
Overview
OneLake is a versatile data lake solution that offers secure data storage, management, and access permissions, so organizations can operate efficiently while safeguarding sensitive information. Understanding the security model and the data access roles within OneLake is crucial for maintaining data integrity and compliance with regulatory standards.
OneLake data access roles for folders are a new feature that lets you apply role-based access control (RBAC) to data stored in OneLake. You create security roles that grant read access to specific folders within a Fabric item and assign them to individuals or groups. These permissions control which folders users see when they access the lake view of the data through the Lakehouse UX, notebooks, or the OneLake API.
Security Features
Data access role security applies only to users who access OneLake directly. Fabric objects such as SQL analytics endpoints, semantic models, and warehouses have their own security models and use a delegated identity to access OneLake. Because each workload enforces its own model, a user with access to several items may see different data in each workload.
OneLake incorporates several security features to protect data, including:
- Encryption: Data is encrypted both at rest and in transit, ensuring that unauthorized users cannot decipher sensitive information.
- Authentication: Strong authentication mechanisms, such as multi-factor authentication (MFA), are employed to verify user identity.
- Access Controls: Role-based access controls (RBAC) allow administrators to define who can access specific data sets and perform particular operations.
Data Access Roles
1. Administrator
   - Responsibilities:
     - Manage user accounts and permissions.
     - Configure security settings and policies.
     - Monitor access logs and activities.
   - Access Level: Full access to all data and administrative functions.
2. Data Steward
   - Responsibilities:
     - Oversee data quality and governance.
     - Implement data management practices.
     - Facilitate data access requests.
   - Access Level: Limited access to specific datasets, primarily for quality assurance and management purposes.
3. Data Analyst
   - Responsibilities:
     - Analyze datasets to generate insights.
     - Create and manage reports and dashboards.
     - Collaborate with different teams to meet data analytics needs.
   - Access Level: Access to analytical tools and datasets relevant to their analysis tasks.
4. Data Consumer
   - Responsibilities:
     - Utilize available data for various applications.
     - Follow data usage protocols.
     - Report any discrepancies in data access.
   - Access Level: Restricted access to designated datasets necessary for their workflows.
How to Opt In
The preview feature for data access roles is deactivated by default in all lakehouses in Fabric. Each lakehouse has its own configuration for the preview feature, so with the opt-in control one lakehouse can test the preview without making it available to any other lakehouse or Fabric product.
You need to be an Admin, Member, or Contributor in the workspace to enable the preview. To open the confirmation dialog, navigate to a lakehouse and select the Manage OneLake data access (preview) button in the ribbon. The External data sharing preview and the data access roles preview are incompatible. Select Continue if you accept the change. Once the manage roles pane opens, the feature is active.
Once activated, the preview feature cannot be disabled.
To make opt-in seamless, all users who already have read rights to data in the lakehouse keep that read access. The migration creates a default data access role named "DefaultReader". All users holding the ReadAll permission, which is required to see data in the lakehouse, become members of this default role through virtualized role memberships. To begin limiting access for those users, remove the DefaultReader role or revoke the users' ReadAll permission.
How to Create a role
- Open the Lakehouse where you want to define security.
- In the right side of the Lakehouse ribbon, select Manage One Lake data access (preview).
- On the top left of the Manage OneLake data access pane, select New Role, and type the role name you want. The role name has certain restrictions:
  - The role name can only contain alphanumeric characters.
  - The role name must start with a letter.
  - Names are case insensitive and must be unique.
  - The maximum name length is 128 characters.
- Select the All folders toggle if you want this role to apply to all the folders in this Lakehouse.
  - This selection includes any folders that are added in the future.
- Select Selected folders if you want this role to apply only to selected folders.
  - Check the boxes next to the folders you want the role to apply to.
  - Roles grant access to folders. To allow a user to access a folder, check the box next to it. If a user shouldn't see a folder, don't check the box.
- In the bottom left, select Save to create your role.
- In the top left, select Assign role to open the role membership pane.
- Add people, groups, or email addresses to the Add people or groups control. For more information, see Assign a member or group.
- Select Add to move your selection to Assigned users list. Selecting Add doesn’t save your selection yet.
- Select Save and wait for the notification that the roles are successfully published.
- Select the X in the top right to exit the pane.
How to Edit a role
- Open the lakehouse where you want to define security.
- In the right side of the lakehouse ribbon, select Manage OneLake data access (preview).
- On the Manage OneLake data access pane, hover over the role you want to edit and select it.
- You can change which folders are being granted access to by selecting or deselecting the checkboxes next to each folder.
- To change the people, select Assign role. For more information, see Assign a member or group.
- To add more people, type names in the Add people or groups box and select Add.
- To remove people, select their name under Assigned users and select Remove.
- Select Save and wait for the notification that the roles are successfully published.
- Select the X in the top right to exit the pane.
How to Delete a role
- Open the lakehouse where you want to define security.
- In the right side of the lakehouse ribbon, select Manage OneLake data access (preview).
- On the Manage OneLake data access pane, check the box next to the roles you want to delete.
- Select Delete and wait for the notification that the roles are successfully deleted.
- Select the X in the top right to exit the pane.
Assign a member or group
There are two ways to add people to a role in OneLake data access roles. The primary way is to add users or groups directly to the role using the Add people or groups box on the Assign role page. The second way is to use virtual memberships based on Lakehouse permissions, through the Add users based on Lakehouse permissions control.
Users added through the Add people or groups box are explicit members of the role. They appear with their photo and name in the list of assigned people and groups.
Virtual members let a role's membership change dynamically according to each user's permissions on the Fabric item. When you check the Add users based on Lakehouse permissions box and choose one or more permissions, every user in the Fabric workspace who holds all of the chosen permissions becomes an implicit member of the role. For example, if you select ReadAll and Write, all users of the Fabric workspace who hold both ReadAll and Write on the item are added to the role. You can see which users are virtual members by looking for the value "Lakehouse permissions" under the Assigned by column in the Assigned users list.
Virtual members cannot be removed manually; to unassign them, revoke the related Fabric permission.
Assign virtual members
To add virtual members, use the Add users based on Lakehouse permissions box. Select the box to open the dropdown picker to choose the Fabric permissions to virtualize. Users are virtualized if they have all of the checked permissions.
The permissions that can be used for virtualization are:
- Read
- Write
- Reshare
- Execute
- ReadAll
After selecting the permissions, select Add to update the Assigned users list with the changes. The users have text beside their name indicating that they were assigned by the lakehouse permissions. These users can’t be manually removed from the role assignment. Instead, remove the corresponding permissions from the Add users based on Lakehouse permissions control or remove the Fabric permission.
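To make the membership and folder-visibility rules above concrete, here is an added Python model (not OneLake's own code or API) of how a role's explicit and virtual members are resolved and which folders a user ends up seeing. The users, folders and permission sets are constructed for the example; the name rules, the "all selected permissions" virtual-membership rule and the DefaultReader role from the opt-in section are taken from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Permissions this page lists as usable for virtual membership
VIRTUALIZABLE = {"Read", "Write", "Reshare", "Execute", "ReadAll"}
# Role-name rules from this page: alphanumeric, starts with a letter, at most 128 chars
ROLE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,127}$")


@dataclass
class Role:
    name: str
    folders: Optional[set] = None                   # None models the "All folders" toggle
    explicit_members: set = field(default_factory=set)
    virtual_on: set = field(default_factory=set)    # user must hold ALL of these item permissions

    def __post_init__(self):
        if not self.virtual_on <= VIRTUALIZABLE:
            raise ValueError(f"cannot virtualize on {self.virtual_on - VIRTUALIZABLE}")


def validate_role_name(name, existing):
    """True when the name satisfies the rules above and is unique, ignoring case."""
    return bool(ROLE_NAME.match(name)) and name.lower() not in {e.lower() for e in existing}


def is_member(role, user, item_perms):
    """Explicit assignment, or virtual membership when the user holds every selected permission."""
    if user in role.explicit_members:
        return True
    return bool(role.virtual_on) and role.virtual_on <= item_perms.get(user, set())


def visible_folders(roles, user, item_perms, all_folders):
    """Folders readable by the user: the union over every role they are a member of."""
    seen = set()
    for role in roles:
        if is_member(role, user, item_perms):
            seen |= all_folders if role.folders is None else (role.folders & all_folders)
    return seen


# Constructed sample data: lakehouse folders and each user's Fabric item permissions
FOLDERS = {"Files/raw", "Files/curated", "Tables/sales"}
ITEM_PERMS = {"alice": {"ReadAll", "Write"}, "bob": {"ReadAll"}, "carol": {"Read"}}
DEFAULT_READER = Role("DefaultReader", folders=None, virtual_on={"ReadAll"})  # created on opt-in
FINANCE = Role("Finance", folders={"Tables/sales"}, explicit_members={"carol"})

if __name__ == "__main__":
    for user in ITEM_PERMS:
        print(user, sorted(visible_folders([DEFAULT_READER, FINANCE], user, ITEM_PERMS, FOLDERS)))
    # Withdrawing DefaultReader is what starts limiting ReadAll holders such as bob
    print("bob without DefaultReader:", visible_folders([FINANCE], "bob", ITEM_PERMS, FOLDERS))
```

Running it shows bob reading every folder through DefaultReader until that role is withdrawn, while carol, who only holds Read, sees Tables/sales solely through her explicit Finance membership.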
Roles in workspaces in Microsoft Fabric
You control who can do what in a Microsoft Fabric workspace by assigning workspace roles. Microsoft Fabric workspaces sit on top of OneLake and partition the data lake into distinct containers with independent security controls. Workspace roles in Microsoft Fabric extend the Power BI workspace roles by associating additional Microsoft Fabric capabilities, such as data integration and data exploration, with the existing workspace roles. See Roles in workspaces in Power BI for details on the Power BI roles.
Roles can be assigned to individual users, security groups, Microsoft 365 groups, and distribution lists. To grant access to a workspace, assign those users or groups to one of the workspace roles: Admin, Member, Contributor, or Viewer.
Microsoft Fabric workspace roles
Capability | Admin | Member | Contributor | Viewer |
---|---|---|---|---|
Update and delete the workspace. | ✅ | | | |
Add or remove people, including other admins. | ✅ | | | |
Add members or others with lower permissions. | ✅ | ✅ | | |
Allow others to reshare items.¹ | ✅ | ✅ | | |
Create or modify database mirroring items. | ✅ | ✅ | | |
View and read content of data pipelines, notebooks, Spark job definitions, ML models and experiments, and Event streams. | ✅ | ✅ | ✅ | ✅ |
View and read content of KQL databases, KQL query-sets, and real-time dashboards. | ✅ | ✅ | ✅ | ✅ |
Connect to the SQL analytics endpoint of a Lakehouse or Warehouse. | ✅ | ✅ | ✅ | ✅ |
Read Lakehouse and Data warehouse data and shortcuts² with T-SQL through the TDS endpoint. | ✅ | ✅ | ✅ | ✅ |
Read Lakehouse and Data warehouse data and shortcuts² through OneLake APIs and Spark. | ✅ | ✅ | ✅ | |
Read Lakehouse data through Lakehouse explorer. | ✅ | ✅ | ✅ | |
Write or delete data pipelines, notebooks, Spark job definitions, ML models and experiments, and Event streams. | ✅ | ✅ | ✅ | |
Write or delete Eventhouses³, KQL Querysets, Real-Time Dashboards, and schema and data of KQL Databases, Lakehouses, data warehouses, and shortcuts. | ✅ | ✅ | ✅ | |
Execute or cancel execution of notebooks, Spark job definitions, ML models, and experiments. | ✅ | ✅ | ✅ | |
Execute or cancel execution of data pipelines. | ✅ | ✅ | ✅ | |
View execution output of data pipelines, notebooks, ML models and experiments. | ✅ | ✅ | ✅ | ✅ |
Schedule data refreshes via the on-premises gateway.⁴ | ✅ | ✅ | ✅ | |
Modify gateway connection settings.⁴ | ✅ | ✅ | ✅ | |
¹ Contributors and Viewers can also share items in a workspace if they have Reshare permissions.
² Other permissions are needed to read data from the shortcut destination. Learn more about the shortcut security model.
³ Other permissions are needed to perform certain operations on data in an Eventhouse. Learn more about the hybrid role-based access control model.
⁴ Keep in mind that you also need permissions on the gateway. Those permissions are managed elsewhere, independent of workspace roles and permissions.
Conclusion
Establishing clear security protocols and defining data access roles in OneLake is essential for maintaining a secure data environment. By implementing robust access controls and promoting responsible data usage, organizations can take advantage of OneLake's capabilities while safeguarding their valuable information resources.