Dashboards: registry of Databricks AI/BI (Lakeview) dashboards¶

The Dashboards module is Datahub's home for the Databricks Lakeview dashboards your teams have already built. It doesn't author dashboards — it imports the published ones from your Databricks workspace, organises them into groups with role-based access, and renders them inside Datahub via the official @databricks/aibi-client SDK so users get a native viewing experience without leaving the platform.

If your organisation has invested in Lakeview dashboards but struggles with discoverability, governance, and consistent access, this is where they belong.

It's the read-only counterpart to Insights, which lets you author dashboards inside Datahub.

When to choose this¶

Use Dashboards when you want to:

Surface published Lakeview dashboards to the right business users without sharing Databricks workspace access.
Group dashboards by region, business unit, country, or topic — and gate access by role group.
Star the dashboards you use most so they pin to the top of the gallery.
Ask Genie about a dashboard in natural language — "What was revenue in Q4?" — through the platform's Genie chat panel.
Audit which users opened which dashboard, when.

You do not need this module to:

Build new dashboards from inside Datahub — that's Insights.
Embed any dashboard outside Databricks (Power BI, Tableau, …) — Lakeview only.
Use Databricks PAT integrations for embedding — embedding requires Service Principal or OAuth U2M.

What Dashboards looks like¶

Surface	Where	What you see
Gallery	`/dashboards`	Card grid filtered by your group access. Each card: name, group badge, star toggle, description. Group filter dropdown. Starred dashboards pin to the top.
Group management	`/dashboards/groups`	Managers can create / edit / delete groups and assign role groups.
Viewer	`/dashboards/{id}`	Embedded SDK rendering of the Lakeview dashboard. Ask Genie button on the toolbar opens a slide-in chat panel.
Import modal	Gallery → Import	Pick a Service-Principal-or-OAuth-U2M workspace → list of published dashboards not yet imported → assign to a group → import.

Concepts¶

Concept	What it is
Workspace	A registered Databricks workspace integration (must be Service Principal or OAuth U2M for import / embedding; PAT is blocked).
Dashboard	A reference to a published Databricks Lakeview dashboard — name, description, embed URL, owning group.
Group	A logical collection of dashboards (e.g. EMEA, Finance, Customer Success). Each group is mapped to one or more Datahub role groups.
Group access	The mapping from a dashboard group → role groups → users. Readers see only dashboards in groups they have access to. Managers see all.
Star	A per-user favourite that pins the dashboard to the top of the gallery.
Genie space	The Databricks Genie space companion to a dashboard. Auto-discovered if Genie is enabled on the dashboard, or admin-overridable per dashboard via `genie_space_id`.
Genie conversation	A natural-language Q&A session about a dashboard. Powered by Databricks' Genie Conversation API; proxied through the platform using the workspace credentials.

Setup — what an admin needs to do once¶

Prereq	Where	Why
Databricks integration	`/admin/integrations` → Databricks	Service Principal or OAuth U2M. PAT is blocked from import + embedding.
Embedding enabled in the workspace	Databricks workspace settings	Embedding must be on; the destination domain must be approved. The platform calls `embedding-status` to surface the policy and approved domains.
Roles	`/rolegroups`	`dashboards.read` — view gallery + open the viewer (filtered by group access). `dashboards.manage` — import, edit, deactivate, manage groups + group access.
Groups	`/dashboards/groups`	Create groups for the access model you want; map each to role groups.
(Optional) Genie space override	`/dashboards/{id}` admin form	If auto-discovery doesn't find the right Genie space, set the ID manually.

The platform seeds a default group on install and assigns existing dashboards to it.

Importing a dashboard¶

The import flow:

/dashboards → Import.
Pick the Databricks workspace (Service Principal or OAuth U2M; PAT integrations don't appear).
The platform calls Databricks Lakeview to list published dashboards not yet registered. Unpublished dashboards are filtered out.
Select dashboards → assign to a group (existing or inline create).
Import → the platform fetches each dashboard's published version (to get the embed URL) and persists the reference locally. No Databricks-side mutation.

To deregister, use Delete on the dashboard row — Datahub forgets the reference; the dashboard remains in Databricks untouched.

Group-based access¶

The access model is intentionally simple:

Role	What they see
`dashboards.read` (Reader)	Only dashboards in groups they have access to via their role groups.
`dashboards.manage` (Manager)	All dashboards across all groups.

So an EMEA Finance Reader who's in the EMEA Finance role group sees only the dashboards in groups mapped to that role group. A Manager sees everything.

Group assignments are managed at /dashboards/groups; role-group → group mappings are the source of truth.

Embedding¶

The viewer uses the official @databricks/aibi-client SDK with a 3-step OAuth token-minting flow:

All-apis token. Native OIDC for Databricks-managed Service Principals; Azure AD for Azure-managed Service Principals.
Dashboard tokeninfo with the user's email as external_viewer_id — generates the custom_claim Databricks requires for scoped embedding.
Scoped embedding token via client_credentials + Basic auth (native) or OIDC token-exchange (Azure AD).

The external_viewer_id is the user's email from the JWT — so per-user Databricks audit trails work.

If a Service Principal flow isn't available, the viewer falls back to a plain iframe via the embed URL (PAT integrations don't get this option since import is blocked for them).

For OAuth U2M:

Discovery, import, Genie — run under the calling user's Databricks identity (per-user UC RLS + per-user audit).
Embedding — intentionally not relaxed; embedded dashboards still mint under the SP because the embedding identity model is per-organisation. So per-user UC RLS does not extend to dashboards rendered via the embedding token. If you need per-user RLS, build the dashboard in Insights where the calling user's identity does run the SQL.

Asking Genie¶

If a dashboard has a companion Genie space:

Ask Genie button on the viewer toolbar opens a slide-in chat panel.
Type a natural-language question; the platform proxies to Databricks Genie Conversation API using the workspace credentials.
Genie returns generated SQL + tabular results. The platform polls until the message completes.
Past conversations are listed in the panel; you can re-open a conversation, ask follow-ups, or start a new one.
Rate limit during Public Preview: 5 queries / min / workspace.

Genie conversations are ephemeral on the Databricks side — Datahub doesn't persist the message bodies, only the metadata you need to navigate them.

Limitations¶

Limit	Why	Workaround
Lakeview only — no Power BI, Tableau, Looker.	First-class focus.	Other BI tools may follow; for now, link out from a Page or a Data Product.
PAT integrations can't import or embed.	The 3-step token flow needs SP or OAuth identity.	Switch the integration to Service Principal or OAuth U2M.
Per-user RLS doesn't apply to embedded dashboards.	Embedding mints under the SP.	Use Insights for per-user RLS.
Genie is rate-limited (5 / min / workspace) during Public Preview.	Databricks limit.	Throttle queries; wait.
Datahub doesn't author Lakeview dashboards.	Out of scope.	Author in Databricks; import the published version.
Genie answers depend on the Genie space's quality.	Databricks owns Genie.	Tune the Genie space in Databricks (table descriptions, sample questions).
Group access is binary per-group.	Simple model.	Create more granular groups if you need finer slicing.

Audit & compliance¶

Question a CISO might ask	Where to look
"Who can see this dashboard?"	Dashboard → group → role-group access.
"Who opened this dashboard last week?"	Embedding mints with `external_viewer_id = user.email` — Databricks audit shows per-user opens. The platform also logs viewer opens.
"Whose Databricks identity ran the queries inside this dashboard?"	Embedding: the workspace SP. OAuth U2M discovery / import / Genie: the calling user. Embedding never honours per-user RLS.
"Did anyone import a dashboard they shouldn't?"	`dashboards.manage` is required for import; auditable.
"Where does Genie data go?"	Genie API on the registered Databricks workspace; the platform proxies — no third party involved.
"Can a user star a dashboard they don't have access to?"	No — star endpoints are gated on the same access model.

Troubleshooting¶

Symptom	Likely cause	Fix
Workspace doesn't appear in import modal	PAT integration.	Switch to Service Principal or OAuth U2M.
Embedding shows blank / "domain not approved"	Workspace embedding policy hasn't approved this domain.	Add `*.datahub.nl` (or your tenant domain) in Databricks workspace settings → Embedding.
Embedding fails with token error	The 3-step token flow rejected; commonly Azure AD SP without token-exchange enabled.	Enable token-exchange on the SP, or fall back to native Databricks OIDC SP.
Genie button missing	Dashboard has no companion Genie space.	Set `genie_space_id` manually on the dashboard's admin form.
Genie throws 429	Rate limit (5 / min / workspace).	Throttle; spread workload across workspaces.
Star icon doesn't toggle	Backend cache lag.	Refresh; if persistent, file a ticket.
Per-user RLS not applied	Expected — embedded dashboards mint under the SP.	Build in Insights for per-user RLS.
412 `DATABRICKS_OAUTH_CONSENT_REQUIRED` on import / Genie	OAuth U2M consent missing.	The UI prompts to re-consent.