Microsoft Fabric Updates Blog

OneLake data access roles – Public Preview Announcement

The OneLake team is thrilled to announce the release of OneLake data access roles for lakehouse in public preview. Data access roles build upon the existing capabilities of OneLake’s security model to increase the granularity at which security can be applied within a Fabric data item. This feature adds an inheritable RBAC (role-based access control) model that simplifies user and permissions management for data in OneLake.

OneLake previously managed data access at the Fabric item level. Access to the OneLake data behind a Fabric item could be granted or removed for users or groups. Data access roles now allow for defining security roles that can grant access to individual OneLake folders within a Fabric item. The granted access inherits transparently to any newly added sub-folders. Role permissions and user/group assignments can be easily updated through a new folder security UX or through API calls. The security also extends to third-party access requests made through the OneLake APIs.

As the OneDrive for data, data access roles in OneLake mirror the ease of use and scalability that OneDrive is known for. Permissions and role assignments are simple to understand: users have read access to a folder or they don’t. The permissions inherit to sub-folders and are discoverable by default, removing the need for traverse or execute permissions. Further, with 250 roles per lakehouse and hundreds of permissions per role, data security can be easily managed without worrying about folder security limits.
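To make the evaluation rules above concrete, here is an added illustrative model of the described semantics (folder grants that inherit downward, no separate traverse permission, a default role that preserves ReadAll-equivalent access, and the 250-role limit). This is example code written for this post, not OneLake’s implementation or API; the role and principal names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Limit stated in the announcement: 250 data access roles per lakehouse.
MAX_ROLES_PER_LAKEHOUSE = 250


@dataclass
class DataAccessRole:
    """A role grants read access to whole folders; members are user/group ids."""
    name: str
    folders: Set[str]   # e.g. {"Files/bronze"}; "" means the whole lakehouse
    members: Set[str]


@dataclass
class Lakehouse:
    roles: List[DataAccessRole] = field(default_factory=list)

    def add_role(self, role: DataAccessRole) -> None:
        if len(self.roles) >= MAX_ROLES_PER_LAKEHOUSE:
            raise ValueError("role limit of 250 per lakehouse reached")
        self.roles.append(role)


def _covers(granted: str, requested: str) -> bool:
    """A grant on a folder inherits to that folder and everything beneath it
    (path-segment aware, so 'Files/bronze' does not cover 'Files/bronzeX')."""
    g, r = granted.strip("/"), requested.strip("/")
    return g == "" or r == g or r.startswith(g + "/")


def can_read(lh: Lakehouse, principal: str, path: str, groups: Set[str] = frozenset()) -> bool:
    """Read access is all-or-nothing per folder: any matching role grants it."""
    ids = {principal, *groups}
    return any(ids & role.members and any(_covers(f, path) for f in role.folders)
               for role in lh.roles)


def can_list(lh: Lakehouse, principal: str, path: str, groups: Set[str] = frozenset()) -> bool:
    """Grants are discoverable by default: an ancestor of a granted folder can be
    listed without a separate traverse/execute permission."""
    if can_read(lh, principal, path, groups):
        return True
    ids = {principal, *groups}
    return any(ids & role.members and any(_covers(path, f) for f in role.folders)
               for role in lh.roles)


def build_demo() -> Lakehouse:
    """Constructed sample: a default role for former ReadAll holders plus one folder role."""
    lh = Lakehouse()
    lh.add_role(DataAccessRole("DefaultReader", {""}, {"readall-users"}))  # whole lakehouse
    lh.add_role(DataAccessRole("BronzeReaders", {"Files/bronze"}, {"alice"}))
    return lh
```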

With these new capabilities, building out data architectures in Microsoft Fabric is now even easier. Data product teams can manage the fine-grained access to data resources for consumption from OneLake. This extends to shortcuts as well, reducing data copies and allowing the data owner to ensure the security and control of their data products.

OneLake data access roles for folders simplify access management for data stored in OneLake. See steps here to get started!

FAQ:

What is changing?

User access to OneLake relied on the Fabric “ReadAll” permission included in some workspace roles or through sharing a lakehouse. For lakehouses with the OneLake data access roles preview enabled, access to OneLake does not rely on ReadAll and instead uses the RBAC role definitions to evaluate access.

Will my existing users lose access?

No, all users with ReadAll access to OneLake today will be added to a default data access role with equivalent access.

I previously granted OneLake access through the artifact share dialog; how do I grant access in the new system?

The previous approach granted access to all data in the artifact. You can continue to share the lakehouse with users like you did previously. However, in order for them to see the data in OneLake, you will go to the lakehouse, open the data access roles experience and create a role to grant the user access to the specific folders you want them to have. You can still create a role to grant users access to all items in a lakehouse.

How does this impact SQL Endpoint?

No changes. SQL Endpoint accesses lakehouse data through a fixed identity that has admin access. This means the SQL Endpoint security is separate from OneLake and controlled through SQL roles and permissions. Users that want to have access to the OneLake folders underpinning the tables can be given access through the new data access roles experience instead of through the ReadAll permission.

Is ReadAll going away?

No, ReadAll stays in Fabric and can be configured through sharing or the manage permissions page on a data item. For lakehouses with OneLake data access roles enabled, ReadAll becomes a proxy permission and does not grant access to OneLake data unless the data access roles are configured to leverage the ReadAll permission.

Is this OneSecurity?

No, the features announced as OneSecurity (currently called OneLake security for all workloads) are still in active development, and you can track their progress on the public roadmap here. OneLake data access roles is an iterative feature that enables granular access control for OneLake access only; it does not apply to all workloads.
