請輸入您的資訊以訂閱 Microsoft Fabric 部落格。

感謝訂閱 Microsoft Fabric 部落格。當我們發佈新文章時,您會收到電子郵件通知。

Microsoft Fabric Updates Blog

  1. 更新
  2. All

OneLake data access roles APIs announcement

Following the release of OneLake data access roles in public preview, the OneLake team is excited to announce the availability of APIs for managing data access roles. These APIs can be used to programmatically manage granular data access for your lakehouses. Manage all aspects of role management such as creating new roles, editing existing ones, or changing memberships in a programmatic way. Check out the API reference to learn more.

Let’s look at an example of adding a new role using the APIs.

The dataAccessRoles API gets and sets the role definitions for a lakehouse in bulk. To start, we want to fetch the existing role definitions for our lakehouse.

The API follows the structure of:

https://api.fabric.microsoft.com/v1/workspaces/{workspace_id}/items/{item_id}/dataAccessRoles

Where {workspace_id} is the ID of your workspace, and {item_id} is the ID of the lakehouse you are defining permissions for. Once updated the final call looks like:

GET https://api.fabric.microsoft.com/v1/workspaces/355b7f70-d3ce-4b1a-8630-5adf8b8df355/items/d753e987-5645-45b6-9f01-b248a367fabd/dataAccessRoles

After calling this API we get the role definition below:

{
    "value": [
        {
            "name": "DefaultReader",
            "id": "dfb20430-869a-4ace-a442-b633f43f90af",
            "kind": "Policy",
            "decisionRules": [
                {
                    "effect": "Permit",
                    "permission": [
                        {
                            "attributeName": "Path",
                            "attributeValueIncludedIn": [
                                "*"
                            ]
                        },
                        {
                            "attributeName": "Action",
                            "attributeValueIncludedIn": [
                                "Read"
                            ]
                        }
                    ]
                }
            ],
            "members": {
                "microsoftEntraMembers": [],
                "fabricItemMembers": [
                    {
                        "sourcePath": "355b7f70-d3ce-4b1a-8630-5adf8b8df355/d753e987-5645-45b6-9f01-b248a367fabd",
                        "itemAccess": [
                            "ReadAll"
                        ]
                    }
                ]
            }
        }
    ]
}

We can then add a new role called MarketingReader that grants users access to only the marketing table in my lakehouse.

First, let’s copy the role definition for the existing role and then make the required updates.

We want the new role to be called MarketingReader, so we make that change to the name property for the new role. Next, we only want to grant access to the marketing table, so we replace the * (which gives root level access) with the path to our table. This array can take multiple string values if you want to grant access to multiple tables from a single role.

Lastly, we want to configure the members for this new role. The defaultReader role uses dynamic role membership through the fabricItemMembers block of code. Instead, we want to give a Microsoft Entra group access to this role. To do this, we remove the fabricItemMembers block, and add a new user object to the microsoftEntraMembers array. All that’s needed is to provide the tenantId and objectId for the user or group. You can look up this information using the Microsoft Graph APIs.

With our changes complete, we now have the finalized code below.

{
    "value": [
        {
            "name": "DefaultReader",
            "id": "dfb20430-869a-4ace-a442-b633f43f90af",
            "kind": "Policy",
            "decisionRules": [
                {
                    "effect": "Permit",
                    "permission": [
                        {
                            "attributeName": "Path",
                            "attributeValueIncludedIn": [
                                "*"
                            ]
                        },
                        {
                            "attributeName": "Action",
                            "attributeValueIncludedIn": [
                                "Read"
                            ]
                        }
                    ]
                }
            ],
            "members": {
                "microsoftEntraMembers": [],
                "fabricItemMembers": [
                    {
                        "sourcePath": "355b7f70-d3ce-4b1a-8630-5adf8b8df355/d753e987-5645-45b6-9f01-b248a367fabd",
                        "itemAccess": [
                            "ReadAll"
                        ]
                    }
                ]
            }
        },
        {
            "name": "MarketingReader",
            "kind": "Policy",
            "decisionRules": [
                {
                    "effect": "Permit",
                    "permission": [
                        {
                            "attributeName": "Path",
                            "attributeValueIncludedIn": [
                                "/Tables/marketing"
                            ]
                        },
                        {
                            "attributeName": "Action",
                            "attributeValueIncludedIn": [
                                "Read"
                            ]
                        }
                    ]
                }
            ],
            "members": {
                "microsoftEntraMembers": [
                    {
                        "tenantId": "fef5ca5f-150b-4270-9c4b-55e103545490",
                        "objectId": "c3ddc490-8b9f-47c5-a6d9-a686ce64b424"
                    }
                ],
                "fabricItemMembers": []
            }
        }
    ]
}

We can then PUT the payload back to our lakehouse, updating the existing role definitions to match the ones specified in the API call.

PUT https://api.fabric.microsoft.com/v1/workspaces/355b7f70-d3ce-4b1a-8630-5adf8b8df355/items/d753e987-5645-45b6-9f01-b248a367fabd/dataAccessRoles

We have now updated our role definitions and our marketing users can start accessing the marketing table in the lakehouse.

A screenshot of a computer Description automatically generated

Check out the links below for more information on OneLake data access roles and thanks for reading!

相關部落格文章

OneLake data access roles APIs announcement

部落格的精選影像

Tag your data to enrich item curation and discovery
9月 27, 2024 作者: Naama Tsafrir

Introducing tags – now in public preview. When it comes to data discovery and management, the modern data estate presents a set of daunting challenges for organizations and admins. An explosion in data sources coupled with rapid movement to the cloud is accommodating admins of all type, as well as CDOs and data stewards busy. … Continue reading “Tag your data to enrich item curation and discovery”

閱讀更多資訊
部落格的精選影像

Announcing the new Terraform Provider for Microsoft Fabric (Public Preview)
9月 26, 2024 作者: Evelina Alroy-Brin

A new Terraform Provider for Microsoft Fabric is now in public preview. This provider empowers users to automate and streamline their deployment and management processes in a declarative manner. With the Terraform Provider for Microsoft Fabric, users can: Enhance Governance and Compliance: Establish and enforce processes, mitigate risks, identify and rectify infrastructure drifts, use policies … Continue reading “Announcing the new Terraform Provider for Microsoft Fabric (Public Preview)”

閱讀更多資訊