https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5189963#M16440 <P>HI&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/688040">@VictorMed</a>,</P> <P>Checking in to see if your issue has been resolved. let us know if you still need any assistance.</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P>Thank you.</P> Thu, 28 May 2026 11:43:24 GMT v-saisrao-msft 2026-05-28T11:43:24Z https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5184538#M16259 <P>Hi All,</P><P>&nbsp;</P><P>We want to share company-wide data across multiple teams in a centralised lakehouse with schemas.</P><P>&nbsp;</P><P>Our current approach has been:</P><OL><LI>New Workspace where only the admin security group has a role (admin)</LI><LI>Created 3 new security groups that are mutually exclusive (Executive, SLT, Employees)</LI><LI>Created a new Lakehouse with a schema created and named after each security group</LI><LI>Directly shared the lakehouse with each security group, with only read permissions</LI><LI>Deleted DefaultReader role</LI><LI>Created a OneLake security role for each security group with only access to their schema</LI><LI>Created a custom DB role in SQL security to grant access to their schema and deny select to the other 2 schemas</LI><LI>Revoke select to all schemas from public</LI></OL><P>&nbsp;</P><P>With the above steps, I have test accounts in each security group, and currently, they can't access the lakehouse or SQL endpoint via portal or SSMS.</P><P>&nbsp;</P><P>If sharing the workspace with viewer access, all accounts have access, bypassing SQL security, which defeats the purpose of the solution.</P><P>&nbsp;</P><P>Am I missing something?&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Victor</P> Mon, 18 May 2026 10:52:22 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5184538#M16259 VictorMed 2026-05-18T10:52:22Z https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5184649#M16268 <P>I think that 4.&nbsp; only gives "read" access to semantic data, not the actual data.&nbsp; You need to specifically grant readall for the data.</P> Mon, 18 May 2026 12:58:26 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5184649#M16268 lbendlin 2026-05-18T12:58:26Z https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5185467#M16286 <P>Hello&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/688040">@VictorMed</a>,<BR /><SPAN>Looks like the issue is the difference between workspace access and SQL security.</SPAN><SPAN><BR /></SPAN><SPAN>Your schema permissions only affect the SQL endpoint, but once users get Viewer access to the workspace, they can access the Lakehouse more broadly through the Fabric portal.</SPAN><SPAN><BR /></SPAN><SPAN>Also worth checking the removal of the DefaultReader role, since that can break normal Lakehouse access.</SPAN><SPAN><BR /></SPAN><SPAN>From what I have seen, Fabric still does not fully support strict schema isolation inside a single shared Lakehouse in the same way SQL Server does.</SPAN><SPAN><BR /></SPAN><SPAN>Most people end up separating access using different Lakehouses, workspaces, or semantic models instead.<BR /><BR />Docs:<BR /><A title="Data security overview" href="https://learn.microsoft.com/en-us/fabric/onelake/security/get-started-security" target="_self">Data security overview</A>&nbsp;<BR /><A title="SQL granular permissions in Microsoft Fabric" href="https://learn.microsoft.com/en-us/fabric/data-warehouse/sql-granular-permissions" target="_self">SQL granular permissions in Microsoft Fabric</A>&nbsp;</SPAN></P> Tue, 19 May 2026 14:36:19 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5185467#M16286 Olufemi7 2026-05-19T14:36:19Z https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5188160#M16351 <P>HI&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/688040">@VictorMed</a>,</P> <P>Have you had a chance to review the solution we shared by <a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/100342">@lbendlin</a>&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/843006">@Olufemi7</a>? If the issue persists, feel free to reply so we can help further.</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P>Thank you.</P> Mon, 25 May 2026 04:27:58 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5188160#M16351 v-saisrao-msft 2026-05-25T04:27:58Z https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5189963#M16440 <P>HI&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/688040">@VictorMed</a>,</P> <P>Checking in to see if your issue has been resolved. let us know if you still need any assistance.</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P>&nbsp;</P> <P>Thank you.</P> Thu, 28 May 2026 11:43:24 GMT https://community.fabric.microsoft.com/t5/Data-Engineering/Hub-Workspace-with-Centralised-Lakehouse/m-p/5189963#M16440 v-saisrao-msft 2026-05-28T11:43:24Z