Once you’ve successfully installed Lakehouse Optimizer and you have your LHO admin user working, then it’s time to add new users to LHO.
Let’s assume we want to grant access to 👩💻 Angela to login and use LHO.
Active Directory authentication is configured automatically on installation.
For more details, please refer to the following related articles:
First step is to add 👩💻 Angela as use of the managed application used by LHO.
How to add rights to a user to access LHO via AD auth
(1.) Copy the “Client ID” used by the service principal of LHO
You can find the Client ID of the environment on the Settings page // Provisioning & Permissions and scroll down to the bottom of the page where you can find this information in the “Service Principal” panel under the “Client Id” label.
.png?version=1&modificationDate=1705075693204&cacheVersion=1&api=v2&width=760 "Blueprint Lakehouse Optimizer Documentation > How to Add New Users for LHO on Azure > image (73).png")
(2.) Open Microsoft Entra >
search for “Microsoft Entra”
(3.) Navigate to App Registrations >
(4.) Search all applications for “client id of the environment” >
Click on the name of application you found.
(5) Manage application
in the top right section, click on the name of the application
click on the value of the label “Managed application in local directory”
you need to be owner of the app in order to add users
.png?version=1&modificationDate=1705075700023&cacheVersion=1&api=v2&width=760 "Blueprint Lakehouse Optimizer Documentation > How to Add New Users for LHO on Azure > image (74).png")
This action will open the following view:
(6) Check Assignment Required
.png?version=1&modificationDate=1705075708288&cacheVersion=1&api=v2&width=760 "Blueprint Lakehouse Optimizer Documentation > How to Add New Users for LHO on Azure > image (75).png")
Based on how the Service Principal was configured, if the “Assigned required?” is set to “Yes”, then you will have to manually add user Angela to this app.
Please proceed to the following step
(6) Add user
click on the left navigation pane on “Users and groups”, or
click on “Assign users and groups”
click on “Add user/group”
click on “Users and groups” and search for user and select user
click on “select a role” and select from the right section which role you want to assign
for more information regarding LHO roles, please refer to
all LHO users have as default access “LHO User” (Default Access)
.png?version=1&modificationDate=1705075716096&cacheVersion=1&api=v2&width=760 "Blueprint Lakehouse Optimizer Documentation > How to Add New Users for LHO on Azure > image (76).png")
If there are NO roles defined in the Service Principal App, then any signed in user in LHO is considered LHO Admin. |
Once the previous section is complete, Angela is now able to successfully long to LHO via Active Directory authentication.
However, she still cannot see anything yet in LHO.
The second step is to grant reading rights for Angela in the Azure Subscription(s).
Once this section is complete, Angela will be able
to read all (published LHO) Databricks workspaces in a particular Subscription
to see the name of the Databricks workspaces, but not the content of the workspaces (ie. listing workloads)
(1) Open Azure Portal and navigate to Subscriptions
(2) Select Subscription
(3) Select Access control (IAM)
(4) Add Role Assignment
Depending on your configuration, you can either add a Custom Role or a generic Default Reader Role.
For example, BplmDatabricksReader is a custom role configured to provide only “List workspaces” rights for Databricks, while Reader role is a prebuilt role to provide read-only rights.
(5) Select Role BplmDatabricksReader
click Next
(6) Select members
(7) Review + Assign
Once this section is complete, Angela will be able to see the names of all Databricks Workspaces that are published in LHO for the selected subscription in which she was just added. |
listing workloads
listing clusters
listing assets defined in Databricks
