Problem
You want to manually activate or deactivate a user in your Databricks account as an account admin.
Cause
Databricks recommends managing user state via your identity provider, however there may be certain scenarios where this is not possible.
Solution
As account admin
To manually activate or deactivate a user you can use the Update user details (AWS | Azure | GCP) account API endpoint. The API call updates the user information depending on the data values provided in the header.
PATCH /api/2.0/accounts/<account-id>/scim/v2/Users/<user-id>
-
<account-id>is your Databricks account id. -
<user-id>is the user id for the user you want to activate or deactivate.
You need an OAuth token to use the account level API. Review the Manage users using the API (AWS | Azure | GCP) documentation for more details.
Step-by-step instructions
- Create a service principal (AWS | Azure | GCP) in the account console.
- Create an OAuth secret for a service principal (AWS | Azure | GCP).
- Use the service principal information to manually generate an account-level OAuth token (AWS | Azure | GCP).
- Retrieve the user ID you want to deactivate or activate. You can do this by using the List users (AWS | Azure | GCP) account level API endpoint.
Info
Alternatively, you can also get a user ID via the account console UI:
- Log on to the account console.
- Click User Management.
- Click Users.
- Enter the user name or email in the Filter Users box and click the search icon.
- Click the user name.
- In the browser URL you should see something like this:
<account-console-url>/user-management/users/<user-id>?account_id=<account-id>
- The user ID is a 16 digit number. For example, 1234567890123456.
The account console URL differs based on your cloud provider.
- Replace the
<account-console-url>,<account-id>,<user-id>, and<token>(OAuth token) values in the example code. - If you want to activate a user, replace
<true-or-false>with true. If you want to deactivate a user, replace<true-or-false>with false. - Run the code in a notebook.
Example code
This example code uses an account ID, a user ID, and an OAuth token to call the Users API endpoint and activate or deactivate a user.
%sh
# Set up the environment variables
export ACCOUNT_CONSOLE="<account-console-url>"
export OAUTH_TOKEN="<token>"
export ACCOUNT_ID=”<account-id>”
curl --request PATCH "${ACCOUNT_CONSOLE}/api/2.0/accounts/${ACCOUNT_ID}/scim/v2/Users/<user-id>” \
--header "Authorization: Bearer ${OAUTH_TOKEN}" \
--header "Content-Type: application/json" \
--data '{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "active",
"value": <true-or-false>
}
]
}'
As workspace admin
A workspace admin can activate or deactivate users at the account level via a designated API.
Example code
This example code uses a user ID to call the Update user details (AWS | Azure | GCP) workspace API endpoint and activate or deactivate a user. The token is inherited from the workspace.
You must replace <user-id> with the user ID and replace <true-or-false> with true if you want to activate a user or false if you want to deactivate a user.
Info
Activating or deactivating user accounts via this workspace API federates the identity information to the account.
%sh
# Set up the environment variables
export DATABRICKS_WORKSPACE=""
export WORKSPACE_PAT=""
# Perform the API call
curl --request PATCH "${DATABRICKS_WORKSPACE}/api/2.0/account/scim/v2/Users/<user-id>” \
--header "Authorization: Bearer ${WORKSPACE_PAT}" \
--header "Content-Type: application/scim+json" \
--data '{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "active",
"value": <action>
}
]
}'