Managing data access in enterprise environments often means juggling competing needs. Finance teams need full visibility into budget data. Department managers need access to their own metrics but not others. External partners need specific reports without seeing underlying customer information. OneLake Security in Microsoft Fabric solves this challenge with role-based access control that works down to individual folders, tables, rows, and columns.
The security enforcement remains consistent across all Fabric workloads, whether users query through SQL, run Spark notebooks, or build Power BI reports. This eliminates the risk of data exposure through different access points. Organizations can start with broad workspace permissions and add granular controls only where needed, making security both comprehensive and manageable.
TL;DR
OneLake Security in Microsoft Fabric lets you control data access through role-based permissions. You can restrict access to specific folders and tables, apply row and column level filters, and assign users to security roles. The feature works across all Fabric compute engines, ensuring consistent security enforcement. While workspace and item permissions are generally available, OneLake Security roles are currently in preview for Lakehouses and Azure Databricks Mirrored Catalogs.
What Makes OneLake Security Different
Understanding Control Plane vs Data Plane
Security in OneLake works on two levels. Control plane permissions let you manage resources like creating workspaces, sharing items, and editing settings. Data plane permissions control what data users can actually see and query. This separation matters because someone might need to manage a lakehouse without seeing all the data inside it, or view specific data without any management privileges.
OneLake’s Hierarchical Structure
OneLake organizes security in three layers:
- Workspace level – controls access to all items in that workspace
- Item level – controls access to specific lakehouses or datasets
- Folder level – controls access to specific tables and files
Permissions flow downward. Someone with workspace admin access automatically gets data access too. But you can override this with OneLake Security roles to restrict what data they see.

Getting Started with Microsoft Fabric Workspace Roles
The Four Roles That Run Your Workspace
Every Fabric workspace comes with four roles. Pick the one that matches what each person needs to do.
1. Admin (The Full Access Role)
- Complete control over workspace and all items
- Can add other admins and members
- Can edit OneLake security settings
- Reads and writes all data
2. Member (The Builder Role)
- Edits OneLake security settings
- Creates items and writes data
- Can’t add admins or delete the workspace
- Reads all data by default
3. Contributor (The Creator Role)
- Creates items and writes data
- Can’t touch security settings
- Can’t manage who’s in the workspace
- Reads data by default
4. Viewer (The Read-Only Role)
- Sees workspace items but nothing else
- Gets no data access unless you grant it through OneLake Security roles
- Can’t create or change anything
Using Security Groups for Easier Management
Assigning workspace roles to Microsoft Entra security groups simplifies administration. You add or remove people from the security group, and their Fabric access updates automatically. This beats managing individual user permissions, especially for large teams.
What makes Microsoft Fabric compelling is that security and analytics scale together. OneLake Security gives enterprises granular control without added complexity. Kanerika’s proven expertise means our clients skip the trial-and-error phase and move straight to production-ready implementations.
Amit Chandak, Chief Analytics Officer at Kanerika & Microsoft MVP
Item Level Permissions in Microsoft Fabric You Need to Know
Direct Item Access Through Sharing
You can share individual items with users who are not workspace members. They only see that specific item, nothing else in the workspace.
Three permission types control what shared users can do:
- Read – see item metadata only, no data access
- ReadData – access data through SQL endpoints
- ReadAll – access data through OneLake (file system access)
Managing Permissions for Individual Items
The Manage Permissions page shows who has access to each item. You can add users, remove access, and change permission levels without touching workspace roles. Different item types support different permission combinations.
| Permission Type | See Item Metadata | Access Through SQL Endpoint | Access Through File System |
| --- | --- | --- | --- |
| Read | Yes | No | No |
| ReadData | No | Yes | No |
| ReadAll | No | No | Yes* |
OneLake Security Roles for Granular Data Control
What Are OneLake Security Roles
OneLake Security roles give you fine-grained control over data access. Currently in preview, this feature works for Lakehouses and Azure Databricks Mirrored Catalogs. The security you set applies consistently across all Fabric engines, from Spark to SQL to Power BI.
Important Note About Preview Status
OneLake Security is in preview and requires opt-in for each lakehouse. Once you enable it, you cannot turn it off. The preview is not compatible with external data sharing. Before opting in, make sure you understand these limitations.
Four Components of Every Security Role
Each OneLake Security role contains four elements:
- Data – Which folders and tables users can access
- Permissions – Read or ReadWrite access levels
- Members – Which users and groups belong to the role
- Constraints – Row level or column level filters to further restrict data
Admins, Members, and Contributors bypass OneLake Security roles. They can read and write all data regardless of role membership. Security roles only affect Viewers and users with Read permission.
The DefaultReader Role
When you opt into the OneLake Security preview, a DefaultReader role is automatically created. This role includes everyone with ReadAll permission, maintaining their existing access. You can edit or delete this role to start restricting data access.
Creating Your First Security Role
Creating a role takes just a few steps. Open your lakehouse, select Manage OneLake Security, and click New.
Role requirements:
- Name must start with a letter
- Only alphanumeric characters allowed
- Maximum 128 characters
- Names are case insensitive
Choose your permission level. Read gives query access. ReadWrite adds the ability to modify data through Spark notebooks, OneLake APIs, and file explorer.
Select your data scope. All Data grants access to everything in the lakehouse, including future additions. Selected Data lets you choose specific tables and folders.
Add members by typing names or emails, or use advanced configuration for virtual memberships. Review the preview, then create the role. Changes take effect immediately.
Editing and Managing Existing Roles
Each role has two tabs. Data in Role shows what tables and folders are included. Members in Role shows who has access.
To modify included data:
- Select the role
- Click Add Data
- Check or uncheck tables and folders
- Confirm your selections
To configure row or column restrictions:
- Hover over a table in the Data tab
- Click the three dots
- Select Row-level security or Column-level security
- Define your filter conditions
Member changes apply instantly. Add new members through the Members tab or remove existing ones. The role updates as soon as you save.
Deleting Roles When No Longer Needed
Select the roles you want to remove from the OneLake Security pane. Click Delete and confirm. Users lose access immediately when their role is deleted.
| Workspace Role | Manage Admins | Manage Members | Configure Security | Build & Modify | View Data | Delete Workspace |
| --- | --- | --- | --- | --- | --- | --- |
| Admin | Yes | Yes | Yes | Yes | Yes | Yes |
| Member | No | Yes | Yes | Yes | Yes | No |
| Contributor | No | No | No | Yes | Yes | No |
| Viewer | No | No | No | No | No* | No |
Advanced Member Assignment Options
Two Ways to Add Users to Roles
You can add members directly by name or email. They show up in the members list with their profile picture. This works well for specific individuals or small groups.
Virtual memberships work differently. They automatically include users based on their Fabric item permissions. This keeps role membership synchronized with your existing permission structure.
How Virtual Memberships Work
Select Advanced Configuration when adding members. Choose from five permission groups:
- Read
- Write
- Reshare
- Execute
- ReadAll
Users need all selected permissions to qualify for the role. For example, selecting Read and Write includes only users with both permissions. The member count updates automatically as permissions change.
Viewing Virtual Members
The Added Using column shows how each member joined the role. Email means direct assignment. Permission group names mean virtual membership. You cannot remove virtual members directly. Remove the permission group from the role instead.
Additional Security Features in OneLake
1. Shortcut Security Considerations
OneLake shortcuts inherit security from their source. If you create a shortcut to another lakehouse, security roles from that source lakehouse control access. Users need proper permissions in the original location to access data through shortcuts.
2. Authentication with Microsoft Entra ID
OneLake uses Microsoft Entra ID for all authentication. Tools automatically pass user identity to OneLake, which checks it against your configured permissions.
Service principals need special enablement:
- Tenant admin must enable service principal support
- Can enable for entire tenant or specific security groups
- Check Developer Settings in tenant admin portal
3. Tracking Access with Audit Logs
Audit logs track operations like CreateFile and DeleteFile. View them through the Track User Activities feature in Fabric admin settings. Note that audit logs do not include read requests or access through Fabric workloads.
4. Encryption and Network Security
Your data gets encrypted automatically. At rest, Microsoft-managed keys protect all OneLake data with FIPS 140-2 compliant encryption. You can add your own customer-managed keys for an extra protection layer.
In transit, all data uses TLS 1.2 minimum. Fabric negotiates to TLS 1.3 when possible. All traffic between Microsoft services stays on the Microsoft global network.
Private links add another security option. Configure them through Fabric security settings to keep traffic off the public internet.
5. Controlling External Application Access
Tenant admins control whether outside applications can access OneLake data. This setting lives in the OneLake section of admin portal tenant settings.
Turn it on for:
- Custom applications using ADLS APIs
- OneLake file explorer access
- Third party tools connecting to OneLake
Turn it off to restrict access to internal Fabric apps only. Users can still work in Spark, Data Engineering, and Data Warehouse.
Key Benefits of OneLake Security in Microsoft Fabric for Users
1. Consistent Security Across All Engines
Set permissions once and they apply everywhere. Whether users access data through Spark notebooks, SQL queries, or Power BI reports, the same security rules enforce automatically. No need to configure separate permissions for each tool or worry about data leaking through different access points.
2. Granular Control Over Sensitive Data
Control access down to specific rows and columns, not just entire tables. Finance teams see their department budgets while sales teams see theirs. Customer service accesses client names and order history but never sees payment details. This precision protects sensitive information without blocking legitimate work.
3. Simplified Permission Management
Virtual role memberships sync automatically with existing Fabric permissions. When someone joins a team or changes roles, their data access updates without manual intervention. Security groups eliminate the need to manage individual user permissions, saving hours of administrative work and reducing errors.
4. Better Compliance and Governance
Meet regulatory requirements with enforceable data access controls. Audit logs track who accessed what data and when. Row and column level security ensures only authorized personnel see protected information. Organizations demonstrate compliance through clear, documented security policies that apply uniformly across all data access methods.
5. Reduced Risk of Data Exposure
Layered security prevents accidental data leaks. Viewers get no data access by default until explicitly granted through security roles. Even workspace admins can be restricted from seeing sensitive information while maintaining their management capabilities. This separation between administrative control and data access protects your most valuable information.
Best Practices for OneLake Security
1. Start Simple, Add Complexity Later
Begin with workspace roles. Move to item permissions for specific sharing needs. Use OneLake Security roles only when you need granular data control. This layered approach makes security easier to understand and manage.
2. Use Groups Instead of Individual Users
Assign permissions to security groups, not individual people. When someone joins or leaves a team, update the security group. Their Fabric access updates automatically across all roles and workspaces.
3. Review DefaultReader Before Restricting Access
The DefaultReader role gives all ReadAll users full data access. Check who has ReadAll permission before you enable OneLake Security preview. Edit or delete DefaultReader to start enforcing restrictions.
4. Avoid Redundant Permissions
Users in multiple roles get the combined permissions of all their roles. If someone has both workspace Member access and a data access role, the Member access wins. They see all data regardless of role restrictions.
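The access rules stated on this page (workspace Admins, Members and Contributors bypass OneLake Security roles; Viewers see nothing unless a role grants it; a user in several roles gets the combined access; virtual membership requires all selected permission groups; role names must be alphanumeric, start with a letter and stay under 128 characters; row and column constraints narrow what a role exposes) are easy to get wrong when planning a role design. The following is an added example written for this article, not Fabric's own code or API: a small Python model of those rules run over constructed sample data. The role names, user names, the `orders` table and the assumption that rows and columns visible through several roles combine as a union are all constructed for the illustration.

```python
"""Model of the OneLake Security access decision described in the article.

Constructed example, not Fabric's implementation. Assumptions: access granted
by several roles combines as a union of rows and columns; "All Data" is
modelled as the table set {"*"}.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Workspace roles that bypass OneLake Security roles entirely.
BYPASS_ROLES = {"Admin", "Member", "Contributor"}

# Role name rules from the article: letter first, alphanumeric, max 128 chars.
ROLE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{0,127}")


def valid_role_name(name: str) -> bool:
    return ROLE_NAME.fullmatch(name) is not None


@dataclass
class SecurityRole:
    name: str
    tables: FrozenSet[str]                       # {"*"} means All Data
    permission: str = "Read"                     # "Read" or "ReadWrite"
    members: FrozenSet[str] = frozenset()        # direct members
    virtual_groups: FrozenSet[str] = frozenset()  # e.g. {"Read", "Write"}
    row_filter: Optional[Callable[[dict], bool]] = None  # row-level security
    columns: Optional[FrozenSet[str]] = None     # column-level security; None = all


def virtual_members(role: SecurityRole, item_perms: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Virtual membership: a user qualifies only with ALL selected permission groups."""
    if not role.virtual_groups:
        return frozenset()
    return frozenset(u for u, perms in item_perms.items() if role.virtual_groups <= perms)


def effective_members(role: SecurityRole, item_perms: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    return role.members | virtual_members(role, item_perms)


def _role_covers(role: SecurityRole, table: str) -> bool:
    return "*" in role.tables or table in role.tables


def can_read_table(user: str, workspace_role: str, table: str,
                   roles: List[SecurityRole], item_perms: Dict[str, FrozenSet[str]]) -> bool:
    if workspace_role in BYPASS_ROLES:
        return True  # Admin/Member/Contributor read everything regardless of roles
    return any(user in effective_members(r, item_perms) and _role_covers(r, table) for r in roles)


def visible_rows(user: str, workspace_role: str, table: str, rows: List[dict],
                 roles: List[SecurityRole], item_perms: Dict[str, FrozenSet[str]]) -> List[dict]:
    """Rows and columns the user can see after row/column constraints (union across roles)."""
    if workspace_role in BYPASS_ROLES:
        return [dict(r) for r in rows]
    result = []
    for row in rows:
        granted_cols: set = set()
        for r in roles:
            if user not in effective_members(r, item_perms) or not _role_covers(r, table):
                continue
            if r.row_filter is not None and not r.row_filter(row):
                continue
            granted_cols |= (set(row) if r.columns is None else set(row) & r.columns)
        if granted_cols:
            result.append({k: v for k, v in row.items() if k in granted_cols})
    return result


# Constructed sample data: an orders table with a payment detail column.
ORDERS = [
    {"order_id": 1, "customer": "Contoso", "region": "EU", "amount": 120, "card_last4": "4242"},
    {"order_id": 2, "customer": "Fabrikam", "region": "US", "amount": 75, "card_last4": "1111"},
    {"order_id": 3, "customer": "Northwind", "region": "EU", "amount": 300, "card_last4": "9999"},
]

# Constructed item permissions per user (Viewers in the workspace).
ITEM_PERMISSIONS = {
    "alice": frozenset({"Read"}),
    "dave": frozenset({"Read", "Write"}),
    "eve": frozenset({"Read"}),
    "frank": frozenset({"Read", "Write"}),
}

ROLES = [
    # Customer service sees order history but never the payment column.
    SecurityRole("CustomerService", frozenset({"orders"}), members=frozenset({"alice", "frank"}),
                 columns=frozenset({"order_id", "customer", "region", "amount"})),
    # EU finance: virtual membership (Read AND Write) plus a row filter on region.
    SecurityRole("EUFinance", frozenset({"orders"}), virtual_groups=frozenset({"Read", "Write"}),
                 row_filter=lambda row: row["region"] == "EU"),
]


def view_for(user: str, workspace_role: str = "Viewer") -> List[dict]:
    return visible_rows(user, workspace_role, "orders", ORDERS, ROLES, ITEM_PERMISSIONS)


if __name__ == "__main__":
    for u in ("alice", "dave", "eve", "frank"):
        print(u, view_for(u))
    print("carol (Member)", view_for("carol", "Member"))
```

Running the block shows the cases the article warns about: eve holds only item Read and sits in no role, so she sees nothing; frank, who is in both roles, sees every row and gets the card column only on the EU rows where EUFinance applies; carol as a workspace Member sees the whole table whatever the roles say.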
5. Test Changes with Small Groups First
Create test roles with a few trusted users. Verify they see the right data before rolling out to larger teams. Role changes apply immediately, so testing prevents accidental data exposure or lockouts.
6. Audit Role Memberships Regularly
Schedule quarterly reviews of who belongs to each role. Remove people who changed teams or left the company. Check that virtual memberships still align with your security requirements.
7. Document Your Security Model
Write down which roles exist, what data they protect, and why they were created. Include contact information for role owners. This documentation helps new admins understand your security setup and makes troubleshooting faster.
Kanerika: The #1 Choice for Expert Microsoft Fabric implementation and Migration Services
Enterprises need a partner who understands both the technical depth of Microsoft Fabric and the business challenges of data modernization. Kanerika brings certified expertise, proven implementations, and specialized tools that accelerate your Fabric adoption.
Recognized Microsoft Partnership and Credentials
Kanerika holds three key Microsoft distinctions that matter for Fabric implementations.
Microsoft Data & AI Solutions Partner status confirms our track record across complex data modernization projects. Featured Microsoft Fabric Partner recognition highlights our capability to deliver high-quality, scalable implementations that meet Microsoft’s delivery standards.
Our team includes DP-600 (Fabric Analytics Engineer) and DP-700 (Data Engineer) certified professionals, a Microsoft MVP, and Superusers with deep platform knowledge. This ensures every implementation leverages Fabric’s latest capabilities.
We’re also an official FAIAD (Fabric Analyst in a Day) and RTIAD (Real-Time Intelligence in a Day) delivery partner, recognized by Microsoft to conduct certified training sessions and knowledge transfer programs.
Featured at Microsoft Ignite 2025
Microsoft featured Kanerika’s Azure to Fabric Migration Accelerator as a workload migration partner at Ignite 2025. This recognition validates our automated migration approach and technical innovation in the Fabric ecosystem.
Specialized Azure and Analytics Expertise
Beyond Fabric, Kanerika holds Data Warehouse Migration to Azure specialization and Analytics on Azure advanced specialization. These credentials demonstrate proven capability in cloud data platforms and enterprise analytics, giving us the foundation to design complete end-to-end solutions on Fabric.
Automating Migration from Legacy and Fragmented Systems to Microsoft Fabric
Moving from SSIS/SSRS/SSAS, Informatica, and Azure Data Factory/Synapse Analytics to Microsoft Fabric typically takes months and requires extensive resources. Kanerika’s migration accelerators cut this timeline to weeks through intelligent automation.
What our accelerators handle:
- Schema conversions and data type mappings
- Dependency relationship preservation
- Business logic retention during conversion
- Connection reconfiguration and runtime updates
- Workspace organization in Fabric
The automation reduces manual effort, eliminates human error, and maintains business continuity throughout the migration. Enterprises get faster implementation with lower operational overhead and minimized downtime risk.
Kanerika’s AI Agent and Migration Accelerator Now Available as Fabric Workloads
Azure to Fabric Migration Workload
This workload automates the conversion of Azure Data Factory and Synapse Analytics pipelines directly into Fabric components. It connects to your Azure subscription, analyzes existing pipelines and dependencies, then converts Azure activities into Fabric equivalents while preserving your orchestration logic.
The tool reconfigures connections automatically, updates integration runtimes to data gateways, and organizes converted pipelines into proper Fabric workspaces. Migration that used to require months of manual work now completes in weeks.

Karl: AI Agent for Instant Data Insights
Karl integrates directly into Microsoft Fabric as a workload, adding conversational intelligence to your lakehouse data. Team members ask questions in plain English and get AI-powered answers in seconds. No SQL knowledge required.

Final Thoughts
OneLake Security gives you precise control over data access in Microsoft Fabric. The layered approach lets you start with broad workspace permissions and drill down to specific tables, rows, and columns as needed. Security roles work consistently across all Fabric compute engines, so you set permissions once and they apply everywhere.
The preview features show Microsoft’s commitment to enterprise-grade security. Row level and column level filtering, virtual role memberships, and integration with Microsoft Entra ID give you the tools needed for compliance and governance. Start with simple workspace roles, test OneLake Security roles with small groups, and expand as you learn what works best for your organization.
Getting the full value from Microsoft Fabric means more than just understanding the features. It requires partnering with a firm like Kanerika that has deep platform expertise, proven implementation experience, and the technical capability to architect secure, scalable solutions tailored to your business needs.
FAQs
What is OneLake Security in Microsoft Fabric?
OneLake Security is a role-based access control system in Microsoft Fabric that controls who can access data stored in OneLake. It applies security consistently across all Fabric compute engines including Spark, SQL, and Power BI. Currently in preview, it supports Lakehouses and Azure Databricks Mirrored Catalogs.
What is the difference between control plane and data plane permissions in OneLake?
Control plane permissions manage administrative tasks like creating workspaces, sharing items, and editing settings. Data plane permissions control what data users can actually query and view. A user can have admin control over a lakehouse without seeing the data inside it, depending on how permissions are configured.
How do OneLake Security roles work in Microsoft Fabric?
OneLake Security roles define which folders and tables users can access, what permissions they have, and any row or column level restrictions. Roles are assigned to users or groups and apply across all Fabric engines. Workspace Admins, Members, and Contributors bypass these roles and access all data by default.
Is OneLake Security in Microsoft Fabric generally available?
Workspace and item-level permissions in Microsoft Fabric are generally available. OneLake Security roles, which enable granular folder, row, and column level access control, are currently in preview. The preview supports Lakehouses and Azure Databricks Mirrored Catalogs and requires opt-in on a per-item basis.
What is the DefaultReader role in OneLake Security?
The DefaultReader role is automatically created when you enable OneLake Security preview on a lakehouse. It includes all users with ReadAll permission, maintaining their existing data access. To start restricting data access, you need to edit or delete the DefaultReader role and configure specific security roles instead.
Can OneLake Security restrict access to specific rows and columns in Microsoft Fabric?
Yes. OneLake Security roles support row-level security and column-level security in addition to folder and table access control. Row-level filters restrict which records users can see within a table. Column-level security hides specific fields entirely. Both can be configured from the Data in Role tab within the security settings.
How does OneLake Security handle authentication in Microsoft Fabric?
OneLake uses Microsoft Entra ID for all authentication. Tools and compute engines automatically pass user identity to OneLake, which maps it against configured permissions. Service principals are also supported but require tenant administrator enablement through the Developer Settings section of the Fabric admin portal before they can be used.
What happens to data access when OneLake Security roles are deleted in Microsoft Fabric?
When a OneLake Security role is deleted, users assigned to that role immediately lose their data access. If users are part of multiple roles, they retain access granted by remaining roles. Workspace Admins, Members, and Contributors are not affected by role deletion and continue to access all data regardless.