fatma_akyol
Frequent Visitor

Lakehouse sharing without workspace access causes 403

Hello,

 

We created a OneLake security role and granted access to specific tables. 
Then we shared the Lakehouse with the same user using Read and ReadAll permissions via 
Lakehouse → Manage permissions.

 

The user does NOT have any workspace role (Viewer/Contributor).

 

According to the official Microsoft documentation, Lakehouse data can be shared 
without granting workspace access:
https://learn.microsoft.com/en-us/fabric/data-engineering/lakehouse-sharing

 

 

However, when the user tries to open the Lakehouse from the OneLake Catalog, 
they receive the following error:

 

"User is not authorized to perform this operation. (403)"

 

Questions:

1. Is workspace access still required to open a Lakehouse from OneLake Catalog UI, even when the Lakehouse is shared directly?

2. How can we share lakehouse without workspace-level access?

Any clarification or guidance would be appreciated.

1 ACCEPTED SOLUTION

Hello,

We opened a support ticket with Microsoft. According to their response, workspace permissions are required to view a Lakehouse from the OneLake Catalog and Explorer UI. To open and view Lakehouse tables in the Fabric UI, a user must have one of the following workspace roles: Contributor, Member, or Admin. So the problem is resolved.


11 REPLIES
deborshi_nag
Resident Rockstar

Hello @fatma_akyol 

 

Lakehouse sharing should work without giving the user any workspace role—but a 403 can still happen depending on how OneLake security and the SQL Analytics endpoint are configured.
 
  1. Prerequisite for ReadAll
  • ReadAll is an additional permission that only works on top of either Read (item-level sharing) or a workspace Viewer role. You already granted Read (good), so this prerequisite should be satisfied.
  2. OneLake security (preview) changes the access model
  • If you turned on Manage OneLake security (preview) for the lakehouse, users must be in a data access role to see data; users not in a role “see no data in that item.” A default role (DefaultReader) is created to keep existing read access for users who had ReadAll; if you removed ReadAll and didn’t add the user to a role, they may get 403 trying to browse/open via OneLake Catalog.
  3. SQL Analytics endpoint identity mode
  • With OneLake table/folder security enabled, the lakehouse’s SQL Analytics endpoint must be set to “User’s identity mode” (Security tab). If it’s still using a fixed/delegated identity, authorization can fail for users without workspace roles, leading to 403.

How to Fix

 

  • Verify sharing permissions on the Lakehouse

    • In Lakehouse → … → Manage permissions → Direct access, confirm the user/group has Read (not just ReadAll).
    • If you rely on ReadAll for Spark, keep Read as well; ReadAll alone doesn’t grant lakehouse data access. 
  • If OneLake security (preview) is ON, add the user to a data access role

    • Go to Lakehouse → Manage OneLake security (preview).
    • Create/choose a role and grant Read (and optionally ReadWrite if needed).
    • Add the user/group to that role and include the specific tables/folders they should access.
    • Ensure they’re not still in the DefaultReader role if you intend to restrict them; otherwise, they keep full read access. 
  • Switch the SQL Analytics endpoint to “User’s identity mode”

    • Open the SQL Analytics endpoint → Settings → Security and set User’s identity mode.
    • This is required for OneLake table/folder security scenarios to authorize the actual user, not a fixed owner identity.

Hope this fixes your problem, kindly appreciate giving a Kudos or accept as a Solution

I trust this will be helpful. If you found this guidance useful, you are welcome to acknowledge with a Kudos or by marking it as a Solution.

Hello @deborshi_nag ,

Thank you for your response.

The user has Read, ReadAll, and SubscribeOneLakeEvents permissions.
We assigned the user to a OneLake security role and granted access to specific tables within this role.
Additionally, "User’s identity mode" is enabled on the SQL Analytics Endpoint.

We have already applied all of the recommendations mentioned above; however, the issue still persists.

Thank you.

Have you removed the user from the DefaultReader role?


Yes. We removed 

The user should open the lakehouse from Browse → Shared with me and from OneLake Catalog. The item appears when sharing is configured correctly.
 
Let me know if you're getting the error here.

The user can see the Lakehouse in the Shared with me section of the OneLake Catalog.
However, when the user tries to open the Lakehouse from the catalog, a 403 – Not authorized error is returned.
Despite this, the user can access the SQL Analytics Endpoint without any issues from catalog.

Hi @fatma_akyol,

 

Thank you for reaching out to Microsoft Fabric Community.

 

Thank you @deborshi_nag and @ismail_ozturk for the prompt response. 

 

This is expected behaviour in Microsoft Fabric. While Lakehouse data access can be shared without workspace roles using item-level sharing, the Lakehouse UI still requires workspace permissions.

Currently there is no supported way to open the lakehouse UI without granting at least Viewer access to the workspace. Your configuration is correct and the 403 error is expected.

I recommend submitting your detailed feedback and ideas through Microsoft's official feedback channels. Feedback submitted through these channels is frequently reviewed by the product teams and can contribute to meaningful improvements.

Fabric Ideas - Microsoft Fabric Community

 

Thanks and regards,

Anjan Kumar Chippa

Hi @fatma_akyol,

 

As we haven’t heard back from you, we wanted to kindly follow up to check whether your issue is resolved. If not, have you raised this in the Ideas forum?

 

Thanks and regards,

Anjan Kumar Chippa

Hello,

We opened a support ticket with Microsoft. According to their response, workspace permissions are required to view a Lakehouse from the OneLake Catalog and Explorer UI. To open and view Lakehouse tables in the Fabric UI, a user must have one of the following workspace roles: Contributor, Member, or Admin. So the problem is resolved.

Hi @fatma_akyol,

 

Thank you for confirming that the issue is resolved now. Thank you for being part of Microsoft Fabric Community.

 

Thanks and regards,

Anjan Kumar Chippa

ismail_ozturk
Helper I

Hello,

I have faced this issue so many times, but I could not find any solution except giving Viewer access in the workspace. I think there is a bug or a misunderstanding.

Happy new year
