Security and Architecture

The Lakehouse Optimizer service VM and its resources (Azure SQL Database, Azure Storage/Tables, Azure Key Vault) are deployed in a resource group in any subscription, ideally in the same region as the Databricks workspaces it monitors.

Access from LHO to the monitored Dbx workspaces requires a Service Principal with the following permissions:

  1. Billing Reader in each subscription that contains Dbx workspaces to be monitored (for cost data)

  2. Admin permission in each workspace to be monitored (alternatively, a custom role that allows read-only access to all entities in the Dbx workspace; Blueprint can provide a script to be executed daily)
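A least-privilege check for the first permission above, written for this page as an added example (it is not Blueprint's or Lakehouse Optimizer's own code): it takes the role assignments of the service principal and verifies that it holds Billing Reader on exactly the subscriptions hosting monitored workspaces, flagging any other role, any assignment at a scope other than a single subscription (for example a management group, which would cover subscriptions LHO does not monitor), and any monitored subscription with no assignment. The input shape mirrors the JSON that `az role assignment list --assignee <appId> --all -o json` returns; only the `roleDefinitionName` and `scope` fields are relied on, and the assignments and subscription IDs below are constructed sample data.

```python
"""Offline audit of the LHO service principal's Azure RBAC assignments.

Expectation: Billing Reader on exactly the subscriptions that host monitored
Databricks workspaces, and nothing else. The input shape mirrors the output of
`az role assignment list --assignee <appId> --all -o json` (assumption: only
roleDefinitionName and scope are used).
"""
from __future__ import annotations

import re

# A scope that is exactly one subscription, e.g. /subscriptions/<guid>.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)

# Constructed sample data; these are not real subscription IDs.
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
MONITORED_SUBSCRIPTIONS = {SUB_A, SUB_B}

SAMPLE_ASSIGNMENTS = [
    # Correct: Billing Reader scoped to a monitored subscription.
    {"principalName": "lho-monitor", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Billing Reader", "scope": f"/subscriptions/{SUB_A}"},
    # Too broad: a management-group assignment also covers unmonitored subscriptions.
    {"principalName": "lho-monitor", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Billing Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
    # Wrong role: Contributor can change resources, not just read cost data.
    {"principalName": "lho-monitor", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_B}"},
]


def audit_role_assignments(assignments, monitored_subscriptions,
                           allowed_roles=frozenset({"Billing Reader"})):
    """Return (findings, missing).

    findings: descriptions of assignments that exceed the expectation.
    missing: monitored subscription IDs with no allowed role at subscription scope.
    """
    expected = {s.lower() for s in monitored_subscriptions}
    findings: list[str] = []
    covered: set[str] = set()
    for a in assignments:
        role = a.get("roleDefinitionName")
        scope = a.get("scope", "")
        if role not in allowed_roles:
            findings.append(f"unexpected role '{role}' at {scope}")
            continue
        match = SUBSCRIPTION_SCOPE.match(scope)
        if match is None:
            findings.append(f"'{role}' assigned at {scope}, which is not a single subscription")
            continue
        sub_id = match.group(1).lower()
        if sub_id in expected:
            covered.add(sub_id)
        else:
            findings.append(f"'{role}' on subscription {sub_id}, which hosts no monitored workspace")
    missing = sorted(expected - covered)
    return findings, missing


if __name__ == "__main__":
    found, gaps = audit_role_assignments(SAMPLE_ASSIGNMENTS, MONITORED_SUBSCRIPTIONS)
    for line in found:
        print("FINDING:", line)
    for sub in gaps:
        print("MISSING: Billing Reader not assigned on subscription", sub)
```

Note that an assignment inherited from a management group is listed with the management-group scope, so it is reported as too broad rather than as covering the subscriptions beneath it; the workspace-level admin or read-only role from the second item is granted inside Databricks and does not appear in Azure RBAC output at all.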


Users who sign into LHO via Azure AD single sign-on (OAuth) are authorized downstream by the Databricks APIs that LHO calls on their behalf, so a user has the same level of access to data in LHO as they have in the monitored workspaces.
