Databricks

With Opal's integration with Databricks:

Users can request time-bound access to your Databricks groups.
Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Duo groups.
Admins can add resources from other Opal integrations to an Databricks group so a Databricks group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
All access changes are tracked in as events that you can log to Slack or export to your favorite tools.

Supported resources

You can import the following from Databricks:

You can add Databricks users and service principals to groups.

The Databricks integration does not support managing identities at the workspace level, based on Databricks' guidelines for identity federation.

To set up the Databricks integration, you must:

First, create a service principal in Databricks and create an OAuth secret for it:

Add a Databricks service principal.
Assign the service principal the Account admin role.
Create an OAuth secret for this service principal. Select Generate secret and specify any lifetime. You have to rotate this when it expires, so you might want to choose a long expiration. By default, secrets refresh every 2 years.
Save the Secret and Client ID, which you'll use in the next step.

You'll also need the following from Databricks:

Account Login URL. Use the base URL you use to log in to Databricks. For example, https://accounts.cloud.databricks.com.
Account ID. Retrieve this from your avatar in the top left corner of Databricks.

Go to Inventory > + App and find the Databricks integration. Give the integration a name, admin, description, and specify its visibility.

Enter the Account Login URL, Account ID, Client ID, and Client secret fields from the previous step, then select Save.

In the Inventory in the Databricks app, select ... > Import items to add your Databricks resources to Opal.

You can now manage access to Databricks resources in Opal.