If you are deploying Databricks at scale, you should be aware of the following change. Databricks is changing the default entitlements for workspaces: the users group will no longer have any entitlements by default! I believe this is a good change, supporting the least-privilege security model better. However, it has some impact, since:
⚠️ No entitlements = no permissions = not able to work.
You can opt in from June 15, and the new behavior will be enforced on September 14, so you should prepare for it.
After the change:
• The users group will have no entitlements. The admins group will have all workspace entitlements. Both groups’ entitlements are locked.
• New principals must be granted entitlements explicitly when they are added to a workspace.
• The users and admins groups cannot be nested as members of other groups.
According to Databricks, the following actions are required:
• If you manage system group entitlements through automation (Terraform, workspace SCIM APIs, or custom scripts), update your workflows to target standard account groups, not system groups. After the new behavior is enabled, attempts to modify system group entitlements will fail.
• If the users or admins group is nested as a member of another group, remove the nesting. Nesting is not permitted under the new behavior.
• If your SCIM sync deletes workspace groups it doesn’t recognize, update its configuration to preserve the migration clone group (users-clone-<TIMESTAMP>). If the sync removes the clone group, the principals migrated to it lose their entitlements.
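The three preparation steps above can be checked before the cutover with a small readiness script. The following is an added example written for this post, not code from Databricks or from the original post: it works on a constructed SCIM group listing (the same shape the workspace SCIM Groups API returns, with displayName and members[].display), flags nesting of the users or admins system groups, refuses to build an entitlement PATCH for a system group, and reports which clone groups a "delete unknown groups" SCIM sync would remove. The entitlement names and the SCIM PatchOp body shape are those of the Databricks SCIM API; the clone-group timestamp is assumed to be digits, and function names, group names and IDs are hypothetical.

```python
from __future__ import annotations

import re
from typing import Iterable

# Workspace system groups whose entitlements are locked under the new behavior.
SYSTEM_GROUPS = {"users", "admins"}

# Entitlement identifiers accepted by the Databricks SCIM Groups API.
VALID_ENTITLEMENTS = {
    "workspace-access",
    "databricks-sql-access",
    "allow-cluster-create",
    "allow-instance-pool-create",
}

# Migration clone group: only the "users-clone-" prefix is documented; the
# timestamp being all digits is an assumption of this example.
CLONE_GROUP_RE = re.compile(r"^users-clone-[0-9]+$")

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample listing in SCIM Groups shape (hypothetical names/IDs).
SAMPLE_GROUPS = [
    {"id": "1", "displayName": "users",
     "members": [{"display": "alice@example.com"}]},
    {"id": "2", "displayName": "admins",
     "members": [{"display": "bob@example.com"}]},
    {"id": "3", "displayName": "data-engineers",
     "members": [{"display": "users"}, {"display": "carol@example.com"}]},
    {"id": "4", "displayName": "users-clone-1718409600",
     "members": [{"display": "alice@example.com"}]},
]

# Groups a hypothetical SCIM sync knows about; anything else it would delete.
SYNC_KNOWN_GROUPS = {"users", "admins", "data-engineers"}


def find_system_group_nesting(groups: list[dict]) -> list[tuple[str, str]]:
    """Return (parent, child) pairs where users or admins is a member of another group."""
    findings = []
    for g in groups:
        for member in g.get("members", []):
            child = member.get("display", "")
            if child in SYSTEM_GROUPS:
                findings.append((g["displayName"], child))
    return findings


def build_entitlement_patch(group_name: str, entitlements: Iterable[str]) -> dict:
    """Build the SCIM PATCH body that grants entitlements to a standard group.

    Raises for system groups, mirroring the new behavior in which such
    PATCH requests fail, so automation targets account groups instead.
    """
    if group_name in SYSTEM_GROUPS:
        raise ValueError(
            f"{group_name!r} is a system group; target a standard account group")
    wanted = set(entitlements)
    unknown = wanted - VALID_ENTITLEMENTS
    if unknown:
        raise ValueError(f"unknown entitlements: {sorted(unknown)}")
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{
            "op": "add",
            "path": "entitlements",
            "value": [{"value": e} for e in sorted(wanted)],
        }],
    }


def clone_groups_at_risk(groups: list[dict], sync_known: set[str]) -> list[str]:
    """Clone groups the sync does not recognize and would therefore delete."""
    return sorted(
        g["displayName"] for g in groups
        if CLONE_GROUP_RE.match(g["displayName"]) and g["displayName"] not in sync_known
    )


if __name__ == "__main__":
    print("nesting:", find_system_group_nesting(SAMPLE_GROUPS))
    print("clone groups at risk:", clone_groups_at_risk(SAMPLE_GROUPS, SYNC_KNOWN_GROUPS))
    print("patch:", build_entitlement_patch(
        "data-engineers", ["workspace-access", "databricks-sql-access"]))
```

Run it against a real listing by replacing SAMPLE_GROUPS with the JSON returned by GET /api/2.0/preview/scim/v2/Groups and SYNC_KNOWN_GROUPS with the group set your identity provider pushes; any nesting finding or at-risk clone group is something to fix before the enforcement date.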
Timeline
• June 15, 2026: Opt-in available in workspace settings under Advanced > Access control.
• July 27, 2026: Auto-enabled for workspaces that haven’t opted in or out. Opt-out remains available.
• September 14, 2026: New behavior enforced for all workspaces. Opt-out removed.
• Check the official message here: https://lnkd.in/evqkb86h
#databricks #security #leastprivileged #unitycatalog

For the original LinkedIn post, click here.