Microsoft Fabric Updates Blog

OneLake data access roles – Public Preview Announcement

The OneLake team is thrilled to announce the release of OneLake data access roles for lakehouses in public preview. Data access roles build upon the existing capabilities of OneLake’s security model to increase the granularity at which security can be applied within a Fabric data item. This feature adds an inheritable RBAC (role-based access control) model that simplifies user and permissions management for data in OneLake.

OneLake previously managed data access at the Fabric item level: access to the OneLake data behind a Fabric item could be granted or removed for users or groups. Data access roles now allow you to define security roles that grant access to individual OneLake folders within a Fabric item. Granted access transparently inherits to any newly added sub-folders. Role permissions and user/group assignments can be updated through a new folder security UX or through API calls. The security also applies to third-party access requests made through the OneLake APIs.

As the OneDrive for data, OneLake’s data access roles mirror the ease of use and scalability that OneDrive is known for. Permissions and role assignments are simple to understand: users either have read access to a folder or they don’t. Permissions inherit to sub-folders, and folders are discoverable by default, removing the need for traverse or execute permissions. Further, with 250 roles per lakehouse and hundreds of permissions per role, data security can be managed without worrying about folder security limits.
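The following is an added illustration (not Microsoft’s code or the OneLake API) of the access model described above: a role assigns users or groups read access to folders, the grant inherits to sub-folders, parent folders stay discoverable without a traverse permission, and the ReadAll migration becomes a role on the item root. The principal, group and role names, the “DefaultReader” role name and the read/list split are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

MAX_ROLES_PER_LAKEHOUSE = 250  # limit stated in the announcement


def _parts(path: str) -> List[str]:
    """Split a OneLake folder path into components; "/" is the item root."""
    return [p for p in path.strip("/").split("/") if p]


def _covers(folder: str, path: str) -> bool:
    """True when `folder` is `path` itself or one of its ancestors (inheritance)."""
    f, p = _parts(folder), _parts(path)
    return p[: len(f)] == f


@dataclass(frozen=True)
class DataAccessRole:
    name: str
    members: FrozenSet[str]  # users or groups assigned to the role
    folders: FrozenSet[str]  # folders the role grants read access to


@dataclass
class Lakehouse:
    roles: List[DataAccessRole] = field(default_factory=list)
    groups: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # group -> users

    def add_role(self, role: DataAccessRole) -> None:
        if len(self.roles) >= MAX_ROLES_PER_LAKEHOUSE:
            raise ValueError("role limit per lakehouse reached")
        self.roles.append(role)

    def _principals(self, user: str) -> FrozenSet[str]:
        return frozenset({user} | {g for g, users in self.groups.items() if user in users})

    def _granted_folders(self, user: str) -> FrozenSet[str]:
        ids = self._principals(user)
        return frozenset(f for r in self.roles if r.members & ids for f in r.folders)

    def can_read(self, user: str, path: str) -> bool:
        """Read is allowed only via an explicit grant on the path or an ancestor."""
        return any(_covers(f, path) for f in self._granted_folders(user))

    def can_list(self, user: str, path: str) -> bool:
        """Assumed semantics: folders on the way down to a grant are discoverable."""
        return any(_covers(f, path) or _covers(path, f) for f in self._granted_folders(user))


def default_role_from_readall(readall_holders: FrozenSet[str]) -> DataAccessRole:
    """Role equivalent to the old ReadAll: everything under the item root (name assumed)."""
    return DataAccessRole("DefaultReader", readall_holders, frozenset({"/"}))
```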

With these new capabilities, building out data architectures in Microsoft Fabric is now even easier. Data product teams can manage the fine-grained access to data resources for consumption from OneLake. This extends to shortcuts as well, reducing data copies and allowing the data owner to ensure the security and control of their data products.

OneLake data access roles for folders simplify access management for data stored in OneLake. See the steps here to get started!

FAQ:

What is changing?

User access to OneLake previously relied on the Fabric “ReadAll” permission, included in some workspace roles or granted by sharing a lakehouse. For lakehouses with the OneLake data access roles preview enabled, access to OneLake does not rely on ReadAll and instead uses the RBAC role definitions to evaluate access.

Will my existing users lose access?

No, all users with ReadAll access to OneLake today will be added to a default data access role with equivalent access.

I previously granted OneLake access through the artifact share dialog; how do I grant access in the new system?

The previous approach granted access to all data in the artifact. You can continue to share the lakehouse with users as you did previously. However, for them to see the data in OneLake, go to the lakehouse, open the data access roles experience and create a role that grants the user access to the specific folders you want them to have. You can still create a role that grants users access to all items in a lakehouse.

How does this impact SQL Endpoint?

No changes. The SQL Endpoint accesses lakehouse data through a fixed identity that has admin access, so SQL Endpoint security is separate from OneLake and is controlled through SQL roles and permissions. Users who want access to the OneLake folders underpinning the tables can be given it through the new data access roles experience instead of through the ReadAll permission.

Is ReadAll going away?

No, ReadAll stays in Fabric and can be configured through sharing or the manage permissions page on a data item. For lakehouses with OneLake data access roles enabled, ReadAll becomes a proxy permission and does not grant access to OneLake data unless the data access roles are configured to leverage the ReadAll permission.

Is this OneSecurity?

No. The features announced as OneSecurity (currently called OneLake security for all workloads) are still in active development, and you can track their progress on the public roadmap here. OneLake data access roles is an iterative feature that enables granular access control for OneLake access only; it does not apply to all workloads.


April 25, 2024 by Josh Caplan