Microsoft Fabric Updates Blog

OneLake data access roles – Public Preview Announcement

The OneLake team is thrilled to announce the release of OneLake data access roles for lakehouse in public preview. Data access roles build upon the existing capabilities of OneLake’s security model to increase the granularity at which security can be applied within a Fabric data item. This feature adds an inheritable RBAC (role-based access control) model that simplifies user and permissions management for data in OneLake.

OneLake previously managed data access at the Fabric item level. Access to the OneLake data behind a Fabric item could be granted or removed for users or groups. Data access roles now allow for defining security roles that can grant access to individual OneLake folders within a Fabric item. The granted access inherits to any newly added sub-folders in a transparent manner. Role permissions and user/group assignments can be easily updated through a new folder security UX or through API calls. The security also extends to 3rd party access requests made through the OneLake APIs.

As the OneDrive for data, OneLake's data access roles mirror the ease of use and scalability that OneDrive is known for. Permissions and role assignments are simple to understand: users either have read access to a folder or they don't. Permissions inherit to sub-folders and folders are discoverable by default, removing the need for separate traverse or execute permissions. Further, with 250 roles per lakehouse and hundreds of permissions per role, data security can be managed without worrying about folder security limits.

With these new capabilities, building out data architectures in Microsoft Fabric is now even easier. Data product teams can manage the fine-grained access to data resources for consumption from OneLake. This extends to shortcuts as well, reducing data copies and allowing the data owner to ensure the security and control of their data products.

OneLake data access roles for folders simplifies access management for data stored in OneLake. See steps here to get started!

FAQ:

What is changing?

User access to OneLake relied on the Fabric “ReadAll” permission included in some workspace roles or through sharing a lakehouse. For lakehouses with the OneLake data access roles preview enabled, access to OneLake does not rely on ReadAll and instead uses the RBAC role definitions to evaluate access.

Will my existing users lose access?

No, all users with ReadAll access to OneLake today will be added to a default data access role with equivalent access.

I previously granted OneLake access through the artifact share dialog; how do I grant access in the new system?

The previous approach granted access to all data in the artifact. You can continue to share the lakehouse with users like you did previously. However, in order for them to see the data in OneLake, you will go to the lakehouse, open the data access roles experience and create a role to grant the user access to the specific folders you want them to have. You can still create a role to grant users access to all items in a lakehouse.

How does this impact SQL Endpoint?

No changes. SQL Endpoint accesses lakehouse data through a fixed identity that has admin access. This means SQL Endpoint security is separate from OneLake and is controlled through SQL roles and permissions. Users who need access to the OneLake folders underpinning the tables can be granted it through the new data access roles experience instead of through the ReadAll permission.

Is ReadAll going away?

No, ReadAll stays in Fabric and can be configured through sharing or the manage permissions page on a data item. For lakehouses with OneLake data access roles enabled, ReadAll becomes a proxy permission and does not grant access to OneLake data unless the data access roles are configured to leverage the ReadAll permission.

Is this OneSecurity?

No. The features announced as OneSecurity (currently called OneLake security for all workloads) are still in active development, and you can track their progress on the public roadmap here. OneLake data access roles is an iterative feature that enables granular access control for OneLake access only; it does not apply to all workloads.
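To make the access semantics described above and in the FAQ concrete (folder grants that inherit to every sub-folder with no traverse permission, group or direct membership, and ReadAll becoming a proxy that only counts when a role honors it), here is an added illustrative model. It is example code written for this post, not the OneLake API or Microsoft's implementation; the `Lakehouse`, `DataAccessRole` and `Principal` names, the `honors_read_all` flag and the shape of the "DefaultReader" migration role are assumptions, and all users, groups and paths are constructed sample data.

```python
"""Illustrative model of the access semantics the announcement describes.

Added example code, not the OneLake API or Microsoft's implementation.
Assumptions: one permission level (read), folder grants inherit to every
sub-folder with no separate traverse/execute right, and ReadAll is only a
proxy that counts when a role is configured to honor it.
"""
from dataclasses import dataclass, field
from posixpath import normpath

MAX_ROLES_PER_LAKEHOUSE = 250  # limit stated in the announcement


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    has_read_all: bool = False  # Fabric ReadAll via workspace role or sharing


@dataclass
class DataAccessRole:
    name: str
    folders: set                                # lakehouse-relative paths; "" = whole item
    members: set = field(default_factory=set)   # user or group names
    honors_read_all: bool = False               # assumed flag: treat ReadAll holders as members

    def includes(self, p: Principal) -> bool:
        if p.name in self.members or (p.groups & self.members):
            return True
        return self.honors_read_all and p.has_read_all


def _norm(path: str) -> str:
    """Collapse '..' and '//' and strip slashes so prefix checks cannot be fooled."""
    p = normpath("/" + path.strip("/"))
    return "" if p == "/" else p.lstrip("/")


def folder_covers(granted: str, requested: str) -> bool:
    """True when `requested` is `granted` itself or any folder/file beneath it."""
    g, r = _norm(granted), _norm(requested)
    return g == "" or r == g or r.startswith(g + "/")


class Lakehouse:
    def __init__(self, name: str, access_roles_enabled: bool = True):
        self.name = name
        self.access_roles_enabled = access_roles_enabled
        self.roles: dict = {}

    def add_role(self, role: DataAccessRole) -> None:
        if len(self.roles) >= MAX_ROLES_PER_LAKEHOUSE:
            raise ValueError(f"{self.name}: role limit of {MAX_ROLES_PER_LAKEHOUSE} reached")
        self.roles[role.name] = role

    def granting_roles(self, p: Principal, path: str) -> list:
        """Names of roles that grant `p` read on `path` (empty list = denied)."""
        return [r.name for r in self.roles.values()
                if r.includes(p) and any(folder_covers(f, path) for f in r.folders)]

    def can_read(self, p: Principal, path: str) -> bool:
        if not self.access_roles_enabled:
            return p.has_read_all  # legacy item-level model: ReadAll = all OneLake data
        return bool(self.granting_roles(p, path))


def enable_preview(lh: Lakehouse) -> None:
    """Model the migration step: existing ReadAll holders keep equivalent access
    through a whole-item default role (the role's shape here is an assumption)."""
    lh.access_roles_enabled = True
    lh.add_role(DataAccessRole("DefaultReader", folders={""}, honors_read_all=True))


def build_demo():
    """Constructed sample: a lakehouse with two folder-scoped roles and three users."""
    lh = Lakehouse("SalesLakehouse")
    lh.add_role(DataAccessRole("FinanceReaders", folders={"Files/finance"},
                               members={"finance-analysts"}))       # group grant
    lh.add_role(DataAccessRole("HRReaders", folders={"Files/hr"},
                               members={"carol@contoso.example"}))  # direct grant
    people = {
        "alice": Principal("alice@contoso.example", groups=frozenset({"finance-analysts"})),
        "bob": Principal("bob@contoso.example", has_read_all=True),  # ReadAll only
        "carol": Principal("carol@contoso.example"),
    }
    return lh, people


if __name__ == "__main__":
    lh, people = build_demo()
    for who, path in [("alice", "Files/finance/2024/q1/sales.parquet"),
                      ("alice", "Files/hr/salaries.csv"),
                      ("bob", "Files/finance"),
                      ("carol", "Files/hr/../finance")]:
        print(f"{who:6} {path:40} -> {lh.granting_roles(people[who], path) or 'DENIED'}")
    enable_preview(lh)  # bob regains whole-item read through the default role
    print("bob after default role:", lh.granting_roles(people["bob"], "Files/finance"))
```

The two points worth checking in your own tenant follow directly from this model: a user holding only ReadAll (bob) is denied once roles are enabled until some role is configured to honor ReadAll, and a grant on `Files/finance` reaches `Files/finance/2024/q1/...` without any intermediate grant, but not the sibling `Files/hr` and not a look-alike prefix such as `Files/financeX`. Path normalization is applied before the prefix check so a request like `Files/hr/../finance` is evaluated against the folder it actually resolves to.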
