How to Add New Users for LHO (AWS)

Once you’ve successfully installed Lakehouse Optimizer and you have your LHO admin user working, then it’s time to add new users to LHO.

 

Let’s assume we want to grant access to 👩‍💻 Angela to login and use LHO.

 

I. Configure LHO App Login and Role Delegation

This section describes how to provide access to LHO either to an individual user or to a group via Active Directory Single Sign-On.

Active Directory authentication is configured automatically on installation. 

For more details, please refer to the following related articles:

 

The first step is to add 👩‍💻 Angela as a user of the managed application used by LHO.


How to add rights to a user to access LHO via AD auth
(1.) Copy the “Client ID” used by the service principal of LHO

You can find the Client ID of the environment on the Settings page, under Provisioning & Permissions: scroll down to the bottom of the page to the “Service Principal” panel, where it appears under the “Client Id” label.

image (73).png
Service Principal → Client ID

 

(2.) Open Microsoft Entra >

 

(3.) Navigate to App Registrations >

(4.) Search all applications for “client id of the environment” >

image-20240122-140703.png

Click on the name of the application you found.

image-20240122-141059.png
Click on Application Name

 

(5) Manage application

  • in the top right section, click on the name of the application

    • click on the value of the label “Managed application in local directory”

  • you need to be an owner of the app in order to add users

image (74).png
open Managed Application

 

This action will open the following view:

image-20240122-141220.png
Service Principal application used for LHO

 

(6) Check Assignment Required

image (75).png
Assignment Required

Depending on how the Service Principal was configured, if “Assignment required?” is set to “Yes”, then you will have to manually add the user Angela to this app.

Please proceed to the following step.

 

(7) Add user

  • click “Users and groups” in the left navigation pane, or

  • click on “Assign users and groups”

image-20240122-142410.png
Open “Users and groups” page
image-20240122-142856.png
Add user/group

 

  • click on “Add user/group”

image-20240122-143113.png
select user
  • click on “Users and groups”, search for the user and select her

 

image-20240122-143235.png
select role
  • click on “Select a role” and choose the role you want to assign from the panel on the right

    • for more information regarding LHO roles, please refer to

    • all LHO users have “LHO User” (Default Access) as their default access

image (76).png
Role assignment

 

If there are NO roles defined in the Service Principal App, then any signed-in user of LHO is considered an LHO Admin.

 

image-20240122-144437.png
App with roles defined

 

II. Grant Rights for Listing Databricks Workspaces

Once the previous section is complete, Angela is able to successfully log in to LHO via Active Directory authentication.

However, she still cannot see anything in LHO yet.

 

The second step is to grant Angela read rights in the Azure Subscription(s).

Once this section is complete, Angela will be able

  • to read all Databricks workspaces (published in LHO) in a particular Subscription

  • to see the names of the Databricks workspaces, but not the content of the workspaces (i.e. listing workloads)

 

(1) Open Azure Portal and navigate to Subscriptions

 

(2) Select Subscription

image-20240122-150734.png
Select desired subscription


(3) Select Access control (IAM)

image-20240122-150824.png
Subscription main view

 

(4) Add Role Assignment

image-20240122-151030.png
Add Role Assignment

 

Lakehouse Optimizer requires only read permission to list Databricks Workspaces. Therefore, in order to limit the rights to this single permission, create a custom role named BplmDatabricksReader (for example).

For example, BplmDatabricksReader is a custom role configured to provide only “List workspaces” rights for Databricks. The prebuilt Reader role provides access to far more resources than LHO needs in order to function properly.

For how to create this custom role, please see How to create a custom Role in Azure for LHO to use

 

 

image-20240122-151144.png
Custom Role
image-20240122-151159.png
Builtin Reader Role
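The least-privilege role described above, written out as an Azure custom role definition. This is an added example, not the project's own role definition: the action name `Microsoft.Databricks/workspaces/read` is the assumed Azure RBAC action that covers “List workspaces”, and the subscription id is a placeholder to fill in.

```json
{
  "Name": "BplmDatabricksReader",
  "IsCustom": true,
  "Description": "Read-only listing of Databricks workspaces for Lakehouse Optimizer (assumed action, added example)",
  "Actions": [
    "Microsoft.Databricks/workspaces/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION-ID>"
  ]
}
```

Saved as role.json, the definition can be registered with `az role definition create --role-definition @role.json`; compared with the built-in Reader role, whose Actions are `*/read`, it exposes nothing beyond the workspace listing that LHO needs.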

 

(5) Select Role BplmDatabricksReader

  • click Next


(6) Select members

image-20240122-151547.png
members selection


(7) Review + Assign

 

Once this section is complete, Angela will be able to see the names of all Databricks Workspaces that are published in LHO for the subscription to which she was just added.

 

III. Grant Access to Databricks Content

This next section is required if Angela is not already a Databricks user.

If the Active Directory group which holds Angela’s email account is not synchronized or imported into Databricks, then Angela is not recognized as a Databricks user and Databricks will not show her any assets.

If Angela is not a user in Databricks, then you will have to create her as a user manually.

Databricks uses the email as the user identification.

Therefore, Angela must have the same email used for AD login to LHO also configured as a user in Databricks.

 

How to add Angela as a Databricks user?

image-20240131-155526.png
add a new Databricks user

(0) Open desired Databricks Workspace

(1) Open Admin Settings

(2) Open Identity and access

(3) Open Manage Users

(4) Add User

image-20240131-155724.png
enter new user

 

 

(5) Edit User

image-20240131-155833.png
edit Databricks User

By default, the newly added user will have access only to those assets that are publicly visible.

You can add the new user to other groups that you have defined in Databricks.

You can also make Angela a workspace admin which will grant access to all assets available in Databricks.

image-20240131-160207.png
make user as a workspace admin

 

Once this section is complete, Angela will be able to see all Databricks Workspace assets to which her Databricks user has access.

If Angela is an LHO User (regular user, not admin), then she will see only those entities to which Databricks grants her access.

 

 

IV. Refresh LHO Authorization Cache (Optional)

If Angela was already an active LHO user on another subscription, then after configuring the access on the new subscription(s) and new workspace(s), Angela needs to refresh the authorization cache in order to see the new subscriptions and workspaces.

To improve performance, LHO caches the list of authorized resources for each user, so newly granted rights are not visible until the cache is refreshed.

image-20250205-141735.png
authorization cache
