Microsoft Fabric Updates Blog

OneLake data access roles – Public Preview Announcement

The OneLake team is thrilled to announce the release of OneLake data access roles for lakehouse in public preview. Data access roles build upon the existing capabilities of OneLake’s security model to increase the granularity at which security can be applied within a Fabric data item. This feature adds an inheritable RBAC (role-based access control) model that simplifies user and permissions management for data in OneLake.

OneLake previously managed data access at the Fabric item level: access to the OneLake data behind a Fabric item could be granted to, or removed from, users or groups, but only for the item as a whole. Data access roles let you define security roles that grant read access to individual OneLake folders within a Fabric item. The granted access inherits transparently to sub-folders, including ones added later. Role permissions and user/group assignments can be updated through a new folder security UX or through API calls, and the same checks apply to third-party access requests made through the OneLake APIs.

As the OneDrive for data, data access roles in OneLake mirror the ease of use and scalability that OneDrive is known for. Permissions and role assignments are simple to understand: users either have read access to a folder or they don't. Permissions inherit to sub-folders and folders are discoverable by default, which removes the need for separate traverse or execute permissions on parent folders. Each lakehouse supports up to 250 roles, and each role hundreds of permissions, so folder security limits are rarely a practical constraint.

With these new capabilities, building out data architectures in Microsoft Fabric is now even easier. Data product teams can manage the fine-grained access to data resources for consumption from OneLake. This extends to shortcuts as well, reducing data copies and allowing the data owner to ensure the security and control of their data products.

OneLake data access roles for folders simplify access management for data stored in OneLake. See the getting-started steps to try it.

FAQ:

What is changing?

Previously, user access to OneLake data relied on the Fabric "ReadAll" permission, which is included in some workspace roles or granted by sharing a lakehouse. For lakehouses with the OneLake data access roles preview enabled, OneLake no longer consults ReadAll; it evaluates access against the RBAC role definitions instead.

Will my existing users lose access?

No. All users who have ReadAll access to OneLake today are added to a default data access role with equivalent access. Because that default role grants read on the whole lakehouse, review its membership after enabling the preview and narrow it if blanket access is not what you intend.

I previously granted OneLake access through the artifact share dialog, how do I grant access in the new system?

The previous approach granted access to all data in the artifact. You can continue to share the lakehouse with users as before. However, for them to see the data in OneLake, open the lakehouse, go to the data access roles experience and create a role that grants the user access to the specific folders you want them to have. You can still create a role that grants users access to all items in a lakehouse.

How does this impact SQL Endpoint?

No changes. The SQL Endpoint accesses lakehouse data through a fixed identity that has admin access, so SQL Endpoint security is separate from OneLake and is controlled through SQL roles and permissions. Data access roles therefore do not restrict what a user can query through the SQL Endpoint; table-level restrictions there must still be configured with SQL roles and permissions. Users who need access to the OneLake folders underpinning the tables can be granted it through the new data access roles experience instead of through the ReadAll permission.

Is ReadAll going away?

No. ReadAll stays in Fabric and can still be configured through sharing or the manage permissions page on a data item. For lakehouses with OneLake data access roles enabled, ReadAll becomes a proxy permission: it does not grant access to OneLake data unless a data access role is configured to include the holders of the ReadAll permission.

Is this OneSecurity?

No. The features announced as OneSecurity (currently called OneLake security for all workloads) are still in active development, and you can track their progress on the public roadmap. OneLake data access roles is an iterative feature that enables granular access control for OneLake access only; it does not apply to all workloads.
