1.3.1 Configure OneLake Data Access Roles

What are OneLake data access roles?

Granular security roles that control read access to specific folders and files within a lakehouse, enabling folder/file-level security on OneLake data.

How do OneLake data access roles differ from workspace roles?

Workspace roles control access to Fabric items. OneLake data access roles control access to specific folders/files within a lakehouse's storage.

How do you create a OneLake data access role?

In Lakehouse Settings > OneLake data access, create a new role, define folder-level read permissions, then assign users or security groups.

What is the default OneLake data access behavior?

By default, all workspace users with Viewer role or above can read all data in OneLake for that workspace. Data access roles restrict this.

Do OneLake data access roles control write access?

No. They control read access only. Write access is governed by workspace roles (Contributor, Member, Admin).

Can you assign OneLake data access roles to security groups?

Yes. Roles can be assigned to individual users, Microsoft Entra security groups, or service principals.

How do data access roles interact with SQL endpoint queries?

SQL endpoint queries respect OneLake data access roles. Users only see rows from folders they have read access to.

What granularity do OneLake data access roles support?

Folder-level granularity within the lakehouse. You can grant access to specific folders under Tables or Files.

Can you have multiple data access roles on a single lakehouse?

Yes. You can create multiple roles with different folder permissions and assign different users/groups to each role.

How do OneLake data access roles affect Spark notebook queries?

Spark notebooks running under a user's identity respect data access roles. The user only reads data from folders their role permits.