Get certified for free when you join Fabric Data Days 2026 and dive into Fabric, Power BI, SQL, AI, and other essential data skills.
Join nowJuly 7 - July 17 | Round 2 of the Power BI Dataviz World Championships. Don't miss your chance! Learn more
I'm trying to provide granular permissions for my system-assigned managed identity so that it doesn't have permission to do too many things.
At the Lakehouse level, I was able to give it "Read", "ReadAll" permisisons, but there wasn't an option to provide Write.
Within the Lakehouse, using "Manage OneLake Data Access (preview)", I created a role and assigned it to specific folders, but it also only shows Read, ReadAll.
How can I get this managed identity to have Write only on a selected set of folders? Workspace contributor seems too broad as it might provide Write to the entire Lakehouse which is undesireable.
That looks to be operation-specific but I didn't see anything that suggested it could scope the permission to a subset of resources.
I was using https://learn.microsoft.com/en-us/fabric/onelake/security/get-started-data-access-roles#assign-a-mem... as a reference as it appeared to allow for folder-level scoping of permissions.
Hi @kchung_msft ,
Perhaps you can leverage Azure role-based access control to create custom roles?The following articles may be helpful to you.
Join us in Barcelona for FabCon and SQLCon, the Fabric, Power BI, SQL, and AI community event. Save €200 with code FABCMTY200.
Join Data Days 2026: 60 days of free live/on-demand sessions, challenges, study groups, and certification opportunities.
| User | Count |
|---|---|
| 25 | |
| 10 | |
| 10 | |
| 5 | |
| 4 |