Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Data Days is here! Join us now for 60+ days of learning, challenges, and connection. Learn more

Reply
VictorMed
Frequent Visitor

Hub Workspace with Centralised Lakehouse

‎05-18-2026 03:52 AM

Hi All,

 

We want to share company-wide data across multiple teams in a centralised lakehouse with schemas.

 

Our current approach has been:

  1. New Workspace where only the admin security group has a role (admin)
  2. Created 3 new security groups that are mutually exclusive (Executive, SLT, Employees)
  3. Created a new Lakehouse with a schema created and named after each security group
  4. Directly shared the lakehouse with each security group, with only read permissions
  5. Deleted DefaultReader role
  6. Created a OneLake security role for each security group with only access to their schema
  7. Created a custom DB role in SQL security to grant access to their schema and deny select to the other 2 schemas
  8. Revoke select to all schemas from public

 

With the above steps, I have test accounts in each security group, and currently, they can't access the lakehouse or SQL endpoint via portal or SSMS.

 

If sharing the workspace with viewer access, all accounts have access, bypassing SQL security, which defeats the purpose of the solution.

 

Am I missing something? 

 

Thanks,

Victor

Labels:
Message 1 of 5
317 Views
1 ACCEPTED SOLUTION
Olufemi7
Solution Sage
Solution Sage

‎05-19-2026 07:36 AM

Hello @VictorMed,
Looks like the issue is the difference between workspace access and SQL security.
Your schema permissions only affect the SQL endpoint, but once users get Viewer access to the workspace, they can access the Lakehouse more broadly through the Fabric portal.
Also worth checking the removal of the DefaultReader role, since that can break normal Lakehouse access.
From what I have seen, Fabric still does not fully support strict schema isolation inside a single shared Lakehouse in the same way SQL Server does.
Most people end up separating access using different Lakehouses, workspaces, or semantic models instead.

Docs:
Data security overview 
SQL granular permissions in Microsoft Fabric 

View solution in original post

Message 3 of 5
243 Views
4 REPLIES 4
v-saisrao-msft
Community Support
Community Support

‎05-28-2026 04:43 AM

HI @VictorMed,

Checking in to see if your issue has been resolved. let us know if you still need any assistance.

 

Thank you.

Message 5 of 5
94 Views
0
v-saisrao-msft
Community Support
Community Support

‎05-24-2026 09:27 PM

HI @VictorMed,

Have you had a chance to review the solution we shared by @lbendlin @Olufemi7? If the issue persists, feel free to reply so we can help further.

 

Thank you.

Message 4 of 5
130 Views
0
Olufemi7
Solution Sage
Solution Sage

‎05-19-2026 07:36 AM

Hello @VictorMed,
Looks like the issue is the difference between workspace access and SQL security.
Your schema permissions only affect the SQL endpoint, but once users get Viewer access to the workspace, they can access the Lakehouse more broadly through the Fabric portal.
Also worth checking the removal of the DefaultReader role, since that can break normal Lakehouse access.
From what I have seen, Fabric still does not fully support strict schema isolation inside a single shared Lakehouse in the same way SQL Server does.
Most people end up separating access using different Lakehouses, workspaces, or semantic models instead.

Docs:
Data security overview 
SQL granular permissions in Microsoft Fabric 

Message 3 of 5
244 Views
lbendlin
Super User
Super User

‎05-18-2026 05:58 AM

I think that 4.  only gives "read" access to semantic data, not the actual data.  You need to specifically grant readall for the data.

Message 2 of 5
280 Views
0

Helpful resources

Announcements
Fabric Data Days is here Carousel

Fabric Data Days 2026

Don't miss out on Data Days, June 15 through August 7. Learn Fabric, Power BI, SQL, AI and more.

June Fabric Update Carousel

Fabric Monthly Update - June 2026

Check out the June 2026 Fabric update to learn about new features.

View All