PriyaJha
Regular Visitor

Which user identity is used in Lakehouse T-SQL endpoint

I have 2 workspaces and 2 user accounts; 1st account has member access on both workspaces and 2nd account has member access only on workspace 2.

Workspace 1 consists of a Lakehouse and a Warehouse, whereas workspace 2 has a Lakehouse; all of these were created by the user 1 account.

Shortcuts have been created in Workspace 2 Lakehouse pointing to Workspace 1 Lakehouse and Warehouse.

When checking via the 2nd user account, files are not visible, as shown below:

PriyaJha_0-1749628857459.png

 

Tables give the error as user unauthorized but still I can preview the data when clicked on table name

 

PriyaJha_2-1749628857521.png

 

While going through Microsoft docs came across the reason as calling item owner’s identity is passed

https://learn.microsoft.com/en-us/fabric/onelake/onelake-shortcuts

PriyaJha_0-1749628947001.png

 

Then user 2 has taken over lakehouse present in workspace 2 and still I am able to see data in tables.

So, when the doc mentions calling item owner’s identity is used, exactly which user’s identity is considered here, the one that has taken over the Lakehouse or the user that has created Lakehouse in Workspace 1.

NandanHegde
Super User

You are still able to see the data due to cache.
Try checking after some time and you should see a failure:

NandanHegde_0-1749630318503.png

So, as stated by @burakkaragoz, the owner of the lakehouse that has the shortcut is used for authentication and authorization for SQL and dataset aspects.




----------------------------------------------------------------------------------------------
Nandan Hegde (MSFT Data MVP)
LinkedIn Profile : www.linkedin.com/in/nandan-hegde-4a195a66
GitHUB Profile : https://github.com/NandanHegde15
Twitter Profile : @nandan_hegde15
MSFT MVP Profile : https://mvp.microsoft.com/en-US/MVP/profile/8977819f-95fb-ed11-8f6d-000d3a560942
Topmate : https://topmate.io/nandan_hegde
Blog :https://datasharkx.wordpress.com
burakkaragoz
Community Champion

Hi @PriyaJha ,

You have described the scenario and your observations very clearly. Here’s how the user identity resolution works for OneLake shortcuts in Lakehouse T-SQL endpoints, based on Microsoft’s documentation and your examples.

How identity is determined when accessing data via shortcut in Lakehouse T-SQL endpoint:

  • When a user queries data through a shortcut in a Lakehouse (for example, via the T-SQL endpoint), the query does not use the identity of the user running the query.
  • Instead, it uses the item owner’s identity—specifically, the owner of the Lakehouse or the object where the shortcut resides.
  • If the Lakehouse was created by User 1, then initially all shortcut access (even for other users with workspace permissions) is performed using User 1's credentials.
  • If User 2 takes ownership of the Lakehouse (either via Azure portal, Power BI admin actions, or collaboration features), User 2 becomes the new item owner. After this change, shortcuts will use User 2's identity for all subsequent access.

In practice, this means:

  • When User 2 tries to access shortcut data before taking ownership, the system tries to access the shortcut target using User 1's identity. If User 1 does not have access to the target data, you get an authorization error (as seen in your first screenshot).
  • Once User 2 becomes the owner of the Lakehouse, all shortcut queries from that Lakehouse will use User 2’s identity instead—and if User 2 has the necessary permissions, data loads as expected (as in your second screenshot).

Reference:
The highlighted documentation confirms:

"The calling item owner's identity is passed instead [of the calling user], delegating access to the calling item."

Summary Table:

| Lakehouse Owner | Query Executed By | Whose Identity is Used in Shortcut | Data Access Depends On |
|---|---|---|---|
| User 1 | User 2 | User 1 | User 1's permissions |
| User 2 (after transfer) | User 2 | User 2 | User 2's permissions |

Key Takeaway:
The identity used for accessing data via shortcuts is always the current owner of the Lakehouse, not the user running the query. If you want to change this, you must transfer ownership of the Lakehouse to the intended user.

Let me know if you need details on how to transfer ownership, or if you have further questions about OneLake security or shortcuts!
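
A small model of the rule described in the answer above, added here as an example (it is not code from the thread or from Microsoft): it lists users who can read a shortcut target through the SQL endpoint only because the Lakehouse owner's identity is passed. Workspace names, user names and permission sets are constructed, and the model assumes every workspace member can query the endpoint.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Shortcut:
    workspace: str   # workspace holding the lakehouse that contains the shortcut
    lakehouse: str
    owner: str       # current item owner of that lakehouse
    target: str      # item the shortcut points at

# Constructed inventory mirroring the thread's scenario (not real export data).
WORKSPACE_MEMBERS = {"ws1": {"user1"}, "ws2": {"user1", "user2"}}
TARGET_READERS = {"ws1/lakehouse": {"user1"}, "ws1/warehouse": {"user1"}}
SHORTCUTS = [
    Shortcut("ws2", "lh2", "user1", "ws1/lakehouse"),
    Shortcut("ws2", "lh2", "user1", "ws1/warehouse"),
]

def delegated_only_access(shortcuts, members, readers):
    """Return (user, target, owner) tuples where the user has no permission on
    the target but reaches it because the shortcut owner's identity is passed."""
    findings = []
    for sc in shortcuts:
        allowed = readers.get(sc.target, set())
        if sc.owner not in allowed:
            continue  # owner cannot read the target, so the read fails for everyone
        for user in sorted(members.get(sc.workspace, set())):
            if user not in allowed:
                findings.append((user, sc.target, sc.owner))
    return findings

def after_ownership_change(shortcuts, lakehouse, new_owner):
    """Re-evaluate the inventory as if `lakehouse` had been taken over."""
    return [Shortcut(s.workspace, s.lakehouse, new_owner, s.target)
            if s.lakehouse == lakehouse else s for s in shortcuts]

if __name__ == "__main__":
    for user, target, owner in delegated_only_access(
            SHORTCUTS, WORKSPACE_MEMBERS, TARGET_READERS):
        print(f"{user} reads {target} via {owner}'s delegated identity")
    moved = after_ownership_change(SHORTCUTS, "lh2", "user2")
    print(delegated_only_access(moved, WORKSPACE_MEMBERS, TARGET_READERS))
```

In this model, taking over the Lakehouse as user2 removes the delegated path, because user2 has no permission on the Workspace 1 items.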

Hi @burakkaragoz,

 

Thanks for your reply.

 

I still have one question: when we are in lakehouse mode and I click on one of the table names in the table section and the preview of the table is visible, which authentication is this preview using? Is it using T-SQL auth or Spark?

 

Hi @PriyaJha,

 

When you work in Lakehouse mode in Microsoft Fabric and click on a table name to view its preview, the data is actually being fetched using Spark; behind the scenes, it is a Spark-based query that pulls a sample of the data.

This means the authentication being used in that moment is tied to Spark, which uses your Fabric identity to authorize the action. T-SQL authentication only comes into play if you are accessing the data through the SQL analytics endpoint, such as when you're connecting from Power BI or writing T-SQL queries directly through the SQL interface.

So, to put it simply: when you preview a table from the Lakehouse UI, it's Spark doing the work in the background, not T-SQL.

 

 

 

 

Thanks,

Prashanth Are

MS Fabric community support

Hi @v-prasare,

 

So which authentication is being used by the Spark query?

Is it the calling item owner id or the user's id?
