
Granular Data Protection in Microsoft Fabric: Implementing OneLake Security with OLS, CLS, and RLS

As enterprises continue to adopt Microsoft Fabric for unified data management and analytics, ensuring secure and controlled data access becomes paramount. In highly regulated industries or data-sensitive environments, simply securing the overall dataset isn’t enough. You need granular data protection—controlling access down to the table, column, and even row level. This is where Object-Level Security (OLS), Column-Level Security (CLS), and Row-Level Security (RLS) in OneLake come into play.

In this blog post, we’ll explore how to implement these security features effectively in OneLake, enabling fine-grained access control while maintaining performance and scalability.

What is OneLake?

OneLake is the unified data lake in Microsoft Fabric, offering a single logical data lake for your entire organization. It allows various workloads—like Data Engineering, Data Science, Real-Time Analytics, and BI—to interact with shared data seamlessly while keeping data security and governance in check.

With OneLake, securing data is not just about locking folders. It’s about enabling role-based, need-to-know access to only what’s required. That’s where OLS, CLS, and RLS become critical.

Note: OneLake security is currently in a limited preview. To request to join the preview and access these features, fill out the form at https://aka.ms/onelakesecuritypreview

1. Object-Level Security (OLS): Secure Tables and Folders

Use Case: Restrict access to specific tables or folders within a Fabric Lakehouse.

What it does: OLS lets you hide entire tables or folders from unauthorized users. Even metadata like table names and schemas won’t be visible to those without permission.

How to Implement OLS

  1. Navigate to your Lakehouse or Warehouse in Microsoft Fabric.
  2. Use the Access Control panel to assign permissions.
  3. Remove Read or Metadata access for users or groups on specific tables or folders.
  4. Validate using another user profile to ensure hidden resources don’t appear.

Best Practice: Apply OLS to protect sensitive datasets (like financial or HR data) from visibility across departments.

2. Column-Level Security (CLS): Restrict Sensitive Fields

Use Case: Hide or restrict access to specific columns like SSNs, salary data, or PII, while letting users see other non-sensitive fields in the same table.

What it does: CLS ensures that even if a user can access a table, specific columns will be invisible or inaccessible to them based on defined security roles.

How to Implement CLS

  1. Create a security role in your Lakehouse.
  2. Define column access policies using DENY COLUMN permissions in T-SQL or through the UI.
  3. Assign users or groups to roles accordingly.
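
The three steps above as a T-SQL script. This is an added example, not code from the original post: the table, role and principal names are hypothetical, and it assumes a T-SQL endpoint (Fabric Warehouse or SQL Server) where column-scoped `GRANT`/`DENY` and the `sys` catalog views are available.

```sql
-- Constructed sample table; every object and principal name is hypothetical.
CREATE TABLE dbo.Employees (
    EmployeeID int            NOT NULL,
    FullName   varchar(100)   NOT NULL,
    Department varchar(50)    NOT NULL,
    SSN        varchar(11)    NOT NULL,
    Salary     decimal(12, 2) NOT NULL
);
GO

-- Step 1: a role that models the business function, not an individual.
CREATE ROLE hr_analysts;
GO

-- Step 2: grant read on the table, then deny the sensitive columns.
-- The column-level DENY overrides the table-level GRANT, and it still
-- applies if a member later receives SELECT through a second role.
GRANT SELECT ON dbo.Employees TO hr_analysts;
DENY  SELECT ON dbo.Employees (SSN, Salary) TO hr_analysts;
GO

-- Step 3: add members. The principal must already exist as a user of
-- this database or item; an Entra ID group is easier to manage than users.
ALTER ROLE hr_analysts ADD MEMBER [analyst@contoso.com];
GO

-- Validation, run while connected as a member of hr_analysts:
--   SELECT EmployeeID, FullName, Department FROM dbo.Employees;  (permitted columns)
--   SELECT * FROM dbo.Employees;  (touches SSN and Salary, so it must be rejected)

-- Audit: list every column-scoped permission in the database.
-- minor_id > 0 means the permission targets a column, not the whole object.
SELECT pr.name                 AS principal_name,
       p.state_desc            AS grant_or_deny,
       p.permission_name,
       OBJECT_NAME(p.major_id) AS table_name,
       c.name                  AS column_name
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
JOIN sys.columns              AS c  ON c.object_id = p.major_id
                                   AND c.column_id = p.minor_id
WHERE p.class = 1 AND p.minor_id > 0
ORDER BY table_name, column_name, principal_name;
```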

3. Row-Level Security (RLS): Filter Data by User Role

Use Case: Limit access to specific rows in a table, based on user roles or attributes.

What it does: RLS filters data at runtime, showing only the rows a user is permitted to see—ideal for department-level access, regional segregation, or personalized data views.

How to Implement RLS

  1. Create a security predicate (filter logic) on the table.
  2. Define roles with specific conditions using T-SQL.
  3. Assign users to roles and test visibility accordingly.
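
One way to write the predicate and bind it to a table, as an added example that is not code from the original post. All object and user names are hypothetical; it filters by a user-to-region mapping table rather than by role membership, and assumes a T-SQL endpoint (Fabric Warehouse or SQL Server) that supports `CREATE SECURITY POLICY`.

```sql
-- Constructed sample schema; every object and user name is hypothetical.
CREATE TABLE dbo.Sales (
    OrderID  int            NOT NULL,
    Region   varchar(20)    NOT NULL,
    Customer varchar(100)   NOT NULL,
    Amount   decimal(12, 2) NOT NULL
);
-- Mapping of users to the regions they may read. Filtered users need no
-- permission on this table and must never be able to write to it.
CREATE TABLE dbo.RegionAccess (
    UserName varchar(128) NOT NULL,
    Region   varchar(20)  NOT NULL
);
INSERT INTO dbo.RegionAccess (UserName, Region)
VALUES ('east.analyst@contoso.com', 'East');
GO
CREATE SCHEMA Security;
GO

-- Step 1: the security predicate. It returns a row only when the caller
-- is mapped to the region of the row being evaluated, so a user with no
-- mapping entry sees zero rows (default deny).
CREATE FUNCTION Security.fn_region_filter (@Region AS varchar(20))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS allowed
    FROM dbo.RegionAccess AS ra
    WHERE ra.Region = @Region
      AND ra.UserName = USER_NAME();
GO

-- Step 2: bind the predicate to the table as a filter and switch it on.
CREATE SECURITY POLICY Security.SalesRegionPolicy
    ADD FILTER PREDICATE Security.fn_region_filter(Region) ON dbo.Sales
    WITH (STATE = ON);
GO

-- Step 3: give the user read access; the policy then narrows the rows.
GRANT SELECT ON dbo.Sales TO [east.analyst@contoso.com];
GO

-- Audit: confirm which tables are filtered and that the policy is enabled.
SELECT sp.name AS policy_name, sp.is_enabled,
       OBJECT_NAME(pr.target_object_id) AS target_table,
       pr.predicate_type_desc, pr.predicate_definition
FROM sys.security_policies   AS sp
JOIN sys.security_predicates AS pr ON pr.object_id = sp.object_id;
```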

Bringing It All Together: OLS + CLS + RLS

Implementing all three layers provides defense-in-depth:

Security Type | Level of Granularity | Use Case Example
OLS | Table or Folder | HR team can’t see Financials table
CLS | Specific Columns | Analysts can’t see SSN or Salary
RLS | Specific Rows | Managers only see their team’s records

Combination Example:

A sales analyst in the East region only sees sales records for East customers (RLS), can’t view customer credit scores (CLS), and doesn’t even know the existence of the HR folder (OLS).

Final Tips for Granular Security Implementation

  • Plan roles upfront: Design your security model around business roles and use cases.
  • Use Entra ID groups: Easier management and automation of access controls.
  • Audit regularly: Review permissions periodically to ensure compliance.
  • Test with different user personas before deployment.

Conclusion

Granular data protection in Microsoft Fabric is not just about security—it’s about enabling responsible data access that drives insights without compromising compliance or privacy. By effectively implementing OLS, CLS, and RLS in OneLake, organizations can ensure the right people access the right data—and only the right data.

WRITTEN BY Pankaj Choudhary
