Cross-workspace access visibility for Databricks — audit who can reach what across every workspace in your account.
Project description
databricks-access-audit
Databricks gives you no native way to answer "what can this identity access across all my workspaces?" — this tool does.
The Account Console shows you one workspace at a time. INFORMATION_SCHEMA shows you one metastore at a time. Neither resolves nested group memberships. Neither tells you whether a personal grant duplicates what the group already provides.
databricks-access-audit answers cross-workspace access questions in one command, across every workspace in your account at once.
Five modes
| Mode | Command | Question it answers |
|---|---|---|
| Principal audit | --principal "alice@company.com" |
What can this user / SP / group access across every workspace? |
| Group audit | --group "data-engineers" |
What does this group access? Who has redundant personal grants? |
| Resource audit | --resource "main" |
Who has access to this catalog / schema / table / workspace? |
| Compare | --compare "alice@company.com" "bob@company.com" |
Which groups does Alice have that Bob doesn't? |
| Access provisioning | --clone-from "alice@company.com" --to "bob@company.com" |
How do I give Bob the same access as Alice? |
Install
pip install "databricks-access-audit[sdk]"
Add credentials to ~/.databrickscfg and run:
databricks-access-audit --principal "alice@company.com"
databricks-access-audit --group "data-engineers" --revoke-script
databricks-access-audit --resource "main" --output html > main_access.html
Documentation
https://lukaleet.github.io/databricks-access-audit
- Getting Started — install, credentials, first audit
- Capabilities — how each feature works
- Use Cases — offboarding, onboarding, access review, incident response, compliance
- CLI Reference — every flag documented
- Troubleshooting — common issues and fixes
Tested environments
Developed and live-tested against Azure Databricks with Unity Catalog. AWS and GCP code paths exist but haven't been confirmed against real accounts yet.
If you run this on AWS, GCP, a large multi-workspace account, or with Okta/AWS SSO as your IdP — open an issue and let us know what works and what doesn't. Every environment report improves the tool.
Development
pip install -e ".[sdk,dev]"
pytest # 570 tests, no real Databricks connection required
ruff check .
License
Apache 2.0 — see LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file databricks_access_audit-0.19.0.tar.gz.
File metadata
- Download URL: databricks_access_audit-0.19.0.tar.gz
- Upload date:
- Size: 147.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
73d2c0786db2ec794c00f2a26bcae818081c5b5239b48b95b64ff5045cd9279c
|
|
| MD5 |
4be44399cc26bf2813803f6e8f5d0dea
|
|
| BLAKE2b-256 |
9854602a9a366b2ad849c57186e4b6f6c9df577ad95ffb1dbbe084a463b6f2bf
|
File details
Details for the file databricks_access_audit-0.19.0-py3-none-any.whl.
File metadata
- Download URL: databricks_access_audit-0.19.0-py3-none-any.whl
- Upload date:
- Size: 111.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c9ead40672885bb95c6d29bd0953e01dbe2224e334e08fe7087abe7b42f4fc79
|
|
| MD5 |
3f6c67486d17d4d374f48cdbd589444e
|
|
| BLAKE2b-256 |
06cbaea3ab329816338e45755708a19c745fdadc40619f70409ed138ae11334d
|
