Please enter your information to subscribe to the Microsoft Fabric Blog.

Thanks for subscribing to the Microsoft Fabric Blog. You’ll receive email notifications when we publish new posts.

Microsoft Fabric Updates Blog

  1. Updates
  2. Uncategorized

OneLake data access roles APIs announcement

Following the release of OneLake data access roles in public preview, the OneLake team is excited to announce the availability of APIs for managing data access roles. These APIs can be used to programmatically manage granular data access for your lakehouses. Manage all aspects of role management such as creating new roles, editing existing ones, or changing memberships in a programmatic way. Check out the API reference to learn more.

Let’s look at an example of adding a new role using the APIs.

The dataAccessRoles API gets and sets the role definitions for a lakehouse in bulk. To start, we want to fetch the existing role definitions for our lakehouse.

The API follows the structure of:

https://api.fabric.microsoft.com/v1/workspaces/{workspace_id}/items/{item_id}/dataAccessRoles

Where {workspace_id} is the ID of your workspace, and {item_id} is the ID of the lakehouse you are defining permissions for. Once updated the final call looks like:

GET https://api.fabric.microsoft.com/v1/workspaces/355b7f70-d3ce-4b1a-8630-5adf8b8df355/items/d753e987-5645-45b6-9f01-b248a367fabd/dataAccessRoles

After calling this API we get the role definition below:

{
    "value": [
        {
            "name": "DefaultReader",
            "id": "dfb20430-869a-4ace-a442-b633f43f90af",
            "kind": "Policy",
            "decisionRules": [
                {
                    "effect": "Permit",
                    "permission": [
                        {
                            "attributeName": "Path",
                            "attributeValueIncludedIn": [
                                "*"
                            ]
                        },
                        {
                            "attributeName": "Action",
                            "attributeValueIncludedIn": [
                                "Read"
                            ]
                        }
                    ]
                }
            ],
            "members": {
                "microsoftEntraMembers": [],
                "fabricItemMembers": [
                    {
                        "sourcePath": "355b7f70-d3ce-4b1a-8630-5adf8b8df355/d753e987-5645-45b6-9f01-b248a367fabd",
                        "itemAccess": [
                            "ReadAll"
                        ]
                    }
                ]
            }
        }
    ]
}

We can then add a new role called MarketingReader that grants users access to only the marketing table in my lakehouse.

First, let’s copy the role definition for the existing role and then make the required updates.

We want the new role to be called MarketingReader, so we make that change to the name property for the new role. Next, we only want to grant access to the marketing table, so we replace the * (which gives root level access) with the path to our table. This array can take multiple string values if you want to grant access to multiple tables from a single role.

Lastly, we want to configure the members for this new role. The defaultReader role uses dynamic role membership through the fabricItemMembers block of code. Instead, we want to give a Microsoft Entra group access to this role. To do this, we remove the fabricItemMembers block, and add a new user object to the microsoftEntraMembers array. All that’s needed is to provide the tenantId and objectId for the user or group. You can look up this information using the Microsoft Graph APIs.

With our changes complete, we now have the finalized code below.

{
    "value": [
        {
            "name": "DefaultReader",
            "id": "dfb20430-869a-4ace-a442-b633f43f90af",
            "kind": "Policy",
            "decisionRules": [
                {
                    "effect": "Permit",
                    "permission": [
                        {
                            "attributeName": "Path",
                            "attributeValueIncludedIn": [
                                "*"
                            ]
                        },
                        {
                            "attributeName": "Action",
                            "attributeValueIncludedIn": [
                                "Read"
                            ]
                        }
                    ]
                }
            ],
            "members": {
                "microsoftEntraMembers": [],
                "fabricItemMembers": [
                    {
                        "sourcePath": "355b7f70-d3ce-4b1a-8630-5adf8b8df355/d753e987-5645-45b6-9f01-b248a367fabd",
                        "itemAccess": [
                            "ReadAll"
                        ]
                    }
                ]
            }
        },
        {
            "name": "MarketingReader",
            "kind": "Policy",
            "decisionRules": [
                {
                    "effect": "Permit",
                    "permission": [
                        {
                            "attributeName": "Path",
                            "attributeValueIncludedIn": [
                                "/Tables/marketing"
                            ]
                        },
                        {
                            "attributeName": "Action",
                            "attributeValueIncludedIn": [
                                "Read"
                            ]
                        }
                    ]
                }
            ],
            "members": {
                "microsoftEntraMembers": [
                    {
                        "tenantId": "fef5ca5f-150b-4270-9c4b-55e103545490",
                        "objectId": "c3ddc490-8b9f-47c5-a6d9-a686ce64b424"
                    }
                ],
                "fabricItemMembers": []
            }
        }
    ]
}

We can then PUT the payload back to our lakehouse, updating the existing role definitions to match the ones specified in the API call.

PUT https://api.fabric.microsoft.com/v1/workspaces/355b7f70-d3ce-4b1a-8630-5adf8b8df355/items/d753e987-5645-45b6-9f01-b248a367fabd/dataAccessRoles

We have now updated our role definitions and our marketing users can start accessing the marketing table in the lakehouse.

A screenshot of a computer Description automatically generated

Check out the links below for more information on OneLake data access roles and thanks for reading!

Related blog posts

OneLake data access roles APIs announcement

Blog's featured image

Solved Fabric Community posts are now available in the Fabric Help Pane
June 12, 2024 by Denyse Niwenshuti

The Fabric Help Pane provides Fabric users with a fast and efficient way to access self-help content, allowing them to resolve issues independently or direct them to create a support ticket if further help is required. Following its launch last year, we’ve heard your feedback to improve the relevance of our self-help resources. We are … Continue reading “Solved Fabric Community posts are now available in the Fabric Help Pane”

Read more
Blog's featured image

Visualize and Explore Data with Real-Time Dashboards
June 3, 2024 by Michal Bar

In today’s data-driven world, the ability to quickly explore, analyze, and derive insights from fresh, high granularity data is paramount. With the ever-increasing volume and complexity of data, organizations need powerful tools that not only streamline data exploration but also provide real-time insights. That’s why we’re thrilled to announce the public preview of Real-Time Dashboards, … Continue reading “Visualize and Explore Data with Real-Time Dashboards”

Read more