Introduction
This tooling provides a mechanism to automatically remediate which users, groups and machine identities have access to each Fabric workspace, ensuring alignment with a desired security / RBAC configuration stored in an external configuration file.
It uses the Semantic Link Labs Python package (a Python wrapper for the Fabric APIs).
Problem statement
Access to Workspaces is managed via authorised security groups, and the Member role is typically used when provisioning developers with access to Workspaces.
However, Members can also add other entities to Workspaces, including groups, machine identities or users, at equal or lower levels (Member, Contributor or Viewer). Any such addition bypasses the access control authorisation and approval process and so violates the policy. As the ability of Members to add entities cannot be disabled in Fabric, the policy has to be enforced via a detective and corrective control instead.
To eliminate the manual intervention otherwise required to implement this control, an automated solution was sought.
Solution
Fabric Capacities allow the execution of arbitrary Python / PySpark through Fabric Notebooks. This functionality has been combined with the Semantic Link Labs Python package (a Python wrapper for Fabric APIs) to extract, evaluate and rectify Workspace permissions for Fabric Workspaces.
By using a desired state configuration file, the tooling only performs access enforcement on the Workspaces listed in that file, rather than deprovisioning and re-provisioning across the entire tenant, allowing for a progressive roll-out. Workspaces that exist in the tenant but are not listed are left untouched.
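The reconciliation step described above, as an added example that is not the project's own code: it compares the role assignments observed on a Workspace with the desired state from the configuration file and produces a remediation plan (principals to add, principals to remove, roles to correct), skipping any Workspace not listed in the configuration. The sample configuration and observed assignments are constructed inline so the block runs offline; the principal identifier forms, the principal kinds and the configuration layout are assumptions, and applying the plan through the Fabric APIs (via Semantic Link Labs) is outside this block.

```python
"""Desired-state reconciliation for Fabric Workspace role assignments.

Pure diff logic only: the desired-state config and the observed assignments
are constructed below so the example runs offline. Turning the resulting plan
into Fabric API calls (through Semantic Link Labs) is not part of this block.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fabric Workspace roles, highest privilege first.
ROLE_RANK = {"Admin": 0, "Member": 1, "Contributor": 2, "Viewer": 3}


@dataclass(frozen=True)
class Assignment:
    principal: str  # UPN, group object id or app id (assumed identifier form)
    kind: str       # "User" | "Group" | "ServicePrincipal" (assumed naming)
    role: str

    def key(self) -> Tuple[str, str]:
        # Principal identifiers (emails, GUIDs) are compared case-insensitively.
        return (self.principal.lower(), self.kind)


@dataclass
class Plan:
    workspace: str
    add: List[Assignment]
    remove: List[Assignment]
    update: List[Tuple[Assignment, Assignment]]  # (current, desired)

    def is_noop(self) -> bool:
        return not (self.add or self.remove or self.update)


def reconcile(workspace: str, current: List[Assignment], desired: List[Assignment]) -> Plan:
    """Diff one Workspace: anything present but not desired is removed, which is
    how unapproved additions made by Members get reverted."""
    cur = {a.key(): a for a in current}
    want = {a.key(): a for a in desired}
    add = [a for k, a in want.items() if k not in cur]
    remove = [a for k, a in cur.items() if k not in want]
    update = [(cur[k], want[k]) for k in cur if k in want and cur[k].role != want[k].role]
    return Plan(workspace, add, remove, update)


def reconcile_tenant(desired_state: Dict[str, List[Assignment]],
                     observed: Dict[str, List[Assignment]]) -> Dict[str, Plan]:
    # Only Workspaces listed in the config are enforced (progressive roll-out);
    # Workspaces observed in the tenant but absent from the config are skipped.
    return {ws: reconcile(ws, observed.get(ws, []), want) for ws, want in desired_state.items()}


def validate_desired_state(desired_state: Dict[str, List[Assignment]]) -> List[str]:
    """Sanity checks before enforcing: unknown roles, and a Workspace with no Admin
    (enforcing that would strip administrative access from everyone)."""
    errors = []
    for ws, assignments in desired_state.items():
        for a in assignments:
            if a.role not in ROLE_RANK:
                errors.append(f"{ws}: unknown role {a.role!r} for {a.principal}")
        if not any(a.role == "Admin" for a in assignments):
            errors.append(f"{ws}: no Admin in desired state")
    return errors


def build_sample() -> Tuple[Dict[str, List[Assignment]], Dict[str, List[Assignment]]]:
    """Constructed sample data: one managed Workspace that has drifted, plus one
    Workspace not in the config (which must be ignored)."""
    desired = {
        "Finance-Dev": [
            Assignment("sg-fabric-admins", "Group", "Admin"),
            Assignment("sg-finance-devs", "Group", "Member"),
            Assignment("svc-deploy", "ServicePrincipal", "Contributor"),
        ],
    }
    observed = {
        "Finance-Dev": [
            Assignment("sg-fabric-admins", "Group", "Admin"),
            Assignment("SG-Finance-Devs", "Group", "Member"),            # case differs only
            Assignment("contractor@contoso.com", "User", "Contributor"),  # added by a Member
            Assignment("svc-deploy", "ServicePrincipal", "Member"),       # elevated by a Member
        ],
        "Sandbox": [Assignment("someone@contoso.com", "User", "Admin")],  # not managed
    }
    return desired, observed


if __name__ == "__main__":
    desired_state, observed_state = build_sample()
    for problem in validate_desired_state(desired_state):
        raise SystemExit(f"config error: {problem}")
    for ws, plan in reconcile_tenant(desired_state, observed_state).items():
        print(ws, "in sync" if plan.is_noop() else "")
        for a in plan.add:
            print("  add   ", a.kind, a.principal, "->", a.role)
        for a in plan.remove:
            print("  remove", a.kind, a.principal, "(was", a.role + ")")
        for cur, want in plan.update:
            print("  update", cur.kind, cur.principal, cur.role, "->", want.role)
```

Removal is unconditional for anything not in the configuration, so the configuration file is the single source of truth; the Admin check in `validate_desired_state` is the guard rail that stops a typo in that file from locking a Workspace out.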
Link to repo (challenge file)
Link to repo as submodules & an auto-installer notebook
https://github.com/Argel-Tal/fabric-configuration-management/blob/SLL-Developer-Challenge/2026_SemanticLink_Argel-Tal_workspace-access-management-automation.ipynb