Login
May 22, 2025|
Voiced by Amazon Polly |
As enterprises continue to adopt Microsoft Fabric for unified data management and analytics, ensuring secure and controlled data access becomes paramount. In highly regulated industries or data-sensitive environments, simply securing the overall dataset isn’t enough. You need granular data protection—controlling access down to the table, column, and even row level. This is where Object-Level Security (OLS), Column-Level Security (CLS), and Row-Level Security (RLS) in OneLake come into play.
In this blog post, we’ll explore how to implement these security features effectively in OneLake, enabling fine-grained access control while maintaining performance and scalability.
Enhance Your Productivity with Microsoft Copilot
- Effortless Integration
- AI-Powered Assistance
What is OneLake?
OneLake is the unified data lake in Microsoft Fabric, offering a single logical data lake for your entire organization. It allows various workloads—like Data Engineering, Data Science, Real-Time Analytics, and BI—to interact with shared data seamlessly while keeping data security and governance in check.
With OneLake, securing data is not just about locking folders. It’s about enabling role-based, need-to-know access to only what’s required. That’s where OLS, CLS, and RLS become critical.
Note: OneLake security is currently in a limited preview. To request to join the preview and access these features, fill out the form at https://aka.ms/onelakesecuritypreview
1. Object-Level Security (OLS): Secure Tables and Folders
Use Case: Restrict access to specific tables or folders within a Fabric Lakehouse.
What it does: OLS lets you hide entire tables or folders from unauthorized users. Even metadata like table names and schemas won’t be visible to those without permission.
How to Implement OLS
- Navigate to your Lakehouse or Warehouse in Microsoft Fabric.
- Use the Access Control panel to assign permissions.
- Remove Read or Metadata access for users or groups on specific tables or folders.
- Validate using another user profile to ensure hidden resources don’t appear.
Best Practice: Apply OLS to protect sensitive datasets (like financial or HR data) from visibility across departments.
2. Column-Level Security (CLS): Restrict Sensitive Fields
Use Case: Hide or restrict access to specific columns like SSNs, salary data, or PII, while letting users see other non-sensitive fields in the same table.
What it does: CLS ensures that even if a user can access a table, specific columns will be invisible or inaccessible to them based on defined security roles.
How to Implement CLS
- Create a security role in your Lakehouse.
- Define column access policies using DENY COLUMN permissions in T-SQL or through UI.
- Assign users or groups to roles accordingly.
3. Row-Level Security (RLS): Filter Data by User Role
Use Case: Limit access to specific rows in a table, based on user roles or attributes.
What it does: RLS filters data at runtime, showing only the rows a user is permitted to see—ideal for department-level access, regional segregation, or personalized data views.
How to Implement RLS
- Create a security predicate (filter logic) on the table.
- Define roles with specific conditions using T-SQL:
- Assign users to roles and test visibility accordingly.
Bringing It All Together: OLS + CLS + RLS
Implementing all three layers provides defense-in-depth:
| Security Type | Level of Granularity | Use Case Example |
| OLS | Table or Folder | HR team can’t see Financials table |
| CLS | Specific Columns | Analysts can’t see SSN or Salary |
| RLS | Specific Rows | Managers only see their team’s records |
Combination Example:
A sales analyst in the East region only sees sales records for East customers (RLS), can’t view customer credit scores (CLS), and doesn’t even know the existence of the HR folder (OLS).
Final Tips for Granular Security Implementation
- Plan roles upfront: Design your security model around business roles and use cases.
- Use Entra ID groups: Easier management and automation of access controls.
- Audit regularly: Review permissions periodically to ensure compliance.
- Test with different user personas before deployment.
Conclusion
Granular data protection in Microsoft Fabric is not just about security—it’s about enabling responsible data access that drives insights without compromising compliance or privacy. By effectively implementing OLS, CLS, and RLS in OneLake, organizations can ensure the right people access the right data—and only the right data.
Become an Azure Expert in Just 2 Months with Industry-Certified Trainers
- Career-Boosting Skills
- Hands-on Labs
- Flexible Learning
About CloudThat
WRITTEN BY Pankaj Choudhary
Pankaj Choudhary is the Azure Data Vertical Head at CloudThat, specializing in Azure Data solutions. With 14 years of experience in data engineering, he has helped over 5,000 professionals upskill in technologies such as Azure, Databricks, Microsoft Fabric, and Big Data. Known for his ability to simplify complex concepts and deliver hands-on, practical learning, Pankaj brings deep technical expertise and industry insights into every training and solution engagement. He holds multiple certifications, including Databricks Certified Data Engineer Associate, Microsoft Certified: Azure Data Engineer Associate, and Apache Spark Developer. His work spans building scalable Lakehouse architectures, designing PySpark-based ETL pipelines, enabling real-time analytics, and implementing CI/CD pipelines with Azure DevOps. Pankaj’s passion for empowering teams and staying at the forefront of data innovation shapes his unique, outcome-driven approach to learning and development.
PREV
Comments