topic Re: Lakehouse sharing without workspace access causes 403 in Data Engineering

Lakehouse sharing without workspace access causes 403

fatma_akyol — Tue, 30 Dec 2025 08:19:18 GMT

Hello,

We created a OneLake security role and granted access to specific tables.
Then we shared the Lakehouse with the same user using Read and ReadAll permissions via
Lakehouse → Manage permissions.

The user does NOT have any workspace role (Viewer/Contributor).

According to the official Microsoft documentation, Lakehouse data can be shared
without granting workspace access:
https://learn.microsoft.com/en-us/fabric/data-engineering/lakehouse-sharing

However, when the user tries to open the from the OneLake Catalog,
they receive the following error:

"User is not authorized to perform this operation. (403)"

Questions:

1. Is workspace access still required to open a Lakehouse from OneLake Catalog UI, even when the Lakehouse is shared directly?

2. How can we share lakehouse without workspace-level access?

Any clarification or guidance would be appreciated.

Re: Lakehouse sharing without workspace access causes 403

ismail_ozturk — Tue, 30 Dec 2025 08:34:54 GMT

Hello,

I have faced this issue so many times but I could not find any solution except giving viewer acces in workspace. I think there is something a bug or misunderstanding.

Happy new year

Re: Lakehouse sharing without workspace access causes 403

deborshi_nag — Tue, 30 Dec 2025 10:38:16 GMT

Hello @fatma_akyol

Lakehouse sharing should work without giving the user any workspace role—but a 403 can still happen depending on how OneLake security and the SQL Analytics endpoint are configured.

Prerequisite for ReadAll

ReadAll is an additional permission that only works on top of either Read (item-level sharing) or a workspace Viewer role. You already granted Read (good), so this prerequisite should be satisfied.

OneLake security (preview) changes the access model

If you turned on Manage OneLake security (preview) for the lakehouse, users must be in a data access role to see data; users not in a role “see no data in that item.” A default role (DefaultReader) is created to keep existing read access for users who had ReadAll; if you removed ReadAll and didn’t add the user to a role, they may get 403 trying to browse/open via OneLake Catalog.

SQL Analytics endpoint identity mode

With OneLake table/folder security enabled, the lakehouse’s SQL Analytics endpoint must be set to “User’s identity mode” (Security tab). If it’s still using a fixed/delegated identity, authorization can fail for users without workspace roles, leading to 403.

How to Fix

Verify sharing permissions on the Lakehouse
- In Lakehouse → … → Manage permissions → Direct access, confirm the user/group has Read (not just ReadAll).
- If you rely on ReadAll for Spark, keep Read as well; ReadAll alone doesn’t grant lakehouse data access.
If OneLake security (preview) is ON, add the user to a data access role
- Go to Lakehouse → Manage OneLake security (preview).
- Create/choose a role and grant Read (and optionally ReadWrite if needed).
- Add the user/group to that role and include the specific tables/folders they should access.
- Ensure they’re not still in the DefaultReader role if you intend to restrict them; otherwise, they keep full read access.
Switch the SQL Analytics endpoint to “User’s identity mode”
- Open the SQL Analytics endpoint → Settings → Security and set User’s identity mode.
- This is required for OneLake table/folder security scenarios to authorize the actual user, not a fixed owner identity.

Hope this fixes your problem, kindly appreciate giving a Kudos or accept as a Solution!

Re: Lakehouse sharing without workspace access causes 403

fatma_akyol — Tue, 30 Dec 2025 10:49:11 GMT

Hello @deborshi_nag ,

Thank you for your response.

The user has Read, ReadAll, and SubscribeOneLakeEvents permissions.
We assigned the user to a OneLake security role and granted access to specific tables within this role.
Additionally, "User’s identity mode is enabled" on the SQL Analytics Endpoint.

We have already applied all of the recommendations mentioned above; however, the issue still persists.

Thank you.

Re: Lakehouse sharing without workspace access causes 403

deborshi_nag — Tue, 30 Dec 2025 11:19:33 GMT

Have you removed the user from the DefaultReader role?

Re: Lakehouse sharing without workspace access causes 403

fatma_akyol — Tue, 30 Dec 2025 11:33:31 GMT

Yes. We removed

Re: Lakehouse sharing without workspace access causes 403

deborshi_nag — Tue, 30 Dec 2025 12:00:18 GMT

The user should open the lakehouse from Browse → Shared with me and from OneLake Catalog. The item appears when sharing is configured correctly.

Let me know if you're getting the error here.

Re: Lakehouse sharing without workspace access causes 403

fatma_akyol — Tue, 30 Dec 2025 13:28:11 GMT

The user can see the Lakehouse in the Shared with me section of the OneLake Catalog.
However, when the user tries to open the Lakehouse from the catalog, a 403 – Not authorized error is returned.
Despite this, the user can access the SQL Analytics Endpoint without any issues from catalog.

Re: Lakehouse sharing without workspace access causes 403

v-achippa — Wed, 07 Jan 2026 05:56:25 GMT

Hi @fatma_akyol,

Thank you for reaching out to Microsoft Fabric Community.

Thank you @deborshi_nag and @ismail_ozturk for the prompt response.

This is expected behaviour in microsoft fabric. While Lakehouse data access can be shared without workspace roles using item level sharing but the lakehouse UI still requires workspace permissions.

Currently there is no supported way to open the lakehouse UI without granting at least Viewer access to the workspace. Your configuration is correct and the 403 error is expected.

I recommend submitting your detailed feedback and ideas through Microsoft's official feedback channels. Feedback submitted through these channels is frequently reviewed by the product teams and can contribute to meaningful improvements.

Fabric Ideas - Microsoft Fabric Community

Thanks and regards,

Anjan Kumar Chippa

Re: Lakehouse sharing without workspace access causes 403

v-achippa — Mon, 12 Jan 2026 04:32:36 GMT

Hi @fatma_akyol,

As we haven’t heard back from you, we wanted to kindly follow up to check if your issue is resolved? If not have you raised this in the ideas forum?

Thanks and regards,

Anjan Kumar Chippa

Re: Lakehouse sharing without workspace access causes 403

fatma_akyol — Mon, 12 Jan 2026 12:45:29 GMT

Hello,

We opened a support ticket with Microsoft. According to their response, workspace permissions are required to view a Lakehouse from the OneLake Catalog and Explorer UI. To open and view Lakehouse tables in the Fabric UI, a user must have one of the following workspace roles: Contributor, Member, or Admin. So the problem is resolved.

Re: Lakehouse sharing without workspace access causes 403

v-achippa — Tue, 13 Jan 2026 10:58:59 GMT

Hi @fatma_akyol,

Thank you for confirming that the issue is resolved now. Thank you for being part of Microsoft Fabric Community.

Thanks and regards,

Anjan Kumar Chippa