OneLake Security in Microsoft Fabric

Overview

OneLake, the unified data lake for Microsoft Fabric, centralizes and secures all data across domains and workspaces. It introduces a unified security layer that enforces governance, compliance, and access control directly at the data level — regardless of the tool or engine used to access the data.

This chapter outlines OneLake security principles, components, and best practices for implementation in enterprise environments.

Security Pillars

OneLake security is founded on the following core principles:

  • Zero Trust Architecture: Enforces least-privilege access and assumes breach.
  • Unified Access Control: Integration with Microsoft Entra ID for identity and access management.
  • Row-level and Column-level Security: Data masking and fine-grained access policies.
  • Auditability and Monitoring: Full observability with Microsoft Purview, Fabric Monitoring, and Defender for Cloud.
  • Data Encryption: At rest (via platform-managed keys) and in transit (TLS 1.2+).
  • Data Loss Prevention (DLP): Classification and labeling via Microsoft Purview sensitivity labels.

OneLake Security Components

  • Domains & Workspaces: Define access boundaries and RBAC scopes.
  • Items (Lakehouses, Warehouses, KQL DBs, Notebooks, Pipelines): Inherit workspace-level permissions but can be overridden with item-level access control.
  • OneLake Shortcuts: Shared datasets linked across domains, governed by the original data owner's permissions.
  • Microsoft Entra ID (Azure AD): Handles user, group, and service principal authentication.
  • Microsoft Purview: Provides classification, lineage, sensitivity labeling, and DLP.
  • Access Policies: Defined via workspaces or item scopes, using roles like Viewer, Contributor, Member, Admin.

Best Practices

  • Use Microsoft Entra Groups to manage access at scale.
  • Apply Sensitivity Labels consistently at the data item level.
  • Implement RBAC at the workspace level and override at item level where needed.
  • Leverage shortcuts judiciously and validate downstream access implications.
  • Monitor data access via Fabric Monitoring and Microsoft Sentinel integration.
  • Periodically review access logs and remove stale permissions.

Visual Architecture

This diagram illustrates how OneLake workspaces and items are secured within and across domains using RBAC and shortcut permissions.

OneLake Security Overview

Introduction

OneLake is Microsoft Fabric’s unified data lake, offering a hierarchical storage system comparable to Azure Data Lake Storage Gen2 or a file system. However, OneLake introduces Fabric-specific semantics at each hierarchy level — such as Workspaces, Items, and Folders — to align data governance with Microsoft Fabric's collaborative and domain-oriented model. This document outlines how security is enforced within OneLake using workspace roles, item-level permissions, data access roles, and the new OneLake Security (preview).

OneLake Hierarchy and Access Model

The OneLake folder structure aligns tightly with the Fabric workspace model:

OneLake/
└── Workspace/
    └── Item/
        └── Folders/

  • Workspace: A container for collaboration and governance. All items live inside a workspace.
  • Item: A Lakehouse, Warehouse, KQL DB, or Dataset, each representing a data-bound unit.
  • Folders: Substructures within items, used for managing files and logical datasets.

Access to data is controlled at each layer using either workspace roles or item-level permissions.

Workspace Permissions

Workspaces are the primary unit of access control. They define roles that cascade permissions down to all items inside the workspace:

Role          Add Admins   Add Members   Write Data & Create Items   Read Data
Admin         ✅           ✅            ✅                          ✅
Member        –            ✅            ✅                          ✅
Contributor   –            –             ✅                          ✅
Viewer        –            –             –                           ✅

Use Microsoft Entra security groups to assign workspace roles at scale.

Item Permissions

You can share individual items directly with users or groups without making them workspace members. This gives them visibility to that item only.

Permission   View Metadata   Access via SQL   Access via OneLake
Read         ✅              –                –
ReadData     ✅              ✅               –
ReadAll      ✅              –                ✅*

* With the new OneLake data access roles, ReadAll only works if the DefaultReader role is used or properly mapped.

Item permissions are managed via the "Manage permissions" pane in the item settings.

Compute-Level Permissions (SQL)

SQL compute engines enforce row-level and column-level security (RLS/CLS). You can:

  • Restrict access to schemas and tables.
  • Apply GRANT SELECT ON TABLE to users or roles.
  • Ensure a user has only ReadData or ReadAll, not both, to avoid conflicting views.

Note: Permissions via SQL endpoints differ from OneLake file APIs. Access to SQL does not imply OneLake access.
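The following T-SQL is an added example, not code from the page or from Microsoft, showing what the compute-level controls above look like on a Fabric SQL analytics endpoint: a table-level GRANT, a column-level GRANT, a row-level security policy keyed on the caller's Entra identity, and dynamic data masking. All object names (schema sec, table dbo.Sales, the mapping table, the user principal names) and all rows are constructed for the example; the Region filter mirrors the kind of constraint the OneLake Security section later describes.

```sql
-- Added example (not from the page): RLS, CLS and masking on a Fabric SQL endpoint.
-- Hypothetical objects: schema [sec], table dbo.Sales, users alice@/bob@contoso.example.
CREATE SCHEMA sec;
GO

-- Constructed sample data: a sales table with one sensitive column.
CREATE TABLE dbo.Sales
(
    SaleId        INT           NOT NULL,
    Region        VARCHAR(8)    NOT NULL,
    Amount        DECIMAL(18,2) NOT NULL,
    CustomerEmail VARCHAR(256)  NOT NULL
);
INSERT INTO dbo.Sales (SaleId, Region, Amount, CustomerEmail)
VALUES (1, 'CH', 120.50, 'anna@example.test'),
       (2, 'DE',  80.00, 'jonas@example.test'),
       (3, 'CH', 310.25, 'lea@example.test');
GO

-- Constructed mapping: which Entra principal may see which Region.
CREATE TABLE sec.RegionAccess
(
    UserPrincipalName VARCHAR(256) NOT NULL,
    Region            VARCHAR(8)   NOT NULL
);
INSERT INTO sec.RegionAccess (UserPrincipalName, Region)
VALUES ('alice@contoso.example', 'CH'),
       ('bob@contoso.example',   'DE');
GO

-- Row-level security: the predicate yields a row only when the caller
-- (USER_NAME() is the Entra UPN on a Fabric SQL endpoint) is mapped to that Region.
CREATE FUNCTION sec.fn_RegionPredicate (@Region AS VARCHAR(8))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    FROM sec.RegionAccess
    WHERE UserPrincipalName = USER_NAME()
      AND Region = @Region;
GO

CREATE SECURITY POLICY sec.SalesRegionFilter
ADD FILTER PREDICATE sec.fn_RegionPredicate(Region) ON dbo.Sales
WITH (STATE = ON);
GO

-- Column-level security: grant only the non-sensitive columns to alice;
-- CustomerEmail is not granted, so selecting it fails for her.
GRANT SELECT ON dbo.Sales (SaleId, Region, Amount) TO [alice@contoso.example];
GO

-- Table-level grant for bob, combined with masking of the sensitive column:
-- he sees a masked e-mail unless he also holds UNMASK.
GRANT SELECT ON dbo.Sales TO [bob@contoso.example];
ALTER TABLE dbo.Sales
ALTER COLUMN CustomerEmail ADD MASKED WITH (FUNCTION = 'email()');
GO

-- Check: connected as alice, SELECT SaleId, Region, Amount FROM dbo.Sales returns
-- only the two CH rows; connected as bob, the DE row with a masked CustomerEmail.
```

These grants govern the SQL analytics endpoint only, which is the point of the note above: the user must hold ReadData on the item to connect at all, and a principal who holds ReadAll reads the underlying OneLake files through Spark or the OneLake APIs, where this security policy and the column grants are never evaluated.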

OneLake Security (Preview)

The OneLake Security feature (limited preview) provides fine-grained RBAC across folders, tables, rows, and columns. Each role includes:

  • Data: Defined scopes (tables or folders).
  • Permissions: Read/Write per scope.
  • Members: Users or groups.
  • Constraints: Row/column filters (e.g. Region = 'CH').

Admins and Members can configure roles in the item UI or via automation (future API support).

Mermaid Diagram – Security Flow

OneLake Data Access Roles (Preview)

A predecessor to OneLake Security, this feature defines read-only access to folders. Roles are defined at the folder level and are ideal for restricting visibility in lakehouse UIs, APIs, or Notebooks.

  • Contributors will lose access to this config starting August 2025.
  • To access shortcuts, users need ReadAll on the target item.

Shortcut Security

Shortcuts inherit access from the target item, not the referencing item. When accessed via APIs, the owner’s identity is used, not the caller’s — impacting Power BI or T-SQL scenarios.

Authentication

OneLake uses Microsoft Entra ID for authentication:

  • Supports users, groups, and service principals.
  • Requires tenant admin approval to enable service principals (SPNs).
  • Automatically integrates with Microsoft Entra tokens from Fabric tools.

Audit Logs

OneLake logs administrative operations via audit logs. These logs:

  • Show actions like CreateFile, DeleteFile.
  • Are accessible via the Fabric Admin Portal.
  • Do not include read operations or activity via compute engines.

Encryption and Networking

At Rest

  • All data is encrypted using Microsoft-managed keys (FIPS 140-2).
  • Customer-managed keys (CMK) are not yet supported.

In Transit

  • Encrypted via TLS 1.2+, prefers TLS 1.3.
  • Cross-service traffic uses Microsoft’s backbone.

External Access Control

Tenant admins can enable or block OneLake access for external apps (e.g., custom ADLS-based tools). This is controlled in the Admin Portal > OneLake Settings.

Summary

Security Layer        Scope                        Tool
Workspace Roles       Workspace-wide               Fabric UI
Item Permissions      Individual item level        Manage Permissions panel
OneLake Security      Tables, Folders, Rows        Preview feature
Data Access Roles     Folder-level read access     Folder Access UI
SQL Compute Access    Tables, RLS, CLS             SQL Analytics Endpoint
