aonelakeuser

Securing zero-copy distribution patterns with OneLake security and shortcuts

OneLake shortcuts are one of the most powerful ways to implement zero-copy distribution in Microsoft Fabric. Instead of moving or duplicating data into every workspace, domain, or project boundary, a shortcut lets you present data where people need it while the data stays in its original location. The key to taking full advantage of this zero-copy paradigm is to understand how security works with OneLake shortcuts. This blog post focuses on how OneLake security combines with shortcuts to give you secure and flexible data sharing without duplication.


Shortcut types

A quick recap on shortcuts: a shortcut is a symbolic link or pointer from one location (the shortcut path) to another (the target). There are two categories of shortcuts: passthrough and delegated.


For a passthrough shortcut, any time the shortcut path is accessed, the user is “passed” to the target to view the data and evaluate access. In this model, the permissions on the target are evaluated directly. This ensures that any user that is given access to a table can see only the rows or columns that the data owner has configured. Further, it prevents users from setting OneLake security on the shortcut path; the data exists only on the target and likewise the security exists only on the target.


Figure: Passthrough shortcuts evaluate permissions on the target.


For delegated shortcuts, an intermediate identity is used to access the data. This identity is attached to the shortcut so that all access to the shortcut accesses the shortcut target as the delegated identity. Delegated shortcuts typically are used for accessing external systems outside of OneLake, where the delegated identity is an account key or service principal.


And now, as introduced in the recent blog post SharePoint and OneDrive Shortcuts in OneLake, OneLake shortcuts (shortcuts whose target is inside OneLake) can also be created as delegated. When using delegated OneLake shortcuts, security can be configured both on the target and on the shortcut path, which allows access management itself to be delegated. However, the two sets of permissions combine via intersection, so the end user can never be given more privileges than were given to the delegated identity.

Figure: Delegated shortcuts combine security across an intermediate identity via intersection.


Let’s explore these concepts in more detail by looking at the use cases for each shortcut type.


Passthrough shortcuts

The main power of passthrough shortcuts is that the data owner maintains full control over everyone that accesses their data. If UserA wants to access your data, they need to be granted access through OneLake security on the target itself. Downstream users see exactly the same table as if they were reading from the target directly.

Setting additional OneLake security on the shortcut path is not allowed for passthrough shortcuts, as that would take away the data owner's full control.


Use passthrough shortcuts when:

  • You want to ensure security is consistent regardless of where the data is accessed.
  • The data owner wants to manage all access to the data.


Delegated shortcuts

Let’s say you’re the data owner for sales information that needs to be distributed to three separate teams, each with thousands of users. The teams are regional: Asia, Europe, and Americas. Each team should only see the data for their region, but there could be country or team specific data requirements.

With a passthrough shortcut, you (as the data owner) would be responsible for managing every end user's access. Instead, delegated shortcuts let you represent each team with a service principal, configure access so that each service principal can only see its region's data, and then delegate the management of each end user's permissions to the regional team owners. There's still no data movement or duplication, but security management is now a lot simpler.

Figure: Use delegated shortcuts to scale-out access management to tens of thousands of users.

Delegated shortcuts also have the advantage of allowing for cross-tenant use. For organizations that run more than one Fabric tenant, or that need to share with another organization's tenant, cross-tenant shortcuts give a seamless way to share data with another Fabric tenant without creating any data copies. The same delegated security model applies, giving you full control over what data is accessed and any fine-grained access controls that are needed.

OneLake also enables connectivity to data outside of Fabric with external shortcuts to sources such as AWS S3 and Google Cloud Storage. External shortcuts also operate as a type of delegated shortcut. But for external storage types, the delegated identity is generally an account key or system identity in the external system. This means that access is an intersection of the external system’s permissions and the OneLake security roles configured on the shortcut itself.
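To make the two evaluation paths concrete, here is a small Python model of the composition rules this section describes: passthrough evaluates the reader directly on the target, while a delegated shortcut evaluates the delegated identity on the target and then the reader on the shortcut path, so the result is an intersection. It covers both the regional service-principal scenario above and the external-storage case, since both reduce to the same rule. This is an added illustration, not Fabric code or an API the product exposes; the Role schema, the principal names (alice, bob, carol, mallory, dave, spn-europe, spn-asia), the sample sales rows, and the assumption that a principal in several roles on one item gets the union of those grants are all constructed for the example.

```python
"""Model of how OneLake security composes through shortcuts.

Constructed illustration only: the Role schema, the principals, the sales
rows and the union-within-an-item rule are assumptions of this model, not
Fabric's implementation. It demonstrates the property described in the
text: passthrough evaluates the reader against the target; delegated
evaluates the delegate against the target and the reader against the
shortcut path, and the reader's view is the intersection of the two.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional

Row = Dict[str, object]


@dataclass(frozen=True)
class Role:
    """One OneLake security role on an item: its members, a row filter and
    an optional column allow-list (None means every column)."""
    members: FrozenSet[str]
    row_filter: Callable[[Row], bool] = lambda row: True
    columns: Optional[FrozenSet[str]] = None


class Item:
    """A table plus the OneLake security roles defined on it."""

    def __init__(self, rows: Iterable[Row], roles: Iterable[Role]):
        self.rows = list(rows)
        self.roles = list(roles)

    def view_for(self, principal: str) -> List[Row]:
        """Rows and columns `principal` may read on this item. No role means
        no access; across several roles the grants are unioned (assumption)."""
        mine = [r for r in self.roles if principal in r.members]
        out: List[Row] = []
        for row in self.rows:
            granting = [r for r in mine if r.row_filter(row)]
            if not granting:
                continue
            if any(r.columns is None for r in granting):
                cols = set(row)
            else:
                cols = set().union(*(r.columns for r in granting))
            out.append({k: v for k, v in row.items() if k in cols})
        return out


def passthrough_read(target: Item, user: str) -> List[Row]:
    """Passthrough shortcut: the user is evaluated directly on the target."""
    return target.view_for(user)


def delegated_read(target: Item, delegate: str,
                   shortcut_roles: Iterable[Role], user: str) -> List[Row]:
    """Delegated shortcut: read the target as `delegate`, then apply the
    shortcut-path roles to `user`. The second step can only filter the
    first, so the user's view is an intersection of the two."""
    shortcut_path = Item(target.view_for(delegate), shortcut_roles)
    return shortcut_path.view_for(user)


def bounded_by_delegate(target: Item, delegate: str,
                        shortcut_roles: Iterable[Role], user: str) -> bool:
    """The invariant from the text: every cell a user sees through a
    delegated shortcut is a cell the delegated identity itself can see."""
    ceiling = target.view_for(delegate)
    seen = delegated_read(target, delegate, shortcut_roles, user)
    return all(any(row.items() <= d.items() for d in ceiling) for row in seen)


# Constructed sample data: a sales table owned by a central data team.
SALES: List[Row] = [
    {"order_id": 1, "region": "Europe", "country": "DE", "amount": 1200, "margin": 0.31},
    {"order_id": 2, "region": "Europe", "country": "FR", "amount": 800, "margin": 0.22},
    {"order_id": 3, "region": "Asia", "country": "JP", "amount": 950, "margin": 0.27},
    {"order_id": 4, "region": "Americas", "country": "US", "amount": 2100, "margin": 0.35},
]

# Roles the data owner manages on the target item.
TARGET = Item(SALES, [
    # alice reads through a passthrough shortcut, so she is granted on the target
    Role(frozenset({"alice"}), lambda r: r.get("region") == "Europe"),
    # one service principal per region, each confined to its region;
    # the Europe principal is additionally denied the margin column
    Role(frozenset({"spn-europe"}), lambda r: r.get("region") == "Europe",
         frozenset({"order_id", "region", "country", "amount"})),
    Role(frozenset({"spn-asia"}), lambda r: r.get("region") == "Asia"),
])

# Roles the Europe regional team manages on its delegated shortcut path.
EUROPE_SHORTCUT_ROLES = [
    Role(frozenset({"bob"}), lambda r: r.get("country") == "DE"),      # Germany only
    Role(frozenset({"carol"})),                                         # everything the delegate has
    Role(frozenset({"mallory"}), lambda r: r.get("region") == "Asia"),  # grant beyond the delegate: yields nothing
]

if __name__ == "__main__":
    print("alice (passthrough):", passthrough_read(TARGET, "alice"))
    for user in ("bob", "carol", "mallory", "dave"):
        print(user, "(delegated via spn-europe):",
              delegated_read(TARGET, "spn-europe", EUROPE_SHORTCUT_ROLES, user))
```

The mallory role is the case worth noticing: the regional team can write whatever role it likes on the shortcut path, but a grant that reaches outside the delegate's own view (here, Asia rows through the Europe principal) produces an empty result rather than an escalation, and the margin column that the data owner withheld from the Europe principal never reappears no matter what the shortcut-path roles say.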


Use delegated shortcuts when:

  • You don’t want to give end users direct access to the target item.
  • Managing all end users on the target data becomes a scale concern.
  • You want to share data with another Fabric tenant.


Design guidance for secure zero-copy distribution

If your goal is to let multiple engineering, analytics, or domain teams reuse a shared dataset while preserving source-managed authorization per person, passthrough remains the cleanest design. It keeps the shortcut honest: people can discover and mount the data where they work, but they still only get what the source authorizes. This is most often the right fit for collaborative data engineering and is the default behavior for OneLake shortcuts.


If your goal is broader distribution through curated serving layers, then delegated shortcuts can simplify administration and improve scale. In that model, the shortcut becomes part of a governed publishing architecture: central teams retain ownership of the source, consuming teams avoid copying data, and downstream audiences access a managed experience rather than direct raw-path access. The key is to be explicit about where delegated mode is in play, document the trust boundary, and design your security reviews around the actual engine path your users will take.


Final thoughts

OneLake shortcuts are not just a convenience feature for organizing data. They are a foundational building block for zero-copy data distribution across Microsoft Fabric. The security story makes that possible.

The default passthrough model preserves strong source-aware enforcement: every read through the shortcut is evaluated against the permissions on the target, so a downstream reader gets exactly what the data owner authorized, and no additional security can be layered onto the shortcut path.

The new delegated shortcut option extends that story for paths that need to serve larger audiences or share data externally.

Together, these modes let organizations choose the right balance of control, scale, and simplicity without giving up the governance benefits of unifying your data with OneLake.