Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)!
Last updated: 28-Mar-2025
[Microsoft Fabric] OneLake Role-based access control (RBAC)
- {def} security framework that allows to manage access to resources by assigning roles to users or groups
- applies to Lakehouse Items only [1]
- restricts data access for users with Workspace Viewer or read access to a lakehouse [1]
- doesn't apply to Workspace Admins, Members, or Contributors [1]
- ⇒ supports only Read level of permissions [1]
- uses role assignments to apply permissions to its members
- assigned to
- individuals
- security groups
- Microsoft 365 groups
- distribution lists
- ⇐ every member of the user group gets the assigned role [1]
- users in multiple groups get the highest level of permission that is provided by the roles [1]
- managed through the lakehouse data access settings [1]
- when a lakehouse is created, OneLake generates a default RBAC Role named Default Readers [1]
- allows all users with ReadAll permission to read all folders in the Item [1]
- permissions always inherit to the entire hierarchy of the folder's files and subfolders [1]
- provides automatic traversal of parent items to ensure that data is easy to discover [1]
- ⇐ similar to Windows folder permissions [1]
- [shortcuts] shortcuts to other OneLake locations have specialized behavior [1]
- the access to a OneLake shortcut is determined by the target permissions of the shortcut [1]
- when listing shortcuts, no call is made to check the target access [1]
- ⇒ when listing a directory all internal shortcuts will be returned regardless of a user's access to the target [1]
- when a user tries to open the shortcut the access check will evaluate and a user will only see data they have the required permissions to see [1]
- enable you to restrict the data access in OneLake only to specific folders [1]
- {action} share a lakehouse
- grants other users or a group of users access to a lakehouse without giving access to the workspace and the rest of its items [1]
- found through
- Data Hub
- 'Shared with Me' section in Microsoft Fabrics
- [shortcuts] permissions always inherit to all Internal shortcuts where a folder is defined as target [1]
- when a user accesses data through a shortcut to another OneLake location, the identity of the calling user is used to authorize access to the data in the target path of the shortcut [1]
- ⇒ the user must have OneLake RBAC permissions in the target location to read the data [1]
- defining RBAC permissions for the internal shortcut is not allowed [1]
- must be defined on the target folder located in the target item [1]
- OneLake enables RBAC permissions only for shortcuts targeting folders in lakehouse items [1]
Previous Post <<||>> Next Post
References:
[1] Microsoft Learn (2024) Fabric: Role-based access control (RBAC) [link]
[2] Microsoft Learn (2024) Best practices for OneLake security [link]
Resources:
[R1] Microsoft Learn (2025) Fabric: What's new in Microsoft Fabric?
[link]
Acronyms:
ADLS - Azure Data Lake Storage
RBAC - Role-Based Access Control
RBAC - Role-Based Access Control
No comments:
Post a Comment