Granular APIs for OneLake security (Preview)
Microsoft Fabric continues to expand the OneLake security surface with new granular REST API support for role management, giving developers and platform teams far more control over how security policies are created, retrieved, and managed programmatically. In addition to the existing batch role API, Fabric now offers discrete Create, Get, and Delete role APIs, making it easier to build incremental, automation-friendly security workflows that align with modern DevOps and governance practices.
Previously, managing security roles through the API required submitting full role collections as a single batch. While this model works well for bulk operations, it can be cumbersome for applications that need to make targeted updates or respond dynamically to change. With the new granular APIs, clients can now interact with roles individually—retrieving a single role, updating or creating a role definition, or deleting a role—without needing to reason about the entire role set for an item.
The new Get role API enables clients to fetch a specific security role by name, allowing tooling and services to inspect current policy state before taking action. This is especially useful for validation, auditing, and drift detection scenarios, where understanding the effective permissions of a single role is required without pulling the full configuration.
For authoring and updates, the Create / Update role API allows callers to define or modify a role independently, including its decision rules and member assignments. Roles can express fine-grained permissions, such as scoped read access to specific tables or paths, and can include Microsoft Entra principals directly. This unlocks cleaner CI/CD pipelines, where individual security changes can be deployed, reviewed, and rolled back just like application code—without needing to reapply unrelated role definitions.
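The drift-detection scenario described above, sketched as an added example (this is not Microsoft's code and not from the API reference): it compares a role definition kept in source control with the role as a Get role call might return it. The JSON field names are an assumption modelled on the OneLake data access role shape (decision rules plus Microsoft Entra members), and the role name, paths and IDs are constructed; no HTTP call is made.

```python
# Constructed sample data; field names are assumed, modelled on the OneLake
# data access role shape (name, decisionRules, members).
def make_role(paths, actions, object_ids):
    return {
        "name": "SalesReaders",
        "decisionRules": [{
            "effect": "Permit",
            "permission": [
                {"attributeName": "Path", "attributeValueIncludedIn": paths},
                {"attributeName": "Action", "attributeValueIncludedIn": actions},
            ],
        }],
        "members": {"microsoftEntraMembers": [
            {"tenantId": "tenant-0001", "objectId": o} for o in object_ids]},
    }

# Desired state, as it would be reviewed and stored in source control.
DESIRED = make_role(["/Tables/sales", "/Tables/region"], ["Read"], ["obj-aaa", "obj-bbb"])
# Fetched state: path scope widened and an extra principal added (drift).
ACTUAL = make_role(["*"], ["Read"], ["obj-bbb", "obj-aaa", "obj-zzz"])
# Fetched state that differs only in list order (not drift).
REORDERED = make_role(["/Tables/region", "/Tables/sales"], ["Read"], ["obj-bbb", "obj-aaa"])

def grants(role):
    """Flatten decision rules into a set of (effect, path, action) tuples."""
    out = set()
    for rule in role.get("decisionRules", []):
        attrs = {p["attributeName"]: p["attributeValueIncludedIn"]
                 for p in rule.get("permission", [])}
        for path in attrs.get("Path", []):
            for action in attrs.get("Action", []):
                out.add((rule.get("effect"), path, action))
    return out

def members(role):
    """Set of (tenantId, objectId) pairs assigned to the role."""
    entra = role.get("members", {}).get("microsoftEntraMembers", [])
    return {(m["tenantId"], m["objectId"]) for m in entra}

def role_drift(desired, actual):
    """Return only the non-empty differences; {} means the role matches."""
    diff = {
        "grants_added": sorted(grants(actual) - grants(desired)),
        "grants_removed": sorted(grants(desired) - grants(actual)),
        "members_added": sorted(members(actual) - members(desired)),
        "members_removed": sorted(members(desired) - members(actual)),
    }
    return {k: v for k, v in diff.items() if v}

if __name__ == "__main__":
    print(role_drift(DESIRED, ACTUAL))
```

In a pipeline, a non-empty `grants_added` or `members_added` is the result to alert on, since it means the live role permits more than the reviewed definition.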
The Delete role API completes the lifecycle by enabling safe and explicit removal of roles that are no longer needed. This makes it easier to keep security configurations clean over time, particularly in dynamic environments where workloads, users, and policies evolve continuously.

Together, these APIs are designed for builders who need precision, composability, and automation: SaaS partners integrating Fabric security into their control planes, enterprises managing policy as code, and teams building internal tooling for governance at scale. The existing batch API remains available for bulk operations, while the new granular APIs offer a simpler and more flexible model for day‑to‑day role management.
This update is part of our broader investment in making OneLake security open, interoperable, and developer‑first, ensuring that security in Fabric can integrate naturally with external systems, pipelines, and governance tools. As always, we’re excited to see how customers and partners use these new capabilities to build more secure and automated data platforms on Fabric.
To learn more, refer to the OneLake security API reference.