Lakehouse Optimizer User Roles

🪪 LHO Roles


What roles are there in the LHO app?

LHO currently supports the following roles that grant specific rights in the application:

  • user

    • an Azure AD user can only access the Tenant Overview, Workspaces, Reports, Unity Catalog Migration Assessment and Incidents features of the application

    • cannot modify settings, or the consumption or telemetry data processing schedules

    • can access cost and telemetry data on workspaces based on configured access rights

  • executive

    • all the rights of the user role, plus access to cost and telemetry data on all published workspaces with no access rights restriction

    • users with the executive role have access to all cost and activity data with no authorization rules applied

    • the executive role cannot modify settings (same as the user role)

  • admin

    • all the rights of users and executives, plus the ability to configure a Databricks Workspace to be used for analysis by users and executives

    • can set the license and configure email notifications and incidents policies

  • billing admin

    • all the rights of users, plus the ability to manage consumption data loading and processing

 

 


How can I assign LHO roles to users?

(Step 1) Create env variable

To enable roles in the LHO app, set the following environment variable for the app:

  • ADMIN_APP_ROLE = bplm-admin

    • bplm-admin is simply a user-defined role name. The administrator can choose any tag to identify the admin role type. This tag is used to define an App Registration role in Active Directory.

    • if the env variable ADMIN_APP_ROLE is not defined, all regular users effectively work as admin users, with full rights in the LHO app

 

(Step 2) Create app role

Open Azure Active Directory in Azure Portal → App registrations → search for client id (see more details at “How do I configure the Azure Active Directory group?”) and open application → click on App roles → Create app role with following settings:

  • Display name

    • bplm-admin

  • select Users/Groups

  • Value

    • bplm-admin

    • value must be the same as the value of env variable ADMIN_APP_ROLE

  • Description

    • any meaningful description

 

 

If there are NO roles defined in the Service Principal App, then any signed-in user in LHO is considered an LHO Admin.

 

 

(Step 3) Assign users to App role

From the above step, click on Overview in the opened application page.

If the page from (Step 2) was closed, open Azure Active Directory in Azure Portal → App registrations → search for client id (see more details at “How do I configure the Azure Active Directory group?”) and open the application.

Click on the link for Managed application in local directory; the link text is the App name. This will open the Enterprise Application view.

Select the Users and groups tab, then click Add User/Group.

This view allows you to assign users and/or groups to have the admin role in the LHO app.
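
Both fail-open cases above (ADMIN_APP_ROLE not defined, or no app roles defined) leave every signed-in user with admin rights, so it is worth checking Steps 1 and 2 against each other before relying on the role. The following is an added example, not part of LHO: it audits the `appRoles` array from the app registration manifest against the environment. The function name, the sample manifest and the exact, case-sensitive comparison of the role value are assumptions.

```python
import json
import os

# Constructed sample: the appRoles array of an app registration manifest.
SAMPLE_APP_ROLES = json.loads("""
[
  {"displayName": "bplm-admin", "value": "bplm-admin", "isEnabled": true,
   "allowedMemberTypes": ["User"], "description": "LHO administrators"}
]
""")


def audit_admin_role(env, app_roles):
    """Return a list of findings; an empty list means Steps 1 and 2 agree."""
    findings = []
    role_name = (env.get("ADMIN_APP_ROLE") or "").strip()
    if not role_name:
        # Page: without ADMIN_APP_ROLE every regular user works as admin.
        findings.append("FAIL-OPEN: ADMIN_APP_ROLE is not set")
    if not app_roles:
        # Page: with no app roles defined, any signed-in user is LHO Admin.
        findings.append("FAIL-OPEN: app registration defines no app roles")
    if not role_name or not app_roles:
        return findings
    # Assumption: the role value must match the env variable exactly.
    matches = [r for r in app_roles if r.get("value") == role_name]
    if not matches:
        values = sorted(str(r.get("value")) for r in app_roles)
        findings.append(f"MISMATCH: no app role with value {role_name!r}; found {values}")
        return findings
    role = matches[0]
    if not role.get("isEnabled", False):
        findings.append(f"DISABLED: app role {role_name!r} is not enabled")
    # "Users/Groups" in the portal is stored as "User" in allowedMemberTypes.
    if "User" not in role.get("allowedMemberTypes", []):
        findings.append(f"MEMBER-TYPE: app role {role_name!r} does not allow Users/Groups")
    return findings


if __name__ == "__main__":
    for line in audit_admin_role(os.environ, SAMPLE_APP_ROLES) or ["OK"]:
        print(line)
```

Run it with the same environment the LHO app receives and with the real `appRoles` array in place of the sample; any `FAIL-OPEN` finding means the admin restriction is not in effect.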