Microsoft Fabric Updates Blog

Fine-grained ReadWrite access to data with OneLake security (Preview)

Introduction to ReadWrite access

Support for ReadWrite access controls within lakehouse items is a powerful new capability, now available in preview. This enhancement gives data owners the ability to grant precise write permissions to users—without requiring elevated workspace roles like Admin or Member. With ReadWrite access, workspace viewers or users with only Read access can now write data to specific tables and folders in a lakehouse, while remaining restricted from creating or managing Fabric items. This is a major step forward in enabling secure, collaborative workflows that align with the principle of least privilege.

Previously, write access in OneLake was tied to Fabric workspace roles, meaning that anyone who needed to write data also had broad permissions to manage artifacts. With the introduction of ReadWrite permissions in OneLake security, organizations can now decouple data write access from control-plane permissions, allowing for more nuanced and secure access patterns.

ReadWrite access enables users to perform all OneLake write operations—including uploading, deleting, renaming, and editing files—through Spark notebooks, the OneLakeFileExplorer, or OneLake APIs. The permission also supports shortcut CRUD operations, making it easier to democratize data without creating copies. Write operations through the Lakehouse UX for viewers are not supported at this time but will be coming later.

Example scenario

Let’s review an example architecture for using ReadWrite permissions with OneLake security. A company has a central lakehouse it uses to store both structured and unstructured data. Part of the data processing requires users to upload loan applications to the lakehouse so they can be processed via an AI agent. Another set of users needs to use Spark notebooks to create new tables in the lakehouse based on the application data that the agent outputs to the Processed folder. Thanks to the ReadWrite permission, this is now easily doable!

The admin for the lakehouse starts by creating a OneLake security role. They select ReadWrite as the role's permission and then choose the Applications folder for a specific bank branch. Next, they add the branch managers to the role, granting them the associated permissions. Using OneLake file explorer, the branch managers can now upload the necessary documents to this specific folder. However, they cannot upload data to any other location in the lakehouse.

Further, the shared CityLoans table can be managed through a separate Read role and even have RLS applied so that each branch manager can only see rows for their specific branch. The branch managers now have a mix of Read and ReadWrite access to the lakehouse in order to perform their jobs.
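The mix of Read and ReadWrite roles in this scenario can be written down as an intended access matrix and checked against the role definitions before they are rolled out. The following Python model is an added example, not Microsoft's code and not OneLake's enforcement logic; the role names, user names, folder layout, and the rules that grants are unioned across roles and that ReadWrite includes Read are assumptions.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Role:
    name: str
    permission: str        # "Read" or "ReadWrite"
    paths: tuple           # folders or tables the role is scoped to
    members: frozenset

# Constructed roles mirroring the scenario; every name and path is hypothetical.
MANAGER, ANALYST = "manager@contoso.example", "analyst@contoso.example"
ROLES = [
    Role("BranchApplicationsWriter", "ReadWrite",
         ("Files/Applications/Branch042",), frozenset({MANAGER})),
    Role("CityLoansReader", "Read",
         ("Tables/CityLoans",), frozenset({MANAGER, ANALYST})),
]

def _segments(path):
    parts = PurePosixPath(path).parts
    if ".." in parts:
        raise ValueError(f"path traversal rejected: {path!r}")
    return parts

def _covers(scope, target):
    # Compare whole segments so Branch042 does not also match Branch0420.
    s, t = _segments(scope), _segments(target)
    return t[:len(s)] == s

def effective_access(user, path, roles=ROLES):
    """Union of grants from every role the user belongs to (modeling assumption)."""
    granted = set()
    for role in roles:
        if user in role.members and any(_covers(p, path) for p in role.paths):
            granted.add("Read")            # assumed: ReadWrite includes Read
            if role.permission == "ReadWrite":
                granted.add("Write")
    return granted

def audit(expected, roles=ROLES):
    """Return (user, path, expected, actual) for each cell that drifted."""
    return [(u, p, want, got) for (u, p), want in expected.items()
            if (got := effective_access(u, p, roles)) != want]

# Intended access matrix for the scenario (constructed).
EXPECTED = {
    (MANAGER, "Files/Applications/Branch042/loan-001.pdf"): {"Read", "Write"},
    (MANAGER, "Files/Applications/Branch0420/loan-001.pdf"): set(),
    (MANAGER, "Files/Processed/loan-001.json"): set(),
    (MANAGER, "Tables/CityLoans"): {"Read"},
    (ANALYST, "Files/Applications/Branch042/loan-001.pdf"): set(),
}
```

Running `audit(EXPECTED)` against a proposed set of roles returns an empty list when the roles match the intended matrix, and lists each path where a role is scoped more broadly or narrowly than planned.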

This powerful new capability is available to try today in preview!

Learn More

Refer to the OneLake security overview documentation to learn more.
