fabricpribeiro
Post Patron

Gold Layer + Semantic Model + Reporting - Security for TDA question

Dears,

I have a Microsoft Fabric architecture (Medallion + Data Mesh) as below (figure 1).

I have the TDA completed for the layers up to Silver. This was achieved with the Excel help I got from our community.

But I still have questions about the consumption part (Gold + Semantic + Reporting / Self-Service) from a security point of view.

May I kindly ask for your help, please?

 

Figure 1: (image attachment fabricpribeiro_0-1772363492696.png)

 

Summary:

Gold layer: is divided by workspaces, each workspace representing a data domain. Each workspace will have one or more lakehouses.

Semantic model: There is a semantic model inside each workspace using a Direct Lake method to secure that one semantic model can fetch data from the lakehouses in the workspace where it is, but also from lakehouses in other workspaces for the sake of re-usability.

PBI Reports: We will have Power BI dashboards and several different operational reports.

Excel: There will be the possibility of doing self-service via Excel and via Power BI.

Self-Service: Possibility of doing self-service via PBI or Excel.

4 types of personas and their abilities:

All users: Will be able to connect to Power BI and see the reports.

Power Users: Will be able to do what All users can do, plus create new PBI reports against our semantic model and create measures in the existing semantic model.

Advanced users: Able to do what Power Users can do, plus add new tables to the semantic model which exist in the gold layer, and use Excel and PBI to do ad-hoc reports against our semantic models (self-service).

Master Users: Able to do what Advanced users can do, plus go directly to our gold layer to run selects on tables.

Note - Some of these users are not in our tenant.

 

Questions:

Group All Users:

1) I was thinking of creating these four Entra ID groups (the groups will not have these names; their true names will be different) and, for the users which are external (do not belong to our tenant), bringing them into our Entra ID (B2B) as external users and joining them to these Entra groups.

2) Create a fixed identity, which will be used by the semantic model to connect to the gold layer workspaces, then, on top of it, create RLS at the semantic level. This way we don't have to provide permissions to all users in our Gold layer. It's the fixed identity which will hold the permissions to our gold.

3) I don't know where this fixed identity is created, nor if it's created via the new OneLake security functionality or if it's a workspace identity that I create. Is the way to create this fixed identity through the new functionality called OneLake security? I see it here: Fixed Identity and RLS in Microsoft Fabric Direct Lake Semantic Model

4) Is the RLS at semantic model level created by the new functionality called OneLake security?

For all the other 3 groups, what would you propose as security models?

1 - For example, can I have Excel self-service and Power BI self-service?

2 - What should I propose as a security model for these 3 other groups?

Also, importantly, can someone please help me understand, per user group, what the security at rest, security in transit and service-to-service security is that I can use to explain in my technical design authority document (TDA)?

 

Thank you very much for all the support.

Best regards,

Pedro

And can someone please explain to me what I shall put in the TDA for security in transit, service-to-service and security at rest for this (Gold + Semantic + Reporting)?

Thanks a lot,

Pedro
1 ACCEPTED SOLUTION
v-prasare
Community Support

Hi @fabricpribeiro,

There is currently no single Microsoft document that describes this architecture end-to-end. However, the design pattern is possible when the relevant components are combined: Microsoft Fabric security, Direct Lake with a fixed (workspace) identity, semantic model RLS, OneLake security (Preview), and Microsoft Entra ID B2B. PFB references.

Due to access permission constraints and licensing limitations in our environment, we were unable to reproduce this at our end. Could you let us know if you were able to achieve it as suggested below? Please also refer to some useful docs.

Recommended approach: Use Microsoft Entra ID security groups for user personas (All, Power, Advanced, Master). External users can be onboarded via Entra ID B2B and added to the same groups for consistent access management.

For Gold → Semantic Model access, use a single fixed identity (workspace identity / service principal) that holds permissions on Gold Lakehouses. End-user access is enforced via RLS in the semantic model, avoiding direct Gold access and permission sprawl while enabling cross-workspace reuse.

OneLake security governs storage-level access (data at rest) and does not replace semantic model RLS, which handles user-level filtering.

Persona model: All Users view reports; Power Users build reports on semantic models; Advanced Users extend models with read access to Gold; Master Users have direct Gold access.

This aligns with Fabric security best practices: encryption at rest (OneLake), TLS in transit, and Entra ID-based service-to-service authentication.
Thanks,
Prashanth
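As an added example (not from the original post, the accepted answer, or Microsoft's documentation), the DAX below shows the row-level-security pattern the answer describes: with a fixed identity holding the Gold permissions, every row in the model is reachable by that identity, so a role filter on the semantic model is what confines each user to their data domain. The table and column names ('FactSales', 'UserDomainMap', 'Domain', 'UserPrincipalName'), the role names, and the sample mapping rows are all assumptions constructed for the illustration; the form USERPRINCIPALNAME() returns for a B2B guest is an assumption to verify in your tenant.

```dax
-- Added example, not code from the original thread. Assumed model objects:
--   'FactSales'      Gold fact table with a 'Domain' column (assumption)
--   'UserDomainMap'  mapping table with 'UserPrincipalName' and 'Domain'
--                    columns (assumption), maintained by the data owners
-- Constructed sample rows for 'UserDomainMap':
--   alice@contoso.example                              | Finance
--   alice@contoso.example                              | Sales
--   bob_partner.example#EXT#@contoso.onmicrosoft.com   | Sales
--   (guest UPN form is an assumption; store whatever USERPRINCIPALNAME()
--    actually returns for the guest, not the partner's home-tenant email)

-- Role "DomainReader" (members: the Entra ID groups for All / Power / Advanced
-- users). Table filter expression on 'FactSales': keep only rows whose domain
-- is assigned to the signed-in user in the mapping table.
'FactSales'[Domain]
    IN CALCULATETABLE (
        VALUES ( 'UserDomainMap'[Domain] ),
        'UserDomainMap'[UserPrincipalName] = USERPRINCIPALNAME ()
    )

-- Same role, table filter expression on 'UserDomainMap', so a self-service
-- user cannot browse other users' domain assignments through the mapping table.
'UserDomainMap'[UserPrincipalName] = USERPRINCIPALNAME ()

-- Role "DomainAdmin" (members: the Master users group only): no table filter,
-- so members see every domain. A user who is in no role sees no data, which is
-- the safe default for someone who was never mapped.
```

Roles are applied in the Power BI service on the semantic model's Security page by adding the Entra ID security groups as members; moving a user between personas then changes group membership, never the filter expression. Two checks worth recording in the TDA: use "Test as role" with a member's UPN to confirm the filter works for both tenant and B2B accounts, and remember that RLS only constrains users who reach the model with Viewer (or Build) permission, since workspace Admins, Members and Contributors bypass it. That matters for the Advanced persona, because adding tables to a model needs write access to it, which is exactly the permission level that is not filtered.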
 
6 REPLIES
v-prasare
Community Support

Hi @fabricpribeiro,

We would like to confirm if our suggestions resolve your query or if you need further help. If you still have any questions or need more support, please feel free to let us know. We are happy to help you.

Thank you for your patience, and we look forward to hearing from you.
Best Regards,
Prashanth Are
MS Fabric community support

fabricpribeiro
Post Patron

Hello, can someone senior please help me with this? Thank you so much.

lbendlin
Super User

each workspace representing a data domain.

What kind of company size is this? How many workspaces do you have across all capacities?

Hello, it's a mid-size company, probably around 200 users.

We have one capacity for ingestion, one capacity for reporting and then separate capacities for the ones (domains) which are more consuming.

But the question is about security, not so much about performance.

Thanks a lot,

Pedro
