@alexott alexott commented Sep 30, 2025

Changes

Use a previously not available API to perform permission assignment by user name, group name or SP application ID. This solves a long-standing problem with the assignment of principals by workspace administrators who don't have access to account-level APIs.

We got an OK from the Identity team for using this endpoint.

Resolves #3412

Tests

  • make test run locally
  • relevant change in docs/ folder
  • covered with integration tests in internal/acceptance
  • tested manually
  • using Go SDK
  • using TF Plugin Framework
  • has entry in NEXT_CHANGELOG.md file

…`, `group_name`, or `service_principal_name`

Use a previously not available API to perform permission assignment by user name, group
name or SP application ID.  This solves a long outstanding problem with assignment of
principals by workspace administrators who don't have access to account-level APIs.
@alexott alexott requested review from a team as code owners September 30, 2025 10:37
@alexott alexott requested review from mgyucht and removed request for a team September 30, 2025 10:37
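
Added example (not part of the pull request or the provider's own documentation): a Terraform sketch of the workflow the description refers to, with the ID-based assignment that needs account-level access beside the name-based assignment this change introduces. The provider aliases, variables, group name, user name and application ID are constructed placeholders, and the `permissions` values are assumed from the existing `databricks_permission_assignment` resource.

```hcl
variable "databricks_account_id" {} # hypothetical variable
variable "workspace_url" {}         # hypothetical variable

# --- Alternative A (before): assignment by principal_id ----------------------
# Resolving the ID needs an account-level provider, so the identity running
# Terraform must hold account-level API access on top of workspace admin.
provider "databricks" {
  alias      = "account" # hypothetical alias
  host       = "https://accounts.cloud.databricks.com"
  account_id = var.databricks_account_id
}

provider "databricks" {
  alias = "workspace" # hypothetical alias
  host  = var.workspace_url
}

data "databricks_group" "account_level" {
  provider     = databricks.account
  display_name = "data-engineers" # constructed group name
}

resource "databricks_permission_assignment" "by_id" {
  provider     = databricks.workspace
  principal_id = data.databricks_group.account_level.id
  permissions  = ["USER"]
}

# --- Alternative B (after): assignment by name, workspace provider only ------
# Use instead of Alternative A; no account-level credentials are configured.
resource "databricks_permission_assignment" "by_group" {
  provider    = databricks.workspace
  group_name  = "data-engineers"
  permissions = ["USER"]
}

resource "databricks_permission_assignment" "by_user" {
  provider    = databricks.workspace
  user_name   = "analyst@example.com" # constructed user name
  permissions = ["USER"]
}

resource "databricks_permission_assignment" "by_sp" {
  provider               = databricks.workspace
  service_principal_name = "00000000-0000-0000-0000-000000000000" # placeholder application ID
  permissions            = ["USER"]
}
```

With Alternative B the credentials used for the run can be scoped to the workspace alone, which removes the account-level token from the CI environment.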

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds support for performing workspace-level permission assignments using user_name, group_name, or service_principal_name instead of requiring the principal_id. This addresses a long-standing limitation where workspace administrators needed account-level API access to retrieve principal IDs.

  • Added new API method to handle permission assignments by name/identifier
  • Extended the resource schema to support multiple principal identification methods
  • Added comprehensive test coverage for the new functionality

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| docs/resources/permission_assignment.md | Updated documentation with examples for the new name-based assignment methods |
| common/client.go | Added PutWithResponse helper method to support API calls that need response data |
| access/resource_permission_assignment.go | Refactored permission assignment logic to support both ID-based and name-based assignments |
| access/resource_permission_assignment_test.go | Added comprehensive tests for new assignment methods and error handling |
| NEXT_CHANGELOG.md | Added changelog entry for the new feature |


@alexott alexott temporarily deployed to test-trigger-is October 1, 2025 07:11 — with GitHub Actions Inactive

github-actions bot commented Oct 1, 2025

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/terraform

Inputs:

  • PR number: 5068
  • Commit SHA: dbc835bdc612c9d6a911705024701cc210b6e410

Checks will be approved automatically on success.

Development

Successfully merging this pull request may close these issues.

[FEATURE] Support getting account level databricks_group for workspace admins