Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Fabric Data Days Monthly is back. Join us on March 26th for two expert-led sessions on 1) Getting Started with Fabric IQ and 2) Mapping & Spacial Analytics in Fabric. Register now

Reply
KimMW
Regular Visitor

Granular lakehouse data security with Workspace Private Links

‎01-19-2026 05:33 AM

Good afternoon!

 

The Workspace-level private links documentation says that it doesn't support Item sharing or OneLake Security (https://learn.microsoft.com/en-us/fabric/security/security-workspace-level-private-links-support). Is there any way to enforce RLS/CLS on access to Lakehouse data in a scenario where workspace-level private links are in use?

 

Thanks

 

Kim

Labels:
Message 1 of 5
420 Views
0
2 ACCEPTED SOLUTIONS
tayloramy
Super User
Super User

‎01-19-2026 06:34 AM

Hi @KimMW

 

Right now there is no nice way to enforce RLS with private links. 

 

  • OneLake Security isn't currently supported when a workspace-level private link is enabled for a workspace.

It does appear that the private link will work with the SQL Endpoint: 

Supported scenarios for workspace private links - Microsoft Fabric | Microsoft Learn

 

But that would not work when working in Notebooks or anything that accesses the data through OneLake. 

 

 

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



View solution in original post

Message 2 of 5
393 Views
deborshi_nag
Resident Rockstar
Resident Rockstar

‎01-19-2026 06:38 AM

Hello @KimMW 

 

Yes, however, OneLake Security cannot be applied directly within the Lakehouse when using workspace-level private links.


RLS/CLS enforcement at the Lakehouse storage layer is not possible in this scenario, as OneLake Security is unsupported with workspace-level private links.


Microsoft has highlighted this restriction as you rightly mention:

  • Workspace-level private links do not support OneLake Security (which includes RLS and CLS), meaning item-level and table-level access controls are not enforced at this layer. 

Consequently, OneLake Security RLS/CLS will not be effective if your configuration relies on private links.

 

Nonetheless, RLS at the model layer remains fully operational, as:

  • RLS within Semantic Models (Direct Lake / Import / DirectQuery) is managed by the Power BI engine, rather than OneLake.
  • This approach is recommended when OneLake Security is unavailable or not preferred, such as when workspace private links are in use.

This aligns with Microsoft’s guidance for implementing RLS in supported Fabric engines, including SQL Analytics Endpoint and semantic models.

 

Row-level security - Microsoft Fabric | Microsoft Learn

 

Hope this helps - please appreciate by leaving a Kudos or accepting as a Solution

I trust this will be helpful. If you found this guidance useful, you are welcome to acknowledge with a Kudos or by marking it as a Solution.

View solution in original post

Message 5 of 5
391 Views
4 REPLIES 4
deborshi_nag
Resident Rockstar
Resident Rockstar

‎01-19-2026 06:38 AM

Hello @KimMW 

 

Yes, however, OneLake Security cannot be applied directly within the Lakehouse when using workspace-level private links.


RLS/CLS enforcement at the Lakehouse storage layer is not possible in this scenario, as OneLake Security is unsupported with workspace-level private links.


Microsoft has highlighted this restriction as you rightly mention:

  • Workspace-level private links do not support OneLake Security (which includes RLS and CLS), meaning item-level and table-level access controls are not enforced at this layer. 

Consequently, OneLake Security RLS/CLS will not be effective if your configuration relies on private links.

 

Nonetheless, RLS at the model layer remains fully operational, as:

  • RLS within Semantic Models (Direct Lake / Import / DirectQuery) is managed by the Power BI engine, rather than OneLake.
  • This approach is recommended when OneLake Security is unavailable or not preferred, such as when workspace private links are in use.

This aligns with Microsoft’s guidance for implementing RLS in supported Fabric engines, including SQL Analytics Endpoint and semantic models.

 

Row-level security - Microsoft Fabric | Microsoft Learn

 

Hope this helps - please appreciate by leaving a Kudos or accepting as a Solution

I trust this will be helpful. If you found this guidance useful, you are welcome to acknowledge with a Kudos or by marking it as a Solution.
Message 5 of 5
392 Views
tayloramy
Super User
Super User

‎01-19-2026 06:34 AM

Hi @KimMW

 

Right now there is no nice way to enforce RLS with private links. 

 

  • OneLake Security isn't currently supported when a workspace-level private link is enabled for a workspace.

It does appear that the private link will work with the SQL Endpoint: 

Supported scenarios for workspace private links - Microsoft Fabric | Microsoft Learn

 

But that would not work when working in Notebooks or anything that accesses the data through OneLake. 

 

 

 





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



Message 2 of 5
394 Views
KimMW
Regular Visitor
In response to tayloramy

‎01-19-2026 06:38 AM

Thank you for confirming @tayloramy 

 

Given that item sharing isn't supported with Workspace Private Link, how can one use the SQL Endpoint in these scenarios to give access in this way? Does the user have to have been granted access directly to the workspace the lakehouse is in?

Message 3 of 5
390 Views
0
tayloramy
Super User
Super User
In response to KimMW

‎01-19-2026 06:40 AM

Hi @KimMW

 

Yes, I do believe that workspace access needs to be granted.  





If you found this helpful, consider giving some Kudos.
If I answered your question or solved your problem, mark this post as the solution!

Proud to be a Super User!



Message 4 of 5
386 Views

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

February Fabric Update Carousel

Fabric Monthly Update - February 2026

Check out the February 2026 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Kudoed Authors
View All