Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during AI Skills Fest. This week only. Secure your voucher now.

SEMattis

OneLake Security: Configurable role conflict resolution - intersection-based access instead

Submitted by Advocate III on ‎05-21-2026 04:26 AM

Problem Description

In OneLake security, when a user is a member of multiple security groups or roles that apply different access rules to the same object, table, column, or row, conflicting permissions can result in overly restrictive behavior—often blocking access entirely.

This is challenging in enterprise environments where users frequently belong to multiple roles across domains, projects, or departments. Instead of enabling fine-grained access, the current behavior can unintentionally deny access completely, even when there is a valid overlap in permissions.

Expected Behavior

When multiple roles apply to the same object:

  • The system should support resolving permissions using the intersection of all roles
  • Users should retain access to:
    • Rows allowed across all roles (AND logic)
    • Columns allowed across all roles
    • Objects permitted across all roles

Instead of blocking access completely, the system should enforce the most restrictive valid access.

Actual Behavior

  • Conflicting roles may result in:
    • Full denial of access
    • Unexpected permission failures
  • Overlapping permissions are not leveraged
  • Difficult to understand and troubleshoot effective access

Proposed Solution

Introduce a configurable feature (toggle or policy setting) for handling role conflicts:

1. Configurable Conflict Resolution Mode

Allow administrators to choose between:

  • Strict Mode (current behavior)

    • Conflicts result in blocking access

  • Intersection Mode (new option)

    • Effective permissions are calculated as the intersection of all roles:
      • Row-level: AND filters applied
      • Column-level: only shared allowed columns
      • Object-level: access only if permitted across roles

2. Scope of Configuration

The setting could be applied at different levels:

  • Workspace level
  • Domain level
  • Individual dataset / item level

3. Transparency & Debugging

Provide tooling to:

  • Show effective permissions after role intersection
  • Highlight which roles contributed to restrictions
  • Help admins understand why access is granted or limited

4. Backward Compatibility

  • Default behavior remains unchanged (strict mode)
  • Organizations can opt in where needed
  • Enables gradual adoption based on security strategy

Impact

  • Reduces unnecessary access failures
  • Enables scalable multi-role security design
  • Simplifies administration in complex environments
  • Improves user experience and trust in security model

Business Value

  • Supports real-world enterprise security patterns
  • Encourages adoption of fine-grained access controls (RLS/CLS)
  • Reduces support overhead and troubleshooting time
  • Provides flexibility to meet different compliance and governance needs

Additional Context

This is especially valuable in organizations where:

  • Users belong to multiple teams/projects
  • Security is managed centrally via groups
  • Both row-level and column-level security are extensively used

A configurable model ensures Fabric can support both:

  • Highly secure “fail-closed” environments
  • Flexible, data-sharing-friendly environments
Status: New
Comment