Metadata-Version: 2.4
Name: databricks-access-audit
Version: 0.23.0
Summary: Cross-workspace access visibility for Databricks — audit who can reach what across every workspace in your account.
Author: Lukasz Maron
License: Apache-2.0
Project-URL: Homepage, https://github.com/lukaleet/databricks-access-audit
Project-URL: Issues, https://github.com/lukaleet/databricks-access-audit/issues
Project-URL: Changelog, https://github.com/lukaleet/databricks-access-audit/blob/main/CHANGELOG.md
Keywords: databricks,unity-catalog,scim,audit,permissions,security,principal,compliance,soc2,escalation,identity,snapshot,diff,access-review,offboarding,governance,workspace
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: requests>=2.33.0; python_version >= "3.10"
Requires-Dist: requests>=2.28; python_version < "3.10"
Provides-Extra: sdk
Requires-Dist: databricks-sdk<2.0,>=0.20.0; extra == "sdk"
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Requires-Dist: pytest-cov; extra == "dev"
Requires-Dist: responses>=0.23; extra == "dev"
Requires-Dist: ruff; extra == "dev"
Requires-Dist: bandit>=1.7; extra == "dev"
Requires-Dist: pip-audit>=2.7; extra == "dev"
Provides-Extra: notebook
Requires-Dist: pyspark>=3.4; extra == "notebook"
Provides-Extra: docs
Requires-Dist: mkdocs-material>=9.0; extra == "docs"
Provides-Extra: all
Requires-Dist: databricks-access-audit[dev,docs,notebook,sdk]; extra == "all"
Dynamic: license-file

# databricks-access-audit

> Databricks gives you no native way to answer *"what can this identity access across all my workspaces?"* — this tool does.

[![CI](https://img.shields.io/github/actions/workflow/status/lukaleet/databricks-access-audit/ci.yml?branch=main&label=CI)](https://github.com/lukaleet/databricks-access-audit/actions/workflows/ci.yml)
[![PyPI](https://img.shields.io/pypi/v/databricks-access-audit)](https://pypi.org/project/databricks-access-audit/)
[![Python 3.9+](https://img.shields.io/badge/python-3.9%2B-blue.svg)](https://www.python.org/downloads/)
[![License: Apache 2.0](https://img.shields.io/badge/license-Apache%202.0-green.svg)](LICENSE)

The Account Console shows you one workspace at a time. `INFORMATION_SCHEMA` shows you one metastore at a time. Neither resolves nested group memberships. Neither tells you whether a personal grant duplicates what the group already provides.

`databricks-access-audit` answers cross-workspace access questions in one command, across every workspace in your account at once.

## Five modes

| Mode | Command | Question it answers |
|---|---|---|
| **Principal audit** | `--principal "alice@company.com"` | What can this user / SP / group access across every workspace? |
| **Group audit** | `--group "data-engineers"` | What does this group access? Who has redundant personal grants? |
| **Resource audit** | `--resource "main"` | Who has access to this catalog / schema / table / workspace? |
| **Compare** | `--compare "alice@company.com" "bob@company.com"` | Which groups does Alice have that Bob doesn't? |
| **Access provisioning** | `--clone-from "alice@company.com" --to "bob@company.com"` | How do I give Bob the same access as Alice? |
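The two points the introduction makes, that nested group membership has to be resolved transitively and that a personal grant may duplicate what a group already provides, plus the "Compare" row above, are what the following added example demonstrates. It is illustrative code written for this page, not code from databricks-access-audit; the group directory and the Unity Catalog grants are constructed inline, and the principal and securable names are hypothetical.

```python
"""Added example (not part of databricks-access-audit): resolve nested group
membership, compute effective privileges, flag redundant personal grants,
and diff two principals' group sets. All data below is constructed."""
from collections import deque

# Constructed SCIM-style directory: group -> direct members (users, service
# principals, or other groups). Nesting is three levels deep on purpose.
GROUPS = {
    "data-engineers": {"alice@company.com", "etl-service-principal", "analytics-leads"},
    "analytics-leads": {"bob@company.com"},
    "everyone": {"data-engineers", "carol@company.com"},
}

# Constructed Unity Catalog grants: (securable, principal, privilege).
GRANTS = [
    ("main", "everyone", "USE CATALOG"),
    ("main", "data-engineers", "SELECT"),
    ("main", "bob@company.com", "SELECT"),       # duplicates the group grant via analytics-leads -> data-engineers
    ("main", "alice@company.com", "MODIFY"),     # no group provides MODIFY, so this is not redundant
    ("finance", "carol@company.com", "SELECT"),  # no group grant on finance, so not redundant
]


def effective_groups(principal, groups):
    """All groups the principal belongs to, directly or through nesting.
    Breadth-first walk over the reverse membership graph; the visited set
    also protects against membership cycles in a malformed directory."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        node = queue.popleft()
        for group in parents.get(node, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective_privileges(principal, groups, grants):
    """Map securable -> privileges the principal holds by any path (direct or group)."""
    holders = {principal} | effective_groups(principal, groups)
    result = {}
    for securable, grantee, privilege in grants:
        if grantee in holders:
            result.setdefault(securable, set()).add(privilege)
    return result


def redundant_personal_grants(groups, grants):
    """Direct (non-group) grants that a group the principal already belongs to also provides.
    These are the grants an access review can revoke without changing effective access."""
    redundant = []
    for securable, grantee, privilege in grants:
        if grantee in groups:
            continue  # a group grant, not a personal one
        via_groups = effective_groups(grantee, groups)
        if any(s == securable and g in via_groups and p == privilege for s, g, p in grants):
            redundant.append((securable, grantee, privilege))
    return redundant


def compare_groups(left, right, groups):
    """Groups that `left` has (directly or nested) and `right` does not."""
    return effective_groups(left, groups) - effective_groups(right, groups)


if __name__ == "__main__":
    for principal in ("bob@company.com", "etl-service-principal"):
        print(principal, sorted(effective_groups(principal, GROUPS)),
              effective_privileges(principal, GROUPS, GRANTS))
    print("redundant personal grants:", redundant_personal_grants(GROUPS, GRANTS))
    print("bob has, alice lacks:", compare_groups("bob@company.com", "alice@company.com", GROUPS))
```

The reverse-graph walk is what makes the "who can reach what" question answerable: a grant to `everyone` reaches `bob@company.com` only through two levels of nesting, which a per-workspace view that lists direct members never shows. The redundancy check is deliberately conservative; it only reports a personal grant when a group grant with the same privilege on the same securable exists, so it never proposes a revocation that would reduce access.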

## Install

```bash
pip install "databricks-access-audit[sdk]"
```

Add credentials to `~/.databrickscfg` and run:

```bash
databricks-access-audit --principal "alice@company.com"
databricks-access-audit --group "data-engineers" --revoke-script
databricks-access-audit --resource "main" --output html > main_access.html
```

## Documentation

**[https://lukaleet.github.io/databricks-access-audit](https://lukaleet.github.io/databricks-access-audit)**

- [Getting Started](https://lukaleet.github.io/databricks-access-audit/getting-started/) — install, credentials, first audit
- [Capabilities](https://lukaleet.github.io/databricks-access-audit/capabilities/) — how each feature works
- [Use Cases](https://lukaleet.github.io/databricks-access-audit/use-cases/offboarding/) — offboarding, onboarding, access review, incident response, compliance
- [CLI Reference](https://lukaleet.github.io/databricks-access-audit/reference/cli/) — every flag documented
- [Troubleshooting](https://lukaleet.github.io/databricks-access-audit/troubleshooting/) — common issues and fixes

## Tested environments

Developed and live-tested against Azure Databricks with Unity Catalog. AWS and GCP code paths exist but haven't been confirmed against real accounts yet.

If you run this on AWS, GCP, a large multi-workspace account, or with Okta/AWS SSO as your IdP — [open an issue](https://github.com/lukaleet/databricks-access-audit/issues) and let us know what works and what doesn't. Every environment report improves the tool.

## Development

```bash
pip install -e ".[sdk,dev]"
pytest          # 570 tests, no real Databricks connection required
ruff check .
```

## License

Apache 2.0 — see [LICENSE](LICENSE).
