Microsoft Fabric Updates Blog

Understanding OneLake Security with Shortcuts

OneLake allows for security to be defined once and enforced consistently across Microsoft Fabric. One of its standout features is its ability to work seamlessly with shortcuts, offering users the flexibility to access and organize data from different locations while maintaining robust security controls. In this blog post, we will look at how OneLake security is integrated with shortcuts, explain the distinction between passthrough and delegated auth modes for shortcuts, and look at an example use case.

OneLake Shortcuts: An Overview

Shortcuts in OneLake serve as virtual pointers to data stored in other locations, whether within Fabric or on external platforms such as ADLS or AWS S3. Instead of duplicating data, shortcuts let users access it in place, optimizing storage and reducing redundancy. However, shortcuts introduce unique considerations when it comes to security. First, let’s examine the two main auth models of OneLake shortcuts, passthrough and delegated, and how OneLake security applies to each.

Passthrough Shortcuts

OneLake to OneLake shortcuts use the passthrough auth model. In this model, the shortcut accesses data in the target location by ‘passing’ the user’s identity to the target system. This ensures that any user accessing the shortcut can only see what they already have access to in the target. In this sense, the security defined on the target ‘flows across’ the shortcut and restricts access in the lakehouse that contains the shortcut.

With OneLake to OneLake shortcuts, only passthrough mode is supported. This design ensures that the source system retains full control over its data. Organizations benefit from enhanced security because there’s no need to replicate or redefine access controls for the shortcut. The simplicity of passthrough shortcuts also reduces administrative overhead since security policies only need to be maintained in one place.

However, it’s important to understand that security for OneLake shortcuts cannot be modified directly from the downstream item. Any changes to access permissions must be made at the source location. This reinforces the principle that the source remains the single point of truth for access control, ensuring consistency and minimizing the risk of misconfiguration.

Delegated Shortcuts

Many different types of shortcuts use the delegated auth mode. These shortcuts access data by using some intermediate credential, such as another user or an account key. These shortcuts allow for permission management to be separated or ‘delegated’ to another team or downstream user to manage. Delegated shortcuts always break the flow of security from one system to another. Because the security is essentially reset, all delegated shortcuts in OneLake can have OneLake security roles defined for them.

All shortcuts from OneLake to external systems like AWS S3 or Google Cloud Storage are delegated. This allows users to connect to the external system without being given direct access. OneLake security can then be configured on the shortcut to limit what data in the external system can be accessed.

Common Patterns for Using OneLake Security with Shortcuts

Shortcuts in OneLake can be leveraged in various ways to create efficient and secure data architectures. Let’s look at two common approaches for how shortcuts can be combined with OneLake security.

Hub-and-Spoke Model

The hub-and-spoke model is a powerful organizational approach for managing data access across multiple teams or departments. Here’s how it works:

  • Hub: the central data repository where core datasets are stored. Security policies are meticulously defined to ensure robust control.
  • Spokes: individual teams or departments access the hub’s data through shortcuts.
  • Advantages: this model enables centralized governance while allowing decentralized consumption and use of data.

In this setup, OneLake to OneLake shortcuts are ideal for ensuring the hub retains control over sensitive or regulated data. Each downstream team can then only consume the data they are allowed to, but maintain freedom to create their own reports or combine the hub data with other data that they own.

Consolidating data across clouds

Organizations can use delegated shortcuts to securely centralize data across clouds without copying it. In this model, data that already exists in various cloud storage accounts is consolidated in OneLake through delegated shortcuts. A new lakehouse is created as the consolidation point, and each external data source is connected via a delegated shortcut.

Once the shortcuts are created, the admin can define OneLake security roles to govern access. This can be done with row- or column-level security, or simply by granting access to entire schemas or shortcuts. Because the shortcut is delegated, no user has direct access to the external data. Instead, users are limited to only what the admin allows through OneLake security.

Once the data is consolidated, it can be combined with the hub-and-spoke model to create a composite architecture that keeps both upstream and downstream data safe.
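To make the difference between the two auth modes concrete, here is a small Python model of how effective access is computed through a shortcut. It is an added illustration written for this post, not Fabric code and not the OneLake API: the `Target`, `Shortcut` and `OneLakeRole` classes, the user and table names, and the role semantics (a row is visible if any of the user’s roles admits it, and visible columns are the union of those roles’ column sets) are all assumptions made for the example. It shows a passthrough shortcut deferring entirely to the target’s own access list, rejecting an attempt to attach a role downstream, and a delegated shortcut to an S3-style target where the shortcut’s own credential reaches the data and the OneLake roles decide what each user sees.

```python
"""Toy model of access through OneLake shortcuts (constructed example,
not Fabric code). Illustrates passthrough vs delegated auth modes."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Target:
    """Data reachable through a shortcut (a lakehouse table, an S3 prefix, ...)."""
    name: str
    rows: list[dict]
    readers: set[str]  # principals the target itself allows to read (assumed ACL)


@dataclass
class OneLakeRole:
    """Simplified stand-in for a OneLake security role on a delegated shortcut."""
    name: str
    members: set[str]
    columns: Optional[set[str]] = None                    # None = all columns
    row_filter: Optional[Callable[[dict], bool]] = None   # None = all rows


@dataclass
class Shortcut:
    name: str
    target: Target
    mode: str                                  # "passthrough" or "delegated"
    delegated_identity: Optional[str] = None   # credential used in delegated mode
    roles: list[OneLakeRole] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("passthrough", "delegated"):
            raise ValueError(f"unknown auth mode {self.mode!r}")
        if self.mode == "delegated" and self.delegated_identity is None:
            raise ValueError("a delegated shortcut needs an intermediate credential")


def define_role(shortcut: Shortcut, role: OneLakeRole) -> None:
    """Roles attach only to delegated shortcuts; passthrough access is
    governed at the source and cannot be changed from the downstream item."""
    if shortcut.mode != "delegated":
        raise ValueError(f"{shortcut.name}: change security at the source, not on the shortcut")
    shortcut.roles.append(role)


def read(shortcut: Shortcut, user: str) -> list[dict]:
    """Return the rows (and columns) `user` can see through `shortcut`."""
    target = shortcut.target
    if shortcut.mode == "passthrough":
        # The user's own identity is presented to the target, so the target's ACL decides.
        if user not in target.readers:
            raise PermissionError(f"{user} has no access to {target.name}")
        return [dict(r) for r in target.rows]

    # Delegated: the shortcut authenticates with its own credential, then the
    # OneLake roles defined on the shortcut decide what the user sees.
    if shortcut.delegated_identity not in target.readers:
        raise PermissionError(f"credential {shortcut.delegated_identity} cannot read {target.name}")
    granted = [r for r in shortcut.roles if user in r.members]
    if not granted:
        raise PermissionError(f"{user} is in no OneLake role on {shortcut.name}")
    visible = []
    for row in target.rows:
        admitting = [r for r in granted if r.row_filter is None or r.row_filter(row)]
        if not admitting:
            continue  # no role of this user admits the row
        if any(r.columns is None for r in admitting):
            cols = set(row)
        else:
            cols = set().union(*(r.columns for r in admitting))
        visible.append({k: v for k, v in row.items() if k in cols})
    return visible


# --- constructed sample scenario (all names made up) -------------------------
SALES = Target("hub_lakehouse.sales", rows=[
    {"region": "EMEA", "customer": "C-1", "amount": 120},
    {"region": "APAC", "customer": "C-2", "amount": 300},
], readers={"alice"})

S3_CLICKS = Target("s3://clickstream", rows=[
    {"region": "EMEA", "user_id": "u9", "amount": 5},
    {"region": "APAC", "user_id": "u3", "amount": 7},
], readers={"svc-fabric-s3"})  # only the service credential can read the bucket

hub_shortcut = Shortcut("sales_sc", SALES, "passthrough")
clicks_shortcut = Shortcut("clicks_sc", S3_CLICKS, "delegated", delegated_identity="svc-fabric-s3")
define_role(clicks_shortcut, OneLakeRole(
    "emea_analysts", {"bob"},
    columns={"region", "amount"},                 # column-level security
    row_filter=lambda r: r["region"] == "EMEA"))  # row-level security


def demo() -> dict:
    """Run the scenario; denials are returned as 'denied: ...' strings."""
    def attempt(fn, *args):
        try:
            return fn(*args)
        except (PermissionError, ValueError) as e:
            return f"denied: {e}"
    return {
        "alice_via_hub": attempt(read, hub_shortcut, "alice"),
        "bob_via_hub": attempt(read, hub_shortcut, "bob"),
        "role_on_passthrough": attempt(define_role, hub_shortcut, OneLakeRole("x", {"bob"})),
        "bob_via_clicks": attempt(read, clicks_shortcut, "bob"),
        "alice_via_clicks": attempt(read, clicks_shortcut, "alice"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The two denials are the security-relevant points: `bob` cannot read through the passthrough shortcut because the hub never granted him access, and `alice` cannot read the S3 data through the delegated shortcut even though the shortcut’s credential can, because no OneLake role on the shortcut includes her. Nobody other than the service credential ever touches the bucket directly.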

Conclusion

OneLake security with shortcuts offers a dynamic and secure way to manage data access across diverse organizational structures. By understanding the distinction between passthrough and delegated auth modes for shortcuts, users can define and implement security in an optimal way.

To get started with OneLake security, sign up for an early access preview.

You can learn more about OneLake shortcuts in the OneLake shortcuts documentation.

July 16, 2025 by George Guirguis