
aonelakeuser

OneLake security (Generally Available)

Author: Aaron Merrill - Principal Program Manager

 

OneLake security is an innovative, fine-grained access control model built natively into data lake storage that’s designed to work across multiple engines. Data stored in OneLake can be secured at scale at the item, folder, table, or even row/column level through our intuitive role-based access control model and that security travels with the data wherever it goes. Whether a user is querying data through a Spark notebook, viewing it in a Power BI report, or exploring it through a Fabric data agent, OneLake’s security model ensures they see only what they’re permitted. The security even follows data outside Fabric when it’s accessed through apps like Microsoft Excel.

 

You can check out our whitepaper, The Future of Data Security is Interoperability, for an in-depth look at what sets OneLake security apart and how to implement it at scale.

Today's announcement also includes new updates and functionality. The remainder of this post outlines what to expect from this rollout, the new functionality, and recaps our announcements since preview.

Rollout plan

As part of this update, OneLake security will be enabled by default on all supported item types. Starting today, any newly created item will have OneLake security enabled. Existing items can continue to opt in to the experience on a per-item basis. Over the next few weeks, we will automatically upgrade all supported items to have OneLake security enabled. The rollout will be completed by the end of May. This change will not impact users’ permissions or access to data. It will simply enable users to start creating and editing OneLake security roles.

What's new

OneLake security has been enhanced with several new features to address customer feedback and improve the overall experience of managing security.

UX improvements

We've made several improvements to the OneLake security role management UI. These changes make role management easier and help reduce errors with RLS rules.

Better inline RLS validation

Row-level security (RLS) is a powerful way to align access to business rules, but it also needs to be safe and predictable. A small mistake in an expression can create confusion or require time to be spent troubleshooting access. OneLake security RLS now has inline RLS validation and improved auto recommendations, helping authors identify and correct issues earlier in the workflow.

New role creation flow with RLS and CLS at creation time

We've completely revamped the new role creation flow with a new "wizard-like" interface that walks through each step to create a role. In addition, you can now author RLS and CLS policies during role creation, which saves time and ensures new roles are complete from the start.


Figure: Easily create RLS and CLS while authoring a new role.

Bug fixes and experience improvements

  • Cross-region shortcuts are now supported.
  • Viewer permission is no longer required; you can share specific items instead.
  • Workspace private link is now supported by all workloads except Power BI.
  • User’s identity mode is now the default for newly created SQL Analytics Endpoints.

What you may have missed

Next steps

Refer to the OneLake security documentation and explore the API reference to get started.

Comments

Does this include dynamic RLS being supported now or in the near future?

Any update on Direct Lake on OneLake working with Fabric Deployment Pipelines? We aren't able to utilize OneLake security until that issue is resolved.