🔐 How many places in Microsoft Fabric do you define who sees what? 🤔
🧩 Semantic model → its own RLS
🧩 SQL Endpoint → its own access rules
🧩 Spark notebook → another layer
Each one enforced independently.
Each one maintained separately.
Each one a place where something can drift.
🎯 OneLake Security defines security once — at the storage layer.
🔸 Row-Level Security → SQL WHERE clause, scoped per role
🔸 Column-Level Security → control exactly which columns each role can see
One definition.
Automatically enforced across Spark, SQL Endpoint, Power BI — every engine reading the data.
⚠️ What to know before you start:
→ RLS and CLS must live in the same role when used together
→ Mixing them across roles breaks queries entirely
→ Once you enable OneLake Security on an item, it cannot be turned off
watch?v=U1Jdbw-pal0
