Microsoft Fabric Updates Blog

Lakehouse Sharing and Access Permission Management

Microsoft Fabric now has even more capabilities for organizations to embrace data democratization. An Admin or Member within a workspace can share a lakehouse with another recipient.

To drive collaboration, an Admin or Member could add a user or group from the tenant’s AAD to a workspace with a selected role before sharing feature was available. That granted the user or group access with corresponding permissions to all items in the workspace. But it didn’t allow them to give access just to a single thing, like a lakehouse, without exposing the rest of the workspace content.

Today with sharing capability, downstream users can access a selected lakehouse and discover it through Data Hub. For a full lakehouse experience, the user can access the corresponding SQL Endpoint and default dataset. Note that permissions received through sharing will always be Read only. You can’t grant Write permissions using sharing feature.

When sharing, you can select different options that will define permissions for consumption:

  • No additional permissions selected – this will allow a user to discover the lakehouse but access data only using SQL endpoint or default dataset with granular T-SQL GRANT access provided. That could be useful if only selected tables should be accessible for a user to use as data input, for example, as a source in dataflows.
  • Read all SQL endpoint data – like above – that allows access to data only using SQL endpoint or default dataset. But it provides “ReadData” permission to read all Delta tables without setting object-level security using T-SQL GRANT.
  • Read all Apache Spark – this provides access to all data in the lakehouse using Apache Spark. The user can access both tables and files using Lakehouse Explorer or Spark code in Notebooks. This option will give full read access to Lakehouse content without exposing the rest of the workspace items.
  • Build reports on the default dataset – allows users to build Power BI on top of the default dataset that references all tables accessible through SQL endpoint.

You can notify downstream users or groups by emailing them with an optional note by selecting the Notification option. The email will also contain a link to the shared lakehouse. Alternatively, the users can discover the shared lakehouse in Data Hub.

Once sharing is completed, the users or groups get access immediately, and the users can start using the lakehouse. To modify or remove permissions, an Admin or Member of the workspace, can select “Manage permissions” next to the lakehouse, SQL endpoint, or default dataset names in the workspace view.

  • In lakehouse permission management, you can add or remove ReadAll permission corresponding to the Read all Apache Spark option in the sharing dialog. You can also remove access from the user or group that will revoke access from the related SQL endpoint and default dataset.
  • In SQL endpoint permission management, one can add or remove ReadData permission, as in sharing the Read all SQL endpoint data option.
  • And finally, in default dataset permission management, you can add or remove Build permission that allows users to build Power BI reports on top of that dataset.

Note that modifying or revoking access changes can take up to two hours to sync. You’ll see changes in the permission management interface immediately, but it will take time for the backend and frontend to sync the changes.

To learn more about sharing, please check How lakehouse sharing works?

Related blog posts

Lakehouse Sharing and Access Permission Management

August 28, 2024 by Adi Eldar

Anomaly Detector, one of Azure AI services, enables you to monitor and detect anomalies in your time series data. This service is based on advanced algorithms, SR-CNN for univariate analysis and MTAD-GAT for multivariate analysis and is being retired by October 2026. In this blog post we will lay out a migration strategy to Microsoft Fabric, allowing … Continue reading “Advanced Time Series Anomaly Detector in Fabric”

August 26, 2024 by Anu Venkataraman

Problem Statement In the previous blog on Profiling Microsoft Fabric Spark Notebooks with Sparklens, we covered how to run Sparklens to profile and tune the performance of your spark notebooks in Microsoft Fabric. In that blog, we used a custom Sparklens JAR. The Sparklens JARs available in the Maven Central repo supports only the Spark … Continue reading “Building a Custom Sparklens JAR for Microsoft Fabric”