Databricks gives you no native way to answer "what can this identity access across all my workspaces?" — this tool does.
Community tool — not affiliated with or endorsed by Databricks, Inc.
The Account Console shows you one workspace at a time. INFORMATION_SCHEMA shows you one metastore at a time. Neither resolves nested group memberships. Neither tells you whether a personal grant duplicates what the group already provides.
databricks-access-audit answers cross-workspace access questions in one command, across every workspace in your account at once.
| Mode | Command | Question it answers |
|---|---|---|
| Principal audit | `--principal "alice@company.com"` | What can this user / SP / group access across every workspace? |
| Group audit | `--group "data-engineers"` | What does this group access? Who has redundant personal grants? |
| Resource audit | `--resource "main"` | Who has access to this catalog / schema / table / workspace? |
| Compare | `--compare "alice@company.com" "bob@company.com"` | Which groups does Alice have that Bob doesn't? |
| Access provisioning | `--clone-from "alice@company.com" --to "bob@company.com"` | How do I give Bob the same access as Alice? |

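
To make the two gaps named above concrete (nested group resolution and personal grants that duplicate a group grant), here is an added sketch that is not taken from databricks-access-audit's code. The membership map, grant tuples and function names are constructed for illustration, and redundancy is assumed to mean an exact securable and privilege match; inheritance from a catalog down to its schemas is not modelled.

```python
from collections import deque

# Constructed sample data (not from any real account): direct memberships
# (member -> parent groups) and grants as (principal, securable, privilege).
MEMBER_OF = {
    "alice@company.com": {"etl-team"},
    "etl-team": {"data-engineers"},
    "data-engineers": {"all-staff", "etl-team"},  # membership cycle on purpose
}
GRANTS = [
    ("alice@company.com", "main.sales", "SELECT"),
    ("alice@company.com", "main.hr", "SELECT"),
    ("data-engineers", "main.sales", "SELECT"),
    ("all-staff", "main", "USE CATALOG"),
]

def effective_groups(principal, member_of):
    """Return every group reached through direct or nested membership."""
    seen, queue = set(), deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded; this also stops cycles
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen

def audit(principal, member_of, grants):
    """Split a principal's access into inherited, direct-only and redundant."""
    groups = effective_groups(principal, member_of)
    inherited = {}                 # (securable, privilege) -> granting groups
    for who, securable, privilege in grants:
        if who in groups:
            inherited.setdefault((securable, privilege), set()).add(who)
    direct = {(s, p) for who, s, p in grants if who == principal}
    return {
        "groups": groups,
        "inherited": inherited,
        "redundant": {g: inherited[g] for g in direct if g in inherited},
        "direct_only": direct - set(inherited),
    }

if __name__ == "__main__":
    report = audit("alice@company.com", MEMBER_OF, GRANTS)
    for (securable, privilege), via in sorted(report["redundant"].items()):
        print(f"redundant: {privilege} on {securable} (already via {sorted(via)})")
    for securable, privilege in sorted(report["direct_only"]):
        print(f"direct only: {privilege} on {securable}")
```

The `direct_only` set is what survives if the principal is removed from every group, which makes it the part of an offboarding or access review that group cleanup alone will not cover.
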
```bash
pip install "databricks-access-audit[sdk]"
```

Add credentials to `~/.databrickscfg` and run:

```bash
databricks-access-audit --principal "alice@company.com"
databricks-access-audit --group "data-engineers" --revoke-script
databricks-access-audit --resource "main" --output html > main_access.html
```

https://lukaleet.github.io/databricks-access-audit

- Getting Started — install, credentials, first audit
- Capabilities — how each feature works
- Use Cases — offboarding, onboarding, access review, incident response, compliance
- CLI Reference — every flag documented
- Troubleshooting — common issues and fixes
Developed and live-tested against Azure Databricks with Unity Catalog. AWS and GCP code paths exist but haven't been confirmed against real accounts yet.
If you run this on AWS, GCP, a large multi-workspace account, or with Okta/AWS SSO as your IdP — open an issue and let us know what works and what doesn't. Every environment report improves the tool.
```bash
pip install -e ".[sdk,dev]"
pytest  # 570 tests, no real Databricks connection required
ruff check .
```

Apache 2.0 — see LICENSE.