Microsoft Fabric Updates Blog

OneLake data access roles – Public Preview Announcement

The OneLake team is thrilled to announce the release of OneLake data access roles for lakehouse in public preview. Data access roles build upon the existing capabilities of OneLake’s security model to increase the granularity at which security can be applied within a Fabric data item. This feature adds an inheritable RBAC (role-based access control) model that simplifies user and permissions management for data in OneLake.

OneLake previously managed data access at the Fabric item level. Access to the OneLake data behind a Fabric item could be granted or removed for users or groups. Data access roles now allow for defining security roles that grant access to individual OneLake folders within a Fabric item. Granted access is inherited transparently by any newly added sub-folders. Role permissions and user/group assignments can be easily updated through a new folder security UX or through API calls. The security also extends to third-party access requests made through the OneLake APIs.

OneLake is the OneDrive for data, and its data access roles mirror the ease of use and scalability that OneDrive is known for. Permissions and role assignments are simple to understand: users have read access to a folder or they don’t. The permissions inherit to sub-folders and are discoverable by default, removing the need for traverse or execute permissions. Further, with 250 roles per lakehouse and hundreds of permissions per role, data security can be easily managed without worrying about folder security limits.

With these new capabilities, building out data architectures in Microsoft Fabric is now even easier. Data product teams can manage the fine-grained access to data resources for consumption from OneLake. This extends to shortcuts as well, reducing data copies and allowing the data owner to ensure the security and control of their data products.

OneLake data access roles for folders simplify access management for data stored in OneLake. See steps here to get started!

FAQ:

What is changing?

Previously, user access to OneLake relied on the Fabric “ReadAll” permission, which is included in some workspace roles or granted by sharing a lakehouse. For lakehouses with the OneLake data access roles preview enabled, access to OneLake does not rely on ReadAll and instead uses the RBAC role definitions to evaluate access.

Will my existing users lose access?

No, all users with ReadAll access to OneLake today will be added to a default data access role with equivalent access.

I previously granted OneLake access through the artifact share dialog, how do I grant access in the new system?

The previous approach granted access to all data in the artifact. You can continue to share the lakehouse with users like you did previously. However, in order for them to see the data in OneLake, you will go to the lakehouse, open the data access roles experience and create a role to grant the user access to the specific folders you want them to have. You can still create a role to grant users access to all items in a lakehouse.

How does this impact SQL Endpoint?

No changes. SQL Endpoint accesses lakehouse data through a fixed identity that has admin access. This means the SQL Endpoint security is separate from OneLake and controlled through SQL roles and permissions. Users that want to have access to the OneLake folders underpinning the tables can be given access through the new data access roles experience instead of through the ReadAll permission.

Is ReadAll going away?

No, ReadAll stays in Fabric and can be configured through sharing or the manage permissions page on a data item. For lakehouses with OneLake data access roles enabled, ReadAll becomes a proxy permission and does not grant access to OneLake data unless the data access roles are configured to leverage the ReadAll permission.

Is this OneSecurity?

No, the features announced as OneSecurity (currently called OneLake security for all workloads) are still in active development and you can track their progress on the public roadmap here. OneLake data access roles is an iterative feature that enables granular access control for OneLake access only; it does not apply to all workloads.
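The access evaluation described in the FAQ, sketched as a small Python model. This is an added example, not Fabric code or the OneLake API: the `Role` class, `can_read`, the user names, folder paths and role names are all constructed for illustration. Matching on whole path segments and normalising `..` are assumptions about how a folder grant should be checked, not documented Fabric behaviour.

```python
from dataclasses import dataclass, field
from posixpath import normpath

@dataclass
class Role:
    name: str
    folders: set                                # folders the role grants read on
    members: set = field(default_factory=set)   # explicitly assigned users/groups
    include_readall: bool = False               # also admit holders of Fabric ReadAll

def _under(path, folder):
    """True if path is the folder itself or any current or future sub-folder."""
    path = normpath("/" + path.strip("/"))      # collapses "..", so it cannot escape
    folder = normpath("/" + folder.strip("/"))
    return folder == "/" or path == folder or path.startswith(folder + "/")

def can_read(user, path, roles, readall_holders, roles_enabled=True):
    """Read decision for one OneLake path in one lakehouse (model only)."""
    if not roles_enabled:                       # before the preview: ReadAll decides
        return user in readall_holders
    for role in roles:                          # with the preview: only roles decide
        admitted = user in role.members or (
            role.include_readall and user in readall_holders)
        if admitted and any(_under(path, f) for f in role.folders):
            return True
    return False

# Constructed sample data: alice holds ReadAll; bob only had the lakehouse shared.
READALL = {"alice"}
DEFAULT = Role("default", {"/"}, include_readall=True)   # keeps existing users' access
SALES = Role("sales_readers", {"Tables/sales"}, members={"bob"})

def demo():
    roles = [DEFAULT, SALES]
    return {
        "alice_keeps_access": can_read("alice", "Files/raw", roles, READALL),
        "bob_inherits_subfolder": can_read("bob", "Tables/sales/2024", roles, READALL),
        "bob_sibling_prefix": can_read("bob", "Tables/sales_private", roles, READALL),
        "bob_dotdot": can_read("bob", "Tables/sales/../hr", roles, READALL),
        "alice_without_default": can_read("alice", "Files/raw", [SALES], READALL),
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```

The last check is the one to review when tightening a lakehouse: once no role is configured to use ReadAll, holding ReadAll alone no longer grants access to OneLake data in this model.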
