How to Add New Users for LHO (AWS)
- Ciprian LUCACI
Once you’ve successfully installed Lakehouse Optimizer and you have your LHO admin user working, then it’s time to add new users to LHO.
Let’s assume we want to grant access to 👩💻 Angela to login and use LHO.
I. Configure LHO App Login and Role Delegation
This section describes how to provide access to LHO either to an individual user or to a group via Active Directory Single Sign-On.
Active Directory authentication is configured automatically on installation.
For more details, please refer to the following related articles:
First step is to add 👩💻 Angela as use of the managed application used by LHO.
How to add rights to a user to access LHO via AD auth
(1.) Copy the “Client ID” used by the service principal of LHO
You can find the Client ID of the environment on the Settings page // Provisioning & Permissions and scroll down to the bottom of the page where you can find this information in the “Service Principal” panel under the “Client Id” label.
(2.) Open Microsoft Entra >
search for “Microsoft Entra”
(3.) Navigate to App Registrations >
(4.) Search all applications for “client id of the environment” >
Click on the name of application you found.
(5) Manage application
in the top right section, click on the name of the application
click on the value of the label “Managed application in local directory”
you need to be owner of the app in order to add users
This action will open the following view:
(6) Check Assignment Required
Based on how the Service Principal was configured, if the “Assigned required?” is set to “Yes”, then you will have to manually add user Angela to this app.
Please proceed to the following step
(6) Add user
click on the left navigation pane on “Users and groups”, or
click on “Assign users and groups”
click on “Add user/group”
click on “Users and groups” and search for user and select user
click on “select a role” and select from the right section which role you want to assign
for more information regarding LHO roles, please refer to
all LHO users have as default access “LHO User” (Default Access)
If there are NO roles defined in the Service Principal App, then any signed in user in LHO is considered LHO Admin.
II. Grant Rights for Listing Databricks Workspaces
Once the previous section is complete, Angela is now able to successfully long to LHO via Active Directory authentication.
However, she still cannot see anything yet in LHO.
The second step is to grant reading rights for Angela in the Azure Subscription(s).
Once this section is complete, Angela will be able
to read all (published LHO) Databricks workspaces in a particular Subscription
to see the name of the Databricks workspaces, but not the content of the workspaces (ie. listing workloads)
(1) Open Azure Portal and navigate to Subscriptions
(2) Select Subscription
(3) Select Access control (IAM)
(4) Add Role Assignment
Lakehouse Optimizer requires only read permission to list Databricks Workspaces. Therefore, in order to limit the rights only to this permission, create a custom role named BplmDatabricksReader (for example).
For example, BplmDatabricksReader is a custom role configured to provide only “List workspaces” rights for Databricks. The prebuilt Reader role provide access to too many resources which are not required by LHO to function properly.
For how to create this custom role, please see How to create a custom Role in Azure for LHO to use
(5) Select Role BplmDatabricksReader
click Next
(6) Select members
(7) Review + Assign
Once this section is complete, Angela will be able to see the names of all Databricks Workspaces that are published in LHO for the selected subscription in which she was just added.
III. Grant Access to Databricks Content
This next section is required if Angela is not already a Databricks user.
If the Active Directory group which holds Angela’s email account is not synchronized or imported into Databricks, then Angela is not recognized as a Databricks user and Databricks will not show her any assets.
If Angela is not a user in Databricks, than you will manually have to create her as a user.
Databricks uses the email as the user identification.
Therefore, Angela must have the same email used for AD login to LHO also configured as a user in Databricks.
How to add Angela as a Databricks user?
(0) Open desired Databricks Workspace
(1) Open Admin Settings
(2) Open Identity and access
(3) Open Manage Users
(4) Add User
(5) Edit User
By default, the newly added user will have access only to those assets that are publicly visible.
You can add the new user to other groups that you have defined in Databricks.
You can also make Angela a workspace admin which will grant access to all assets available in Databricks.
Once this section is complete, Angela will be able to all Databricks Workspaces assets to which her Databricks user has acces.
If Anglela is a LHO User (regular user, not admin), then she will see only those entities to which Databricks grants her acces.
IV. Refresh LHO Authorization Cache (Optional)
If Angela was already an active LHO user on another subscription, then after configuring the access on the new subscription(s) and new workspace(s), Angela needs to go and refresh the authorization cache to see the new subscriptions and new workspaces.
To improve performance, LHO caches the list of authorized resources for each user.
