Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric certified for FREE! Don't miss your chance! Learn more

Reply
KimMW
New Member

Granular lakehouse data security with Workspace Private Links

‎01-19-2026 05:33 AM

Good afternoon!

 

The Workspace-level private links documentation says that it doesn't support Item sharing or OneLake Security (https://learn.microsoft.com/en-us/fabric/security/security-workspace-level-private-links-support). Is there any way to enforce RLS/CLS on access to Lakehouse data in a scenario where workspace-level private links are in use?

 

Thanks

 

Kim

Labels:
Message 1 of 5
312 Views
0
2 ACCEPTED SOLUTIONS
tayloramy
Super User
Super User

‎01-19-2026 06:34 AM

Hi @KimMW

 

Right now there is no nice way to enforce RLS with private links. 

 

  • OneLake Security isn't currently supported when a workspace-level private link is enabled for a workspace.

It does appear that the private link will work with the SQL Endpoint: 

Supported scenarios for workspace private links - Microsoft Fabric | Microsoft Learn

 

But that would not work when working in Notebooks or anything that accesses the data through OneLake. 

 

 

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



View solution in original post

Message 2 of 5
285 Views
deborshi_nag
Memorable Member
Memorable Member

‎01-19-2026 06:38 AM

Hello @KimMW 

 

Yes, however, OneLake Security cannot be applied directly within the Lakehouse when using workspace-level private links.


RLS/CLS enforcement at the Lakehouse storage layer is not possible in this scenario, as OneLake Security is unsupported with workspace-level private links.


Microsoft has highlighted this restriction as you rightly mention:

  • Workspace-level private links do not support OneLake Security (which includes RLS and CLS), meaning item-level and table-level access controls are not enforced at this layer. 

Consequently, OneLake Security RLS/CLS will not be effective if your configuration relies on private links.

 

Nonetheless, RLS at the model layer remains fully operational, as:

  • RLS within Semantic Models (Direct Lake / Import / DirectQuery) is managed by the Power BI engine, rather than OneLake.
  • This approach is recommended when OneLake Security is unavailable or not preferred, such as when workspace private links are in use.

This aligns with Microsoft’s guidance for implementing RLS in supported Fabric engines, including SQL Analytics Endpoint and semantic models.

 

Row-level security - Microsoft Fabric | Microsoft Learn

 

Hope this helps - please appreciate by leaving a Kudos or accepting as a Solution

I trust this will be helpful. If you found this guidance useful, you are welcome to acknowledge with a Kudos or by marking it as a Solution.

View solution in original post

Message 5 of 5
283 Views
4 REPLIES 4
deborshi_nag
Memorable Member
Memorable Member

‎01-19-2026 06:38 AM

Hello @KimMW 

 

Yes, however, OneLake Security cannot be applied directly within the Lakehouse when using workspace-level private links.


RLS/CLS enforcement at the Lakehouse storage layer is not possible in this scenario, as OneLake Security is unsupported with workspace-level private links.


Microsoft has highlighted this restriction as you rightly mention:

  • Workspace-level private links do not support OneLake Security (which includes RLS and CLS), meaning item-level and table-level access controls are not enforced at this layer. 

Consequently, OneLake Security RLS/CLS will not be effective if your configuration relies on private links.

 

Nonetheless, RLS at the model layer remains fully operational, as:

  • RLS within Semantic Models (Direct Lake / Import / DirectQuery) is managed by the Power BI engine, rather than OneLake.
  • This approach is recommended when OneLake Security is unavailable or not preferred, such as when workspace private links are in use.

This aligns with Microsoft’s guidance for implementing RLS in supported Fabric engines, including SQL Analytics Endpoint and semantic models.

 

Row-level security - Microsoft Fabric | Microsoft Learn

 

Hope this helps - please appreciate by leaving a Kudos or accepting as a Solution

I trust this will be helpful. If you found this guidance useful, you are welcome to acknowledge with a Kudos or by marking it as a Solution.
Message 5 of 5
284 Views
tayloramy
Super User
Super User

‎01-19-2026 06:34 AM

Hi @KimMW

 

Right now there is no nice way to enforce RLS with private links. 

 

  • OneLake Security isn't currently supported when a workspace-level private link is enabled for a workspace.

It does appear that the private link will work with the SQL Endpoint: 

Supported scenarios for workspace private links - Microsoft Fabric | Microsoft Learn

 

But that would not work when working in Notebooks or anything that accesses the data through OneLake. 

 

 

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



Message 2 of 5
286 Views
KimMW
New Member
In response to tayloramy

‎01-19-2026 06:38 AM

Thank you for confirming @tayloramy 

 

Given that item sharing isn't supported with Workspace Private Link, how can one use the SQL Endpoint in these scenarios to give access in this way? Does the user have to have been granted access directly to the workspace the lakehouse is in?

Message 3 of 5
282 Views
0
tayloramy
Super User
Super User
In response to KimMW

‎01-19-2026 06:40 AM

Hi @KimMW

 

Yes, I do believe that workspace access needs to be granted.  





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



Message 4 of 5
278 Views

Helpful resources

Announcements
Sticker Challenge 2026 Carousel

Join our Community Sticker Challenge 2026

If you love stickers, then you will definitely want to check out our Community Sticker Challenge!

Free Fabric Certifications

Free Fabric Certifications

Get Fabric certified for free! Don't miss your chance.

January Fabric Update Carousel

Fabric Monthly Update - January 2026

Check out the January 2026 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All