Lakehouse Sharing and Access Permission Management
Microsoft Fabric now has even more capabilities for organizations to embrace data democratization. An Admin or Member within a workspace can share a lakehouse with another recipient.
To drive collaboration, an Admin or Member could add a user or group from the tenant’s AAD to a workspace with a selected role before sharing feature was available. That granted the user or group access with corresponding permissions to all items in the workspace. But it didn’t allow them to give access just to a single thing, like a lakehouse, without exposing the rest of the workspace content.
Today with sharing capability, downstream users can access a selected lakehouse and discover it through Data Hub. For a full lakehouse experience, the user can access the corresponding SQL Endpoint and default dataset. Note that permissions received through sharing will always be Read only. You can’t grant Write permissions using sharing feature.
When sharing, you can select different options that will define permissions for consumption:
- No additional permissions selected – this will allow a user to discover the lakehouse but access data only using SQL endpoint or default dataset with granular T-SQL GRANT access provided. That could be useful if only selected tables should be accessible for a user to use as data input, for example, as a source in dataflows.
- Read all SQL endpoint data – like above – that allows access to data only using SQL endpoint or default dataset. But it provides “ReadData” permission to read all Delta tables without setting object-level security using T-SQL GRANT.
- Read all Apache Spark – this provides access to all data in the lakehouse using Apache Spark. The user can access both tables and files using Lakehouse Explorer or Spark code in Notebooks. This option will give full read access to Lakehouse content without exposing the rest of the workspace items.
- Build reports on the default dataset – allows users to build Power BI on top of the default dataset that references all tables accessible through SQL endpoint.
You can notify downstream users or groups by emailing them with an optional note by selecting the Notification option. The email will also contain a link to the shared lakehouse. Alternatively, the users can discover the shared lakehouse in Data Hub.
Once sharing is completed, the users or groups get access immediately, and the users can start using the lakehouse. To modify or remove permissions, an Admin or Member of the workspace, can select “Manage permissions” next to the lakehouse, SQL endpoint, or default dataset names in the workspace view.
- In lakehouse permission management, you can add or remove ReadAll permission corresponding to the Read all Apache Spark option in the sharing dialog. You can also remove access from the user or group that will revoke access from the related SQL endpoint and default dataset.
- In SQL endpoint permission management, one can add or remove ReadData permission, as in sharing the Read all SQL endpoint data option.
- And finally, in default dataset permission management, you can add or remove Build permission that allows users to build Power BI reports on top of that dataset.
Note that modifying or revoking access changes can take up to two hours to sync. You’ll see changes in the permission management interface immediately, but it will take time for the backend and frontend to sync the changes.
To learn more about sharing, please check How lakehouse sharing works?