We have a service account that we want to use to create a shortcut from Lakehouse Source, located in Workspace Source, to Lakehouse Target, located in Workspace Target. The admin of Workspace Source and Lakehouse Source has restricted this service account’s access so that it can only access the dbo schema and specifically tables A, B and C within that schema. However, Lakehouse Source contains many more tables spread across different schemas.

Is it possible for the service account to access tables A, B and C from the dbo schema of the Lakehouse Source via both the Lakehouse and the SQL Endpoint, and successfully create shortcuts for those same tables into Lakehouse Target in Workspace Target? The intended behaviour is that everyone who has access to Workspace B should inherit exactly the same level of access as the service account, nothing less, in this case. Is this achievable?

I’ve already tried several approaches:

The User X is admin in the Workspace Target.

I started by not granting User X access to the Workspace Source. I created a role with User X in Manage OneLake data access (preview) to give access only to the three required tables, without enabling any of the advanced settings. I also tested with the reshare option ticked in the advanced settings under the Manage OneLake data access (preview) section of the source Lakehouse, but this did not work.

In the Manage permissions section of the same Lakehouse, I added User X without selecting any permission checkboxes. This also failed. I then tested variations where I ticked "Read all Apache Spark and subscribe to events", but the result was always the same.

I also granted the following access on the SQL endpoint:

GRANT SELECT ON dbo.dim_part TO [user_x];
GRANT SELECT ON dbo.dim_partsource TO [user_x];
GRANT SELECT ON dbo.dim_site TO [user_x];

Despite all attempts, I consistently encountered the same error when trying to create a shortcut. It’s important to note that User X is also the owner of the source Lakehouse:

{
"error": {
"code": "Forbidden",
"message": "User is not authorized to perform current operation for workspace 'Workspace Source', artifact 'Lakehouse Source'.",
"target": null,
"details": null
}
}

To work around this, I tried granting User X viewer access on the workspace, but this didn’t solve the issue either.
One relevant point: Lakehouse Schemas (Public Preview) is not enabled on the source Lakehouse, although it is enabled on the target Lakehouse. I’ve also tested with the target Lakehouse having this setting disabled, but the error still occurs.
Given all of the above, could you confirm whether it is possible to create a shortcut from a source Lakehouse with restricted table access, into a target Lakehouse, and if so, what are the correct steps to achieve this?

@Microsoft @Fabric @microsoftfabric