Lakehouse Optimizer User Roles



What roles are there in the LHO app?

LHO supports the following roles granting specific rights to users within the application:

  • User

    • Read-only access to all feature pages

    • Viewing rights for Workloads and Optimize pages governed by permissions configured in Databricks.

    • Cannot modify settings, consumption data, or telemetry processing.

  • Admin

    • Access to all feature pages, with permission to configure budget and commit thresholds.

    • Viewing rights for Workloads and Optimize pages governed by permissions configured in Databricks.

    • Full access to app settings, except for managing consumption data processing. An Admin can set the license, configure telemetry processing, and manage incident policies, email notifications, and tags.

  • Billing Admin

    • Add-on admin permission to manage consumption data processing.

  • Executive

    • Read-only access to all feature pages, same as User role.

    • Unrestricted data access for Workloads and Optimize pages (not limited by Databricks permissions).

    • Cannot modify settings, consumption data, or telemetry processing.


 

 


How can I assign LHO roles to users?

 

When no roles are defined in the Service Principal app, all signed-in users in LHO are treated as LHO Admins. It is therefore essential to define roles in the Service Principal app, so that default access is restricted to the LHO User role.

Step 1: Create env variables

  1. To enable roles in the LHO app, first set the following environment variables in the .env file:

    1. ADMIN_APP_ROLE=lho_admin

    2. BILLING_ADMIN_APP_ROLE=lho_billing_admin

    3. EXECUTIVE_APP_ROLE=lho_executive

The values are user-specified tags that identify the different roles within LHO. These tags are then used to define each role in Active Directory > App Registrations.

If the environment variable ADMIN_APP_ROLE is not defined, then all users who access LHO via single sign-on will have LHO Admin role permissions.

 

Step 2: Create app roles

  1. Open Azure Active Directory in Azure Portal

  2. Go to App Registrations

  3. Search by Application (client) ID and click to open application

  4. Navigate to Manage > App roles

  5. Create app roles

    1. lho_admin

      • Display name = lho_admin

      • Allowed member types = Users/Groups

      • Value = lho_admin – same as the value of env variable ADMIN_APP_ROLE

      • Description = LHO Admin. Can use and configure all product features, except for managing consumption data processing

    2. lho_billing_admin

      • Display name = lho_billing_admin

      • Allowed member types = Users/Groups

      • Value = lho_billing_admin – same as the value of env variable BILLING_ADMIN_APP_ROLE

      • Description = LHO Billing Admin. Add-on permission to LHO Admin to manage consumption data processing.

    3. lho_executive

      • Display name = lho_executive

      • Allowed member types = Users/Groups

      • Value = lho_executive – same as the value of env variable EXECUTIVE_APP_ROLE

      • Description = LHO Executive. Can use all product features. Full visibility into Workloads (not restricted by Databricks permissions).

    4. lho_user
      Create this role only if "Assignment required?" is set to Yes in the app Properties.
      If assignment is not required in the app Properties, all users who access LHO via single sign-on have the LHO User role by default (in addition to any assigned roles).

      • Display name = lho_user

      • Allowed member types = Users/Groups

      • Value = lho_user

      • Description = LHO User. Can use all product features.

If no roles are defined in App Registrations, then all users who access LHO via single sign-on will have LHO Admin role permissions.

[Screenshot: app with roles defined]
[Screenshot: create bplm_user only when Assignment required]
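
A consistency check for Steps 1 and 2, as an added example that is not part of LHO or its documentation: it compares the role tags in .env with the app roles of the registration and reports the gaps that leave a role unmatched or fall back to Admin for everyone. The sample inputs are constructed; the JSON is assumed to be the `appRoles` array of the app registration (for example, the output of `az ad app show --id <client-id> --query appRoles`), and `parse_env` and `check_roles` are hypothetical helper names.

```python
import json

# Constructed sample inputs (not from a real deployment). The billing role
# Value is misspelled and the executive role is disabled, to show both findings.
SAMPLE_ENV = """\
ADMIN_APP_ROLE=lho_admin
BILLING_ADMIN_APP_ROLE=lho_billing_admin
EXECUTIVE_APP_ROLE=lho_executive
"""
SAMPLE_APP_ROLES = json.dumps([
    {"value": "lho_admin", "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"value": "lho_biling_admin", "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"value": "lho_executive", "isEnabled": False, "allowedMemberTypes": ["User"]},
])

ROLE_VARS = ("ADMIN_APP_ROLE", "BILLING_ADMIN_APP_ROLE", "EXECUTIVE_APP_ROLE")
ADMIN_FALLBACK = " (all SSO users get LHO Admin permissions)"


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_roles(env_text, app_roles_json):
    """Return findings; an empty list means .env and the app roles agree."""
    env = parse_env(env_text)
    roles = {r.get("value"): r for r in json.loads(app_roles_json)}
    findings = []
    if not roles:
        findings.append("no app roles defined" + ADMIN_FALLBACK)
    for var in ROLE_VARS:
        tag = env.get(var)
        if not tag:
            note = ADMIN_FALLBACK if var == "ADMIN_APP_ROLE" else ""
            findings.append(f"{var} is not set{note}")
        elif tag not in roles:
            findings.append(f"{var}={tag}: no app role has this Value")
        elif not roles[tag].get("isEnabled", False):
            findings.append(f"{var}={tag}: app role is disabled")
        elif "User" not in roles[tag].get("allowedMemberTypes", []):
            findings.append(f"{var}={tag}: app role is not assignable to Users/Groups")
    return findings
```

An empty result means every tag in .env has an enabled, user-assignable app role with the same Value.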

 

Step 3: Assign users to app role(s)

  1. Open Azure Active Directory in Azure Portal

  2. Go to App Registrations

  3. Search by Application (client) ID and click to open application

  4. Make sure Overview is selected

  5. Click on the app name in the Managed application in local directory field. This will open the Enterprise Application view.

  6. Navigate to Manage > Users and groups

  7. Click +Add user/group

  8. Select users/groups. Confirm by clicking the Select button.

  9. Select a role to assign. Confirm by clicking the Select button.

  10. Confirm by clicking the Assign button.

  • If the user should be able to view data in Workloads regardless of permissions in Databricks, assign the lho_executive role.

  • If the user should be able to configure Settings in LHO, assign the lho_admin role.

  • If the user should be able to manage consumption data processing (Settings > Consumption Data page), also assign the lho_billing_admin role in addition to lho_admin.

  • If assignment is required in the app Properties and the user has neither the lho_executive nor the lho_admin role, assign the lho_user role. Otherwise the lho_user role is not needed: all users who access LHO via single sign-on have LHO User role permissions.