Granting System Table and Workspace Discovery Access
Note: Consider the following:
• This feature is available as an early-access capability for Databricks on AWS. Customers receive access automatically and do not need to contact Flexera Support to enable it. We’re actively working to improve this capability, and your feedback is welcome.
• The Databricks bill connect is only available for Databricks on AWS. Support for other cloud vendors will be added in future releases.
To allow Flexera One to read Databricks billing and compute data and to automatically discover all eligible workspaces, you must grant the service principal access to the required system tables in each workspace and to the workspace discovery tables in the entry-point workspace.
Granting Compute, Billing, and Lakeflow System Schema Access (All Workspaces)
To allow the service principal to query Databricks Unity Catalog compute, billing, and lakeflow system tables, you must grant it catalog, schema, and table-level privileges in each workspace.
For each workspace, open an SQL Editor and run the following SQL commands:
GRANT USE CATALOG ON CATALOG system TO `<service_principal_client_id>`;
GRANT USE SCHEMA ON SCHEMA system.compute TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.compute.clusters TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.compute.warehouses TO `<service_principal_client_id>`;
GRANT USE SCHEMA ON SCHEMA system.lakeflow TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.lakeflow.jobs TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.lakeflow.pipelines TO `<service_principal_client_id>`;
GRANT USE SCHEMA ON SCHEMA system.billing TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.billing.list_prices TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.billing.usage TO `<service_principal_client_id>`;
This enables the service principal to query all required compute, billing, and lakeflow system tables.
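Note: You can grant the service principal access at the catalog level instead of specifying individual schema or table permissions. Catalog-level privileges are inherited by every schema and table in the system catalog, including ones not listed above.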
To grant broad access, run the following commands in the SQL Editor:
GRANT USE CATALOG ON CATALOG system TO `<service_principal_client_id>`;
GRANT USE SCHEMA ON CATALOG system TO `<service_principal_client_id>`;
GRANT SELECT ON CATALOG system TO `<service_principal_client_id>`;
Granting Workspace Discovery Access
Flexera automatically discovers workspaces for ingestion if:
• The workspace is accessible to the configured service principal.
• The workspace contains at least one SQL warehouse tagged as: created_for: flexera.
To enable this auto-discovery, you must grant the service principal access in the entry-point workspace.
These commands must be executed only in the entry-point workspace.
1. In the entry-point workspace, open an SQL Editor.
2. Run the following SQL commands:
GRANT USE SCHEMA ON SCHEMA system.access TO `<service_principal_client_id>`;
GRANT SELECT ON TABLE system.access.workspaces_latest TO `<service_principal_client_id>`;
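To check a workspace against the statements above, this added example (not Flexera or Databricks code) compares the service principal's grant rows with the least-privilege set on this page and reports missing privileges, excess privileges, and excess privileges held above table level. The row shape (principal, action, object type, object key), the function names, and the sample rows are assumptions; rows would typically be collected from SHOW GRANTS output.

```python
# Least-privilege grants, copied from the GRANT statements on this page.
ALL_WORKSPACES = {
    ("USE CATALOG", "CATALOG", "system"),
    ("USE SCHEMA", "SCHEMA", "system.compute"),
    ("SELECT", "TABLE", "system.compute.clusters"),
    ("SELECT", "TABLE", "system.compute.warehouses"),
    ("USE SCHEMA", "SCHEMA", "system.lakeflow"),
    ("SELECT", "TABLE", "system.lakeflow.jobs"),
    ("SELECT", "TABLE", "system.lakeflow.pipelines"),
    ("USE SCHEMA", "SCHEMA", "system.billing"),
    ("SELECT", "TABLE", "system.billing.list_prices"),
    ("SELECT", "TABLE", "system.billing.usage"),
}
ENTRY_POINT_ONLY = {
    ("USE SCHEMA", "SCHEMA", "system.access"),
    ("SELECT", "TABLE", "system.access.workspaces_latest"),
}

def covers(held, want):
    """Same privilege on the object itself or on one of its ancestors."""
    return held[0] == want[0] and (want[2] == held[2] or want[2].startswith(held[2] + "."))

def audit_grants(rows, principal, entry_point=False):
    """rows: (principal, action, object_type, object_key) tuples (assumed shape)."""
    expected = ALL_WORKSPACES | (ENTRY_POINT_ONLY if entry_point else set())
    held = {(a.upper(), t.upper(), k.lower()) for p, a, t, k in rows if p == principal}
    missing = sorted(w for w in expected if not any(covers(h, w) for h in held))
    excess = sorted(held - expected)
    # Excess grants on a catalog or schema apply to everything beneath it.
    broad = [g for g in excess if g[1] != "TABLE"]
    return {"missing": missing, "excess": excess, "broad": broad}

SP = "00000000-0000-0000-0000-000000000000"  # constructed placeholder client ID
NARROW = [(SP, a, t, k) for a, t, k in ALL_WORKSPACES]  # constructed sample rows
BROAD = [(SP, "USE CATALOG", "CATALOG", "system"),      # constructed sample rows
         (SP, "USE SCHEMA", "CATALOG", "system"),
         (SP, "SELECT", "CATALOG", "system")]

if __name__ == "__main__":
    for name, rows in (("narrow", NARROW), ("broad", BROAD)):
        print(name, audit_grants(rows, SP, entry_point=True))
```

Pass entry_point=True only for the entry-point workspace; in any other workspace, grants on system.access are reported as excess.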