Rules List<AccessControl Rule Set Grant Rule> The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name String
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- grant
Rules AccessControl Rule Set Grant Rule[] The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name string
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- grant_
rules Sequence[AccessControl Rule Set Grant Rule Args] The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name str
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- grant
Rules List<Property Map> The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name String
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
Outputs
All input properties are implicitly available as output properties. Additionally, the AccessControlRuleSet resource produces the following output properties:
Look up Existing AccessControlRuleSet Resource
Get an existing AccessControlRuleSet resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AccessControlRuleSetState, opts?: CustomResourceOptions): AccessControlRuleSet@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
etag: Optional[str] = None,
grant_rules: Optional[Sequence[AccessControlRuleSetGrantRuleArgs]] = None,
name: Optional[str] = None) -> AccessControlRuleSetfunc GetAccessControlRuleSet(ctx *Context, name string, id IDInput, state *AccessControlRuleSetState, opts ...ResourceOption) (*AccessControlRuleSet, error)public static AccessControlRuleSet Get(string name, Input<string> id, AccessControlRuleSetState? state, CustomResourceOptions? opts = null)public static AccessControlRuleSet get(String name, Output<String> id, AccessControlRuleSetState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Etag string
- Grant
Rules List<AccessControl Rule Set Grant Rule> The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- Name string
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- Etag string
- Grant
Rules []AccessControl Rule Set Grant Rule Args The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- Name string
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- etag String
- grant
Rules List<AccessControl Rule Set Grant Rule> The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name String
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- etag string
- grant
Rules AccessControl Rule Set Grant Rule[] The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name string
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- etag str
- grant_
rules Sequence[AccessControl Rule Set Grant Rule Args] The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name str
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
- etag String
- grant
Rules List<Property Map> The access control rules to be granted by this rule set, consisting of a set of principals and roles to be granted to them.
!> Warning Name uniquely identifies a rule set resource. Ensure all the grant_rules blocks for a rule set name are present in one
databricks.AccessControlRuleSetresource block. Otherwise, after applying changes, users might lose their role assignment even if that was not intended.- name String
- Unique identifier of a rule set. The name determines the resource to which the rule set applies. Currently, only default rule sets are supported. The following rule set formats are supported:
accounts/{account_id}/servicePrincipals/{service_principal_application_id}/ruleSets/defaultaccounts/{account_id}/groups/{group_id}/ruleSets/defaultaccounts/{account_id}/ruleSets/default
Supporting Types
AccessControlRuleSetGrantRule, AccessControlRuleSetGrantRuleArgs
- Role string
- Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager- Manager of a service principal.roles/servicePrincipal.user- User of a service principal.roles/group.manager- Manager of a group.roles/marketplace.admin- Admin of marketplace.
- Principals List<string>
- a list of principals who are granted a role. The following format is supported:
users/{username}(also exposed asacl_principal_idattribute ofdatabricks.Userresource).groups/{groupname}(also exposed asacl_principal_idattribute ofdatabricks.Groupresource).servicePrincipals/{applicationId}(also exposed asacl_principal_idattribute ofdatabricks.ServicePrincipalresource).
- Role string
- Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager- Manager of a service principal.roles/servicePrincipal.user- User of a service principal.roles/group.manager- Manager of a group.roles/marketplace.admin- Admin of marketplace.
- Principals []string
- a list of principals who are granted a role. The following format is supported:
users/{username}(also exposed asacl_principal_idattribute ofdatabricks.Userresource).groups/{groupname}(also exposed asacl_principal_idattribute ofdatabricks.Groupresource).servicePrincipals/{applicationId}(also exposed asacl_principal_idattribute ofdatabricks.ServicePrincipalresource).
- role String
- Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager- Manager of a service principal.roles/servicePrincipal.user- User of a service principal.roles/group.manager- Manager of a group.roles/marketplace.admin- Admin of marketplace.
- principals List<String>
- a list of principals who are granted a role. The following format is supported:
users/{username}(also exposed asacl_principal_idattribute ofdatabricks.Userresource).groups/{groupname}(also exposed asacl_principal_idattribute ofdatabricks.Groupresource).servicePrincipals/{applicationId}(also exposed asacl_principal_idattribute ofdatabricks.ServicePrincipalresource).
- role string
- Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager- Manager of a service principal.roles/servicePrincipal.user- User of a service principal.roles/group.manager- Manager of a group.roles/marketplace.admin- Admin of marketplace.
- principals string[]
- a list of principals who are granted a role. The following format is supported:
users/{username}(also exposed asacl_principal_idattribute ofdatabricks.Userresource).groups/{groupname}(also exposed asacl_principal_idattribute ofdatabricks.Groupresource).servicePrincipals/{applicationId}(also exposed asacl_principal_idattribute ofdatabricks.ServicePrincipalresource).
- role str
- Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager- Manager of a service principal.roles/servicePrincipal.user- User of a service principal.roles/group.manager- Manager of a group.roles/marketplace.admin- Admin of marketplace.
- principals Sequence[str]
- a list of principals who are granted a role. The following format is supported:
users/{username}(also exposed asacl_principal_idattribute ofdatabricks.Userresource).groups/{groupname}(also exposed asacl_principal_idattribute ofdatabricks.Groupresource).servicePrincipals/{applicationId}(also exposed asacl_principal_idattribute ofdatabricks.ServicePrincipalresource).
- role String
- Role to be granted. The supported roles are listed below. For more information about these roles, refer to service principal roles, group roles or marketplace roles.
roles/servicePrincipal.manager- Manager of a service principal.roles/servicePrincipal.user- User of a service principal.roles/group.manager- Manager of a group.roles/marketplace.admin- Admin of marketplace.
- principals List<String>
- a list of principals who are granted a role. The following format is supported:
users/{username}(also exposed asacl_principal_idattribute ofdatabricks.Userresource).groups/{groupname}(also exposed asacl_principal_idattribute ofdatabricks.Groupresource).servicePrincipals/{applicationId}(also exposed asacl_principal_idattribute ofdatabricks.ServicePrincipalresource).
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
databricksTerraform Provider.