https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920947#M14630 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/1381761">@KimMW</a>,&nbsp;</P><P>&nbsp;</P><P>Right now there is no nice way to enforce RLS with private links.&nbsp;</P><P>&nbsp;</P><UL><LI><STRONG>OneLake Security</STRONG><SPAN>&nbsp;</SPAN>isn't currently supported when a workspace-level private link is enabled for a workspace.</LI></UL><P>It does appear that the private link will work with the SQL Endpoint:&nbsp;<BR /><BR /><A href="https://learn.microsoft.com/en-us/fabric/security/security-workspace-level-private-links-support?tabs=fabric-portal-1%2Cfabric-portal-2%2Cfabric-portal-3%2Cfabric-portal-4%2Cfabric-portal-5%2Cfabric-portal-6%2Cfabric-portal-7%2Cfabric-portal-8%2Cfabric-portal-9%2Cfabric-portal-10%2Cfabric-portal-11%2Cfabric-portal-12%2Cfabric-portal-13%2Cfabric-portal-14#sql-endpoint-support" target="_blank">Supported scenarios for workspace private links - Microsoft Fabric | Microsoft Learn</A></P><P>&nbsp;</P><P>But that would not work when working in Notebooks or anything that accesses the data through OneLake.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 19 Jan 2026 14:34:04 GMT tayloramy 2026-01-19T14:34:04Z https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920885#M14627 <P>Good afternoon!</P><P>&nbsp;</P><P>The Workspace-level private links documentation says that it doesn't support Item sharing or OneLake Security (<A href="https://learn.microsoft.com/en-us/fabric/security/security-workspace-level-private-links-support" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/fabric/security/security-workspace-level-private-links-support</A>).&nbsp;Is there any way to enforce RLS/CLS on access to Lakehouse data in a scenario where workspace-level private links are in use?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Kim</P> Mon, 19 Jan 2026 13:33:07 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920885#M14627 KimMW 2026-01-19T13:33:07Z https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920947#M14630 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/1381761">@KimMW</a>,&nbsp;</P><P>&nbsp;</P><P>Right now there is no nice way to enforce RLS with private links.&nbsp;</P><P>&nbsp;</P><UL><LI><STRONG>OneLake Security</STRONG><SPAN>&nbsp;</SPAN>isn't currently supported when a workspace-level private link is enabled for a workspace.</LI></UL><P>It does appear that the private link will work with the SQL Endpoint:&nbsp;<BR /><BR /><A href="https://learn.microsoft.com/en-us/fabric/security/security-workspace-level-private-links-support?tabs=fabric-portal-1%2Cfabric-portal-2%2Cfabric-portal-3%2Cfabric-portal-4%2Cfabric-portal-5%2Cfabric-portal-6%2Cfabric-portal-7%2Cfabric-portal-8%2Cfabric-portal-9%2Cfabric-portal-10%2Cfabric-portal-11%2Cfabric-portal-12%2Cfabric-portal-13%2Cfabric-portal-14#sql-endpoint-support" target="_blank">Supported scenarios for workspace private links - Microsoft Fabric | Microsoft Learn</A></P><P>&nbsp;</P><P>But that would not work when working in Notebooks or anything that accesses the data through OneLake.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 19 Jan 2026 14:34:04 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920947#M14630 tayloramy 2026-01-19T14:34:04Z https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920950#M14632 <P>Hello&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/1381761">@KimMW</a>&nbsp;</P><P>&nbsp;</P><P>Yes, however, OneLake Security cannot be applied directly within the Lakehouse when using workspace-level private links.</P><P><BR />RLS/CLS enforcement at the Lakehouse storage layer is not possible in this scenario, as OneLake Security is unsupported with workspace-level private links.</P><P><BR />Microsoft has highlighted this restriction as you rightly mention:</P><UL><LI>Workspace-level private links do not support OneLake Security (which includes RLS and CLS), meaning item-level and table-level access controls are not enforced at this layer.&nbsp;</LI></UL><P>Consequently, OneLake Security RLS/CLS will not be effective if your configuration relies on private links.</P><P>&nbsp;</P><P>Nonetheless, RLS at the model layer remains fully operational, as:</P><UL><LI>RLS within Semantic Models (Direct Lake / Import / DirectQuery) is managed by the Power BI engine, rather than OneLake.</LI><LI>This approach is recommended when OneLake Security is unavailable or not preferred, such as when workspace private links are in use.</LI></UL><P>This aligns with Microsoft’s guidance for implementing RLS in supported Fabric engines, including SQL Analytics Endpoint and semantic models.</P><P>&nbsp;</P><P><A title="https://learn.microsoft.com/en-us/fabric/onelake/security/row-level-security" href="https://learn.microsoft.com/en-us/fabric/onelake/security/row-level-security" target="_blank" rel="noreferrer noopener">Row-level security - Microsoft Fabric | Microsoft Learn</A></P><P>&nbsp;</P><P>Hope this helps - please appreciate by leaving a <STRONG>Kudos</STRONG> or accepting as a <STRONG>Solution</STRONG>!&nbsp;</P> Mon, 19 Jan 2026 14:38:00 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920950#M14632 deborshi_nag 2026-01-19T14:38:00Z https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920951#M14633 <P>Thank you for confirming&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/1340679">@tayloramy</a>&nbsp;</P><P>&nbsp;</P><P>Given that item sharing isn't supported with Workspace Private Link, how can one use the SQL Endpoint in these scenarios to give access in this way? Does the user have to have been granted access directly to the workspace the lakehouse is in?</P> Mon, 19 Jan 2026 14:38:27 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920951#M14633 KimMW 2026-01-19T14:38:27Z https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920953#M14635 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/1381761">@KimMW</a>,&nbsp;</P><P>&nbsp;</P><P>Yes, I do believe that workspace access needs to be granted.&nbsp;&nbsp;</P> Mon, 19 Jan 2026 14:40:27 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Granular-lakehouse-data-security-with-Workspace-Private-Links/m-p/4920953#M14635 tayloramy 2026-01-19T14:40:27Z