Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

View all the Fabric Data Days sessions on demand. View schedule

Reply
spencer_sa
Super User
Super User

Minimum permissions needed to share a lakehouse schema

‎03-27-2025 04:39 AM

Hi folks,
I'm trying to work out the minimum permissions I need to grant a user to be able to view a schema (and its tables) in a OneLake lakehouse.  Specifically I'm looking at OLS in the lakehouse and not in the SQL Endpoint (which does work but IIRC forces queries to use Direct Query).
Can you see where I might be going wrong, please?

I have a lakehouse with 3 schemas in it (dbo, schema1, schema2) and a test USER

Steps I've taken

  • I've granted 'Read' permissions on the lakehouse object to USER
  • I've enabled 'Manage OneLake Data Access (Preview)' inside the lakehouse
  • I've removed the default role and added a role called 'schema1locked'
  • I've Assigned USER to this role
  • I've selected schema1 for access (automatically selects all tables inside)

What we're seeing is that;

  • USER can query to data using a notebook and pyspark
  • In the lakehouse view USER can only see schema1, and can see the two tables there.
  • The user can't view the Preview of the data in this table - instead geting the error message below;

spencer_sa_0-1743074956161.png

I've used the following as reference documents;
Lakehouse sharing and permission management - Microsoft Fabric | Microsoft Learn

Share items in Microsoft Fabric - Microsoft Fabric | Microsoft Learn

 

Labels:
Message 1 of 11
3,839 Views
0
2 ACCEPTED SOLUTIONS
spencer_sa
Super User
Super User
In response to v-tsaipranay

‎04-08-2025 12:37 AM

I've discovered the practical 'minimum permissions' to grant access to a table - this forms the practical solution as things currently stand.

If there is a more minimal permission set that works, I'd like to know - there appears to be no explicit 'Explore' permission. 😞

 

  • Grant read access to the lakehouse object
  • Using "Manage OneLake Data Access" create a new role (and delete the default role if needed)
  • Allow this role read access to the schemas and tables it needs
  • Add the USER to the role.

These first 4 steps grant access to the table for pyspark.

  • In the SQL endpoint, GRANT SELECT ON <TABLE/SCHEMA> TO USER

This step grants access to preview the data

  • Grant Read access on the Direct Lake semantic model to USER
  • Grant Read access on / share any reports

The user is now able to see report data based on the Direct Lake model.

View solution in original post

Message 10 of 11
3,427 Views
0
v-tsaipranay
Community Support
Community Support
In response to spencer_sa

‎04-08-2025 11:27 PM

Hi @spencer_sa ,

Thank you for your detailed summary and for taking the time to explore the current permission model in Microsoft Fabric.

 

You're correct, there is currently no explicit "Explore" permission in Microsoft Fabric. The combination you've identified Lakehouse-level Read access, schema/table access via OneLake Data Access roles, and GRANT SELECT on the SQL Endpoint forms the practical minimum permission set to enable PySpark querying, table preview in the UI, and Direct Lake semantic model access.

This hybrid approach is expected behavior under the current security model. We appreciate your findings, and your feedback is valuable as we work toward simplifying and unifying permission management in future updates.

 

If this post helps, then please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

 

Thank you. 

View solution in original post

Message 11 of 11
3,409 Views
0
10 REPLIES 10
v-tsaipranay
Community Support
Community Support

‎03-28-2025 04:26 AM

Hi @spencer_sa ,
Thank you for posting in the Microsoft Fabric Community.

 

The issue is due to missing Explore permissions, which are required for table preview in the Fabric UI. Since the USER has no workspace role, implicit permissions are missing.

To fix this, grant Read + Explore on the Lakehouse and ensure Read access is assigned at both the schema and table levels. Verify that "Manage OneLake Data Access (Preview)" is fully applied and check for any Object-Level Security (OLS) restrictions.

If the issue persists, assign Storage Blob Data Reader in Azure to allow OneLake access. As an alternative, assigning the Viewer role in the workspace can resolve this, but you would need to separately restrict SQL Endpoint access if required.

For more details, refer to the official Microsoft documentation on Lakehouse sharing and permission management - Microsoft Fabric | Microsoft Learn which explains how to manage Lakehouse permissions effectively.

 

I hope my suggestions give you good idea, if you need any further assistance, feel free to reach out.

If this post helps, then please give us Kudos and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you. 

Message 4 of 11
3,745 Views
0
spencer_sa
Super User
Super User
In response to v-tsaipranay

‎04-01-2025 07:00 AM

No Explore permissions regardless of removing and re-adding.
I played with a lot of things and ended up GRANTing SELECT on the schema in the SQL Endpoint which caused both the Preview to work *and* the semantic model/report to be able to see the data.

I'm also guessing over the next few months this whole security model is going to be revamped in light of Arun's announcement.

Message 7 of 11
3,630 Views
0
v-tsaipranay
Community Support
Community Support
In response to spencer_sa

‎04-01-2025 07:18 PM

Helo @spencer_sa ,

 

Thank you for the update! I completely understand your frustration with the Explore permissions not working as expected. It’s great that granting SELECT permissions on the SQL Endpoint helped solve the issue and allowed both the Preview and the semantic model/report to work properly.

As you mentioned, there may be some changes to the security model in the future based on Arun’s announcement. These changes might help improve how permissions are handled.

For now, if the SELECT permission on the SQL Endpoint is working well for you, it seems like a good solution.

 

If this post helps, then please give us Kudos and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you. 

Message 8 of 11
3,602 Views
0
v-tsaipranay
Community Support
Community Support
In response to v-tsaipranay

‎04-06-2025 08:48 PM

Hi @spencer_sa ,

I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.


Thank you.

Message 9 of 11
3,444 Views
0
spencer_sa
Super User
Super User
In response to v-tsaipranay

‎04-08-2025 12:37 AM

I've discovered the practical 'minimum permissions' to grant access to a table - this forms the practical solution as things currently stand.

If there is a more minimal permission set that works, I'd like to know - there appears to be no explicit 'Explore' permission. 😞

 

  • Grant read access to the lakehouse object
  • Using "Manage OneLake Data Access" create a new role (and delete the default role if needed)
  • Allow this role read access to the schemas and tables it needs
  • Add the USER to the role.

These first 4 steps grant access to the table for pyspark.

  • In the SQL endpoint, GRANT SELECT ON <TABLE/SCHEMA> TO USER

This step grants access to preview the data

  • Grant Read access on the Direct Lake semantic model to USER
  • Grant Read access on / share any reports

The user is now able to see report data based on the Direct Lake model.

Message 10 of 11
3,428 Views
0
v-tsaipranay
Community Support
Community Support
In response to spencer_sa

‎04-08-2025 11:27 PM

Hi @spencer_sa ,

Thank you for your detailed summary and for taking the time to explore the current permission model in Microsoft Fabric.

 

You're correct, there is currently no explicit "Explore" permission in Microsoft Fabric. The combination you've identified Lakehouse-level Read access, schema/table access via OneLake Data Access roles, and GRANT SELECT on the SQL Endpoint forms the practical minimum permission set to enable PySpark querying, table preview in the UI, and Direct Lake semantic model access.

This hybrid approach is expected behavior under the current security model. We appreciate your findings, and your feedback is valuable as we work toward simplifying and unifying permission management in future updates.

 

If this post helps, then please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

 

Thank you. 

Message 11 of 11
3,410 Views
0
spencer_sa
Super User
Super User
In response to v-tsaipranay

‎03-31-2025 04:02 AM

How does one explicitly assign Explore permissions?  The document you shared (which is also the one I've been using as reference material) doesn't cover that - just ReadAll and SubscribeOneLakeEvents.


"Manage OneLake Data Access (Preview)" is definitely fully applied as far as it goes (the UI has changed over the weekend 🙂 )  I have a single role and a single USER in that role, and the schema and tables have been added to the role.  These are the only OLS restrictions (I created this lakehouse/files specifically for this test)

I can also access the data using pyspark - it's just the Preview (and also an attached semantic model, but that's out of scope) that have the issues.  I'm beginning to think I need to add SQL Endpoint OLS - bleh.

spencer_sa_0-1743418695608.png

 

 

Message 5 of 11
3,679 Views
v-tsaipranay
Community Support
Community Support
In response to spencer_sa

‎03-31-2025 10:48 PM

Hello @spencer_sa ,

Thank you for your follow-up question, and I appreciate your patience. In Microsoft Fabric, the Explore permission is not explicitly assigned but is implicitly granted when a user has Read access at the Lakehouse level and Manage OneLake Data Access (Preview) enabled.

 

Since the user can query data via PySpark but is unable to preview tables in the UI, the issue is likely due to missing Lakehouse-level Read + Explore permissions rather than schema-level access.

To resolve this, I recommend navigating to Lakehouse > Settings > Permissions and ensuring that the user has Read + Explore permissions on the entire Lakehouse, not just on specific schemas or tables. If you do not see the Explore option, you can try removing and re-adding Read access, as Explore is typically included implicitly. Additionally, SQL Endpoint OLS is not required for table preview in the UI, as it only affects SQL-based queries.

 

If this post helps, then please give us Kudos and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you. 

Message 6 of 11
3,643 Views
0
lbendlin
Super User
Super User

‎03-27-2025 05:51 AM

Does the user have any role in the workspace?

Message 2 of 11
3,817 Views
0
spencer_sa
Super User
Super User
In response to lbendlin

‎03-27-2025 06:20 AM

No.  No workspace role.  Just sharing of lakehouse item and then permissions on schemas inside the lakehouse.
If I make USER a viewer, then I'd have to lock down the SQL Endpoint separately.

Message 3 of 11
3,805 Views
0

Helpful resources

Announcements
November Fabric Update Carousel

Fabric Monthly Update - November 2025

Check out the November 2025 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Kudoed Authors
View All