How lakehouse sharing works
When you share a lakehouse, you grant other users or groups access to a lakehouse without giving access to the workspace and the rest of its items. To see the list of items that others shared with you, select Browse in the Fabric navigation bar, and then select Shared with me. You can also see lakehouses that others shared with you in your OneLake catalog.
Sharing a lakehouse also grants access to the SQL analytics endpoint and the associated default semantic model.
To share a lakehouse, navigate to your workspace, and select the Share icon next to the lakehouse name. You can also select the ellipsis (...), then, from the More options menu, select Share. Complete the fields in the Grant people access screen and select Grant.
To edit or remove permissions, see Managing permissions.
Sharing and permissions
By default, sharing a lakehouse grants users read permission to the lakehouse, the associated SQL analytics endpoint, and the default semantic model. In addition to these default permissions, you can grant:
- ReadData permission on SQL analytics endpoint to access data without SQL policy.
- ReadAll permission on the lakehouse to access all data using Apache Spark.
- Build permission on the default semantic model to allow building Power BI reports on top of the semantic model.
Managing permissions
After you share an item, you can edit or remove permissions on the Direct access screen for that item. To manage permissions for the lakehouse you shared, navigate to your workspace and select the ellipsis (...) next to the lakehouse name. From the More options menu, select Manage permissions. On the Direct access screen, you can see the access you granted, add custom permissions, and remove access and custom permissions.
Folder level access control
OneLake data access permissions (preview) allow you to create custom roles within a lakehouse and to grant read permissions only to specific folders in OneLake. OneLake folder security is inheritable for all subfolders. For each OneLake role, you can assign users and security groups, or grant an automatic assignment based on the workspace role.
Learn more about OneLake Role-based access control (RBAC).
OneLake data access roles
To create a new data access role:
Open the lakehouse where you want to define the new role.
Select Manage OneLake data access (preview) from the ribbon, and confirm that you want to enable data access roles (preview) for the lakehouse.
Next select New role and enter a name for the role.
If you want the role to apply to all folders in the lakehouse, select All folders. If you want the role to only apply to selected folders, choose Selected folders and select the relevant folders.
Select Save. A notification appears that confirms the creation of the new role.
From the Edit <role name> pane, grant the new role Read permissions. To do so, select Assign role.
Choose the permissions you would like to assign, enter names or email addresses in the Add people or groups field and select Add.
Review the assignee list under Assigned people and groups, remove any that you don't want on the list, and select Save.
For more information, see Get started with OneLake data access roles.