Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

60 Days of Data Days! Live and on-demand sessions, challenges, study groups and more! And it's all FREE!. Join now. Learn more

Reply
schneiw
Advocate IV
Advocate IV

Lakehouse table security

Hello Community!

 

For our internal IT team, we have general read access to all SQL Endpoints of Lakehouses (via workspace access setting) and also have the ReadAll setting applied on each Lakehouse as well, so that they can have read access via Notebooks.

 

One of our Lakehouses contains replicated tables from the ERP system. A requirement from Finance is that no one except a certain group has access to the GL tables. Is there away to set a "deny" on all the non authorized groups to specify that certain table(s) may not be accessed? I believe we can do this over the SQL Endpoint via grant statements in SQL, but how does one do this so that a notebook also cannot access the table(s) since it does not use the SQL Endpoint? 

 

I have seen suggestions to have those tables in their own seperate Lakehouse - but that seems like some overkill, is there no easier method to block access to specific tables when accessing via Notebooks?

 

Thank you!

1 ACCEPTED SOLUTION
Lozovskyi
Kudo Collector
Kudo Collector

Hello @schneiw, there is no Deny as of today; however, you can do that by leveraging One lake security preview.

Lozovskyi_0-1773706065156.png

To simplify the solution and maintenance undertaking, you can store GL data under one schema.

Then define a role to read data inside this schema.

Lozovskyi_1-1773706262890.png

add allowed user group as a member and then share the lakehouse with this group. when sharing the lakehouse, keep all selections unticked. By that, users will see the lakehouse under the OneLake catalog.

If you need to grant them SQL endpoint access, go to the SQL endpoint and switch to Use OneLake security for tables (User's identity access mode)

Lozovskyi_4-1773706675759.png

 

Lozovskyi_3-1773706646442.png

 

Lozovskyi_2-1773706335000.png

It's important to keep in mind that having higher-level rights (shared read All, or having workspace-level access) will override this security setup.

View solution in original post

4 REPLIES 4
v-echaithra
Community Support
Community Support

Hi @schneiw ,

Thank you @Lozovskyi , @Olufemi7 , @Srisakthi  for your inputs.

We’d like to follow up regarding the recent concern. Kindly confirm whether the issue has been resolved, or if further assistance is still required. We are available to support you and are committed to helping you reach a resolution.

Thank you.

Lozovskyi
Kudo Collector
Kudo Collector

Hello @schneiw, there is no Deny as of today; however, you can do that by leveraging One lake security preview.

Lozovskyi_0-1773706065156.png

To simplify the solution and maintenance undertaking, you can store GL data under one schema.

Then define a role to read data inside this schema.

Lozovskyi_1-1773706262890.png

add allowed user group as a member and then share the lakehouse with this group. when sharing the lakehouse, keep all selections unticked. By that, users will see the lakehouse under the OneLake catalog.

If you need to grant them SQL endpoint access, go to the SQL endpoint and switch to Use OneLake security for tables (User's identity access mode)

Lozovskyi_4-1773706675759.png

 

Lozovskyi_3-1773706646442.png

 

Lozovskyi_2-1773706335000.png

It's important to keep in mind that having higher-level rights (shared read All, or having workspace-level access) will override this security setup.

Olufemi7
Super User
Super User

Hello @schneiw,

 

No. SQL GRANT/DENY only works on the SQL Endpoint; notebooks access Delta tables directly, so those permissions aren’t enforced.

To restrict access (for example GL tables), move them to a separate Lakehouse and grant access only to the authorized group.

Docs: https://learn.microsoft.com/fabric/data-engineering/lakehouse-overview

Srisakthi
Super User
Super User

Hi @schneiw ,

 

Have you tried One lake security(preview) feature

https://learn.microsoft.com/en-us/fabric/onelake/security/row-level-security

 

Regards,

Srisakthi

Helpful resources

Announcements
FabCon and SQLCon Barcelona 2026

FabCon & SQLCon – Barcelona 2026

Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.

60 days of Data Days Carousel

Data Days 2026

Join Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.