OneLake security enables you to apply role-based access control (RBAC) to your data stored in OneLake. You can define security roles that grant read access to specific folders within a Fabric item, then assign these roles to users or groups. Roles can also contain row or column level security to further limit access. The OneLake security permissions determine what data that user can see across all experiences in Fabric.
Fabric users with Write and Reshare permissions (generally Admin and Member workspace users) can get started by creating OneLake security roles to grant access to only specific folders or tables in a Fabric data item. To grant access to data in an item, add users to a data access role. Users that aren't part of a data access role see no data in that item.
Prerequisites
To configure OneLake security, you must be an Admin or Member in the workspace, or have Write and Reshare permissions. Role creation and membership assignment take effect as soon as the role is saved, so make sure you want to grant access before adding someone to a role.
The table below outlines which data items support OneLake security.
| Fabric item | Status | Supported permissions |
|---|---|---|
| Lakehouse | Private Preview | Read, ReadWrite |
| Azure Databricks Mirrored Catalog | Private Preview | Read |
How to opt in
OneLake security is currently in private preview and as a result is disabled by default. The preview feature is configured on a per-item basis. The opt-in control allows for a single item to try the preview without enabling it on any other Fabric items.
The preview feature can't be turned off once enabled.
- Navigate to a lakehouse and select Manage OneLake security (preview).
- Review the confirmation dialog. The data access roles preview isn't compatible with the External data sharing preview. If you're OK with the change, select Continue.
To ensure a smooth opt-in experience, all users with read permission to data in the item continue to have read access through a default data access role called DefaultReader. Using virtualized role memberships, all users that had the necessary permissions to view data in the lakehouse (the ReadAll permission) are included as members of this default role. To start restricting access to those users, delete the DefaultReader role or remove the ReadAll permission from the accessing users.
Important
Make sure that any users that are included in a data access role are removed from the DefaultReader role. Otherwise they maintain full access to the data.
What types of data can be secured?
Use OneLake security roles to manage OneLake read access to any tables or folders in an item. Access to tables can be further restricted using row and/or column level security. Any security set applies to access from all engines in Fabric. For more information, see the data access control model.
Create a role
Use the following steps to create a OneLake security role.
1. Open the Fabric item where you want to define security.
2. Select Manage OneLake security (preview) from the item menu.
3. On the OneLake security (preview) pane, select New.
4. Provide a name for the new role that meets the following guidelines:
   - The role name can only contain alphanumeric characters.
   - The role name must start with a letter.
   - Names are case insensitive and must be unique.
   - The maximum name length is 128 characters.
5. If you want this role to apply to all of the tables and files in this lakehouse, select the All data toggle. This selection also grants access to any folders that are added in the future.
6. If you want this role to apply only to a selected group of tables and folders, select the Selected data toggle. Then, use the following steps to define the approved data for this role:
   1. Select Browse Lakehouse (or the equivalent for the item you're working with).
   2. Expand the Tables and Files directories to view data in your lakehouse.
   3. Check the boxes next to the tables and files that you want the role to apply to.
   4. Select Add data to add the selected items to your role.
7. Use the Add members to your role textbox to manually enter the names or email addresses of users that you want to include in the role. Or, select Advanced configuration and follow the guidance in Assign virtual members.
   To add members manually:
   - Enter the name or email address of a user.
   - Select the correct name from the suggested list.
   - Select the check icon to confirm your selection, or the X icon to clear the selection.
8. Review the Preview role summaries.
   - To edit the data preview, select Browse Lakehouse and update the selected tables and folders.
   - To remove a user from the members preview, select more options (...) next to their name, then Remove from role.
9. Select Create role and wait for the notification that the role was successfully published.
Edit a role
Use the following steps to edit an existing OneLake security role.
1. Open the item where you want to define security.
2. Select Manage OneLake security (preview) from the item menu.
3. On the OneLake security (preview) pane, select the role that you want to edit. This action opens the role details page, which includes two tabs: Data in role and Members in role.
4. Review the information in the Data in role tab. This tab shows all of the data that the members of the role can access.
   - The Data column shows the names of the tables or folders that are part of the role's access. You can expand and collapse schemas to view the items underneath. Hovering over an entry shows the full path of the table or folder. Hovering over the more options (...) icon gives you options to configure row-level security or column-level security; the row-level security and column-level security guides explain how these work.
   - The Type column tells you the type of item that was selected. The values are either Schema, Table, or Folder.
   - The Permissions column shows what permission the role grants to each item. Currently, only Read is supported.
   - The Data access column indicates whether any row or column level restrictions are applied to the item. An icon with a lock and horizontal lines indicates row-level security is applied, while an icon with a lock and vertical lines indicates column-level security is applied.
5. To edit the data included in the role, select Add data. This action opens the table and folder selection dialog.
   1. Check and uncheck tables or folders to add or remove them from the role.
   2. Select Add data to confirm your selections.
6. Select the Members in role tab to view the members of the role.
   - The Members column shows the profile picture and name of the member.
   - The Type column indicates whether the member is a User or Group.
   - The Added using column denotes whether a user was added via their Email as a member of the role, or included as part of a lakehouse permissions group. For more information about adding users using item permissions, see Assign virtual members.
7. To edit the members of the role, select Add members.
   - To add members manually, enter a name or email in the Add members to your role textbox. Select the correct name from the suggested list. Then, select the check icon to confirm your selection, or select the X icon to clear the selection.
   - To remove users from the role, select more options (...) next to their name and select Remove from role.

Any change to role membership updates the role immediately. A notification reports the success or failure of the change.
Delete a role
Use the following steps to delete a OneLake data access role.
1. Open the lakehouse where you want to define security.
2. Select Manage OneLake security (preview) from the Lakehouse menu.
3. On the OneLake security (preview) pane, check the box next to the roles you want to delete.
4. Select Delete and wait for the notification that the roles were successfully deleted.
Assign a member or group
OneLake security roles support two methods of adding users to a role. The main method is adding users or groups directly to a role using the Add people or groups box on the Assign role page. The second is creating virtual memberships with permission groups using the Advanced configuration control.
Adding users directly to a role makes them explicit members of the role. These users appear with their name and picture in the Members list.
Virtual members allow the membership of the role to be adjusted dynamically based on the Fabric item permissions of the users. By selecting Advanced configuration and selecting a permission, you add any user in the Fabric workspace who has all of the selected permissions as an implicit member of the role. For example, if you choose ReadAll and Write, any user of the Fabric workspace that has both ReadAll and Write permissions on the item is included as a member of the role. You can see which users a permission group adds by looking at the Added using column in the Members in role tab. These members can't be removed individually; to remove a member that was added through a permission group, remove the permission group from the role.
Regardless of which membership type you use, OneLake security roles support adding individual users, Microsoft Entra groups, and security principals.
Assign virtual members
The permissions that can be used for virtual members are:
- Read
- Write
- Reshare
- Execute
- ReadAll
To assign users with permission groups, use the following steps:
1. Select the name of the role you want to assign members to.
2. On the role details page, select the Members in role tab.
3. Select Add members.
4. Select Advanced configuration.
5. In the Permission groups box, select the checkbox next to each permission that you want to include users for.
   - Each permission group shows a count of how many users are included in that group.
   - Selecting multiple permission groups includes only users who hold all of the selected permissions.
6. Select Add to include the groups and save the role.
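As an added illustration (not Fabric's own code or API), the following Python models the membership rules described in this section and in the DefaultReader note under How to opt in: explicit members added by email, virtual members who must hold all of the selected permissions, and an audit check for users in a restricting role who are still picked up by DefaultReader. All users, permissions and paths are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample: the item (lakehouse) permissions each user holds.
# Carol has Read on the item but not ReadAll, so no data role picks her up.
ITEM_PERMISSIONS = {
    "alice@contoso.example": {"Read", "ReadAll", "Write", "Reshare"},
    "bob@contoso.example": {"Read", "ReadAll"},
    "carol@contoso.example": {"Read"},
}

@dataclass
class Role:
    name: str
    paths: frozenset                                 # tables/folders granted Read; "*" = All data toggle
    members: set = field(default_factory=set)        # explicit members (added by email)
    required_permissions: frozenset = frozenset()    # Advanced configuration: a user needs ALL of these

def virtual_members(role, item_permissions):
    """Implicit members: users holding every permission selected for the role."""
    if not role.required_permissions:
        return set()
    return {u for u, perms in item_permissions.items() if role.required_permissions <= perms}

def effective_members(role, item_permissions):
    return set(role.members) | virtual_members(role, item_permissions)

def readable_paths(user, roles, item_permissions):
    """Data a user can read: the union over every role the user is in; no role means no data."""
    return set().union(*(r.paths for r in roles if user in effective_members(r, item_permissions)))

def defaultreader_overlap(roles, item_permissions):
    """Audit check: users in a restricting role who are still in DefaultReader keep full access."""
    default = [r for r in roles if r.name == "DefaultReader"]
    if not default:
        return set()
    in_default = effective_members(default[0], item_permissions)
    in_others = set().union(*(effective_members(r, item_permissions)
                              for r in roles if r.name != "DefaultReader"))
    return in_default & in_others

# DefaultReader is created at opt-in with virtualized membership on the ReadAll permission.
DEFAULT_READER = Role("DefaultReader", frozenset({"*"}), required_permissions=frozenset({"ReadAll"}))
# Constructed restricting role: Bob added by email, plus anyone holding both ReadAll and Write.
SALES_READERS = Role("SalesReaders", frozenset({"Tables/sales"}), members={"bob@contoso.example"},
                     required_permissions=frozenset({"ReadAll", "Write"}))
ROLES = [DEFAULT_READER, SALES_READERS]

if __name__ == "__main__":
    for user in ITEM_PERMISSIONS:
        print(user, sorted(readable_paths(user, ROLES, ITEM_PERMISSIONS)))
    print("still in DefaultReader:", sorted(defaultreader_overlap(ROLES, ITEM_PERMISSIONS)))
```

Dropping DefaultReader from the role list (as deleting it does) leaves Bob with only Tables/sales, which is the intended restriction.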