For enabling secure access to external database credentials in Databricks, which permissions should be configured for user groups?

Read permissions on a secret scope are essential for securely accessing external database credentials in Databricks. By granting a user group read permissions to a specific secret scope, you ensure that members of the group are allowed to retrieve secrets, such as database credentials, stored within that scope. This approach effectively leverages Databricks' secret management capabilities, allowing for secure access without exposing sensitive information.

Using secret scopes helps to manage and restrict access to credentials, enhancing security by limiting visibility only to those who need it. By requiring read permissions specifically, it ensures that users can access the credentials necessary for connections to external databases without the ability to modify or delete the secrets, thereby maintaining the integrity and confidentiality of sensitive information.

For this reason, having read permissions on a secret scope strikes the right balance between access and security, making it the correct choice for enabling secure access in Databricks environments.