Hi @prathijp,
You can do this with item-level permissions on the lakehouse (no workspace role required for readers) and a different path for writers. Here’s the practical setup I’ve used.
- Read-only via SSMS (T-SQL)
In the lakehouse, select … > Manage permissions.
Share the item and add the users (or a group).
On the SQL analytics endpoint permissions, grant ReadData. This is the specific right that lets SSMS/TDS clients read tables. Microsoft: Lakehouse sharing and permissions
Have them connect from SSMS using the lakehouse’s SQL endpoint connection string (from Settings > SQL endpoint) with Microsoft Entra (AAD) auth. What is the lakehouse SQL analytics endpoint?, Find the SQL endpoint connection string - Read-only via OneLake (files/Spark)
If they also need file/folder access (Parquet/Delta in Files), grant ReadAll on the lakehouse or create folder-scoped OneLake data access roles for least-privilege read to specific folders. Lakehouse sharing and permissions, Get started with OneLake security - Write access (insert/create)
The lakehouse SQL analytics endpoint is read-only for tables (you can create views/functions and apply SQL security, but no INSERT/CREATE TABLE via SSMS). Writers must use Spark/Notebooks/Pipelines targeting the lakehouse, which requires a workspace role (Contributor/Member) — or use a Warehouse if you want DDL/DML over T-SQL. SQL endpoint is read-only, Workspace roles in Lakehouse
If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.
Proud to be a Super User! |  |
Hi @prathijp,
You can do this with item-level permissions on the lakehouse (no workspace role required for readers) and a different path for writers. Here’s the practical setup I’ve used.
- Read-only via SSMS (T-SQL)
In the lakehouse, select … > Manage permissions.
Share the item and add the users (or a group).
On the SQL analytics endpoint permissions, grant ReadData. This is the specific right that lets SSMS/TDS clients read tables. Microsoft: Lakehouse sharing and permissions
Have them connect from SSMS using the lakehouse’s SQL endpoint connection string (from Settings > SQL endpoint) with Microsoft Entra (AAD) auth. What is the lakehouse SQL analytics endpoint?, Find the SQL endpoint connection string - Read-only via OneLake (files/Spark)
If they also need file/folder access (Parquet/Delta in Files), grant ReadAll on the lakehouse or create folder-scoped OneLake data access roles for least-privilege read to specific folders. Lakehouse sharing and permissions, Get started with OneLake security - Write access (insert/create)
The lakehouse SQL analytics endpoint is read-only for tables (you can create views/functions and apply SQL security, but no INSERT/CREATE TABLE via SSMS). Writers must use Spark/Notebooks/Pipelines targeting the lakehouse, which requires a workspace role (Contributor/Member) — or use a Warehouse if you want DDL/DML over T-SQL. SQL endpoint is read-only, Workspace roles in Lakehouse
If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.
Proud to be a Super User! | |
Helpful resources
Join our Fabric User Panel
Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.
Fabric Monthly Update - February 2026
Check out the February 2026 Fabric update to learn about new features.
FabCon Atlanta 2026
Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.
