Microsoft Fabric Updates Blog

Secure Mirrored Azure Databricks Data in Fabric with OneLake security 

We’re excited to announce that OneLake security capabilities have been extended to support data mirrored through Mirrored Azure Databricks Catalog. This enhancement brings the full suite of OneLake’s enterprise-grade security features to these mirrored assets, empowering organizations to manage access using table, column, or row level security across all engines.

What’s New? 

With this update, Mirrored Azure Databricks Catalog items can now be enabled with OneLake security. Security at the table, column, or row level can be defined directly in each item, so access to the data mirrored into OneLake is controlled at a granular level and the data can be used securely by downstream consumers such as lakehouses, notebooks, or semantic models.

Getting started with OneLake security and Mirrored Azure Databricks Catalog 

Now, with this capability, you can map Unity Catalog (UC) policies to Microsoft OneLake security by following these steps: 

  1. Sync and Permission Entra Group in Unity Catalog: In Azure Databricks, use Automatic Identity Management to sync a Microsoft Entra ID group and grant it the necessary Unity Catalog privileges (e.g. USE, BROWSE, SELECT on the relevant catalog/tables).
  2. Mirror the Databricks Catalog in Fabric: Create a Mirrored Azure Databricks Catalog item in Microsoft Fabric, selecting the desired catalog and its schemas/tables. This action brings those tables into Fabric as OneLake shortcuts (virtual links to the data).
  3. Assign OneLake Data Access Role: In the Fabric workspace, create a data access role for the newly mirrored data. Add the same Entra group to this role and grant it read access to the OneLake shortcuts corresponding to the Azure Databricks tables.
  4. Unified Access in Both Systems: The Entra group now has matching permissions in OneLake as it does in Unity Catalog. In other words, the Unity Catalog policies have been mapped to OneLake security, providing consistent data access experiences across Databricks and Fabric.

Example: Suppose your NorthWindSalesTeam group has permission to use and select data in the NorthWind catalog in Unity Catalog. You would mirror the NorthWind catalog into Fabric, then create a OneLake data access role (e.g. ‘SalesReadAccess’) on the mirrored Sales data and add NorthWindSalesTeam to that role. As a result, the NorthWindSalesTeam can now find and query the NorthWind data in Fabric’s OneLake under the same access policy – they will only see and access the data they are allowed to, just as in Azure Databricks. This unified approach ensures that the UC policies are reflected in OneLake security, providing consistent data governance across both platforms. 

Figure: Select Manage OneLake Security for the Mirrored Azure Databricks Catalog item

Figure: Create and configure data access for the SalesReadAccess role

Figure: Add NorthWindSalesTeam to the role
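One way to check that the role from step 3 covers exactly the tables the group can read in Unity Catalog, as an added example that is not from the original post or from Microsoft or Databricks tooling. The grant and role records are constructed sample data in a hypothetical shape (not an export or API format), the table names beyond NorthWind are made up, and only explicit grants are modelled (ownership and ALL PRIVILEGES are ignored).

```python
# Constructed sample data for the NorthWindSalesTeam group (illustrative shapes only).
# Unity Catalog grants: (privilege, securable type, fully qualified securable name).
UC_GRANTS = [
    ("USE CATALOG", "catalog", "northwind"),
    ("BROWSE", "catalog", "northwind"),
    ("USE SCHEMA", "schema", "northwind.sales"),
    ("SELECT", "schema", "northwind.sales"),
    ("SELECT", "table", "northwind.hr.salaries"),  # no USE SCHEMA on northwind.hr
]
# Tables mirrored into Fabric, and tables the SalesReadAccess role grants read on.
MIRRORED_TABLES = {"sales.orders", "sales.customers", "sales.returns", "hr.salaries"}
ROLE_TABLES = {"sales.orders", "sales.customers", "hr.salaries"}


def _held(grants, privilege, *securables):
    """True if the privilege is granted on any of the named securables."""
    return any(p == privilege and name in securables for p, _kind, name in grants)


def uc_can_read(grants, table):
    """Effective read check for catalog.schema.table (names assumed dot-free).

    Reading a table needs USE CATALOG, USE SCHEMA and SELECT; a privilege
    granted on a parent securable is inherited by its children.
    """
    catalog, schema, _name = table.split(".")
    schema_fqn = f"{catalog}.{schema}"
    return (
        _held(grants, "USE CATALOG", catalog)
        and _held(grants, "USE SCHEMA", catalog, schema_fqn)
        and _held(grants, "SELECT", catalog, schema_fqn, table)
    )


def compare(grants, catalog, mirrored_tables, role_tables):
    """Report where the OneLake role and the Unity Catalog grants disagree."""
    uc_readable = {t for t in mirrored_tables if uc_can_read(grants, f"{catalog}.{t}")}
    return {
        # Readable through the OneLake role but not through Unity Catalog.
        "onelake_only": sorted(set(role_tables) - uc_readable),
        # Readable in Unity Catalog but missing from the OneLake role.
        "uc_only": sorted(uc_readable - set(role_tables)),
    }


if __name__ == "__main__":
    print(compare(UC_GRANTS, "northwind", MIRRORED_TABLES, ROLE_TABLES))
```

An entry under `onelake_only` means the role grants wider read access in Fabric than the group has in Azure Databricks; an entry under `uc_only` means the role is narrower than the Unity Catalog policy.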

Next steps 

This capability is available now in preview for table level security, and early access for row and column level security. You can get started with table level security right away by clicking ‘Manage OneLake security’ in the ribbon.  

To get started with row or column level security across all engines, sign up for early access to OneLake security.
