Solved: Lakehouse Access

smpa01 · ‎07-30-2024

Is it possible to restrict access to a Lakehouse for a specific adimn in workspace.

The current workspace is shared by 4 different Admins from different dept. Each Admin has their dept-specific lakehouse; just to prevent one admin to accidentally write anything to LH1(specific to me) / destory anything from LH1, is threre any way to restrict to access of other admin to LH1.

None of us are tenant admin; rather we re workspace admin.

Did I answer your question? Mark my post as a solution!

Proud to be a Super User!

My custom visualization projects

Plotting Live Sound: Viz1

Beautiful News:Viz1, Viz2, Viz3

Visual Capitalist: Working Hrs

Others:Easing Graph, Animated Calendar

Anonymous · ‎07-31-2024

Hi @smpa01 ,

Thanks for the reply from @frithjof_v .

In lakehouse, users with Admin, Member, Contributor roles can perform all CRUD operations on all data. Users with the Viewer role can only read data stored in tables using SQL analysis endpoints.

If you have 4 Admins in the same workspace, then they will have access to perform all CRUD operations on all data at the same time.

To accomplish your needs, it would be best if each department had its own workspace, and then each administrator had their department-specific OneLakehouse.

You can also try the Medal Architecture, which does not allow for direct editing of permissions, but does allow for different functionality through different levels.

It is divided into three different levels, each representing an increase in data quality:

Bronze Layer (Bronze Layer): this is the raw data layer, storing raw data imported directly from various data sources. Data is not processed at this level and may contain duplicates and errors.

Silver Layer: At this level, data is cleaned, validated and de-duplicated. Data in the Silver Layer is of higher quality and is suitable for further analysis and processing.

Gold Layer: This is the highest quality data layer and stores highly optimized and aggregated data. Data in the Gold Layer is typically used for final business intelligence and reporting, as it has been fully processed and validated.

If you have four departments ABCD, and you create three different layers of Lakehouse for department A, you can give access to Bronze Layer only to department BCD.

For more information on the medallion structure see the documentation below:

What is the medallion lakehouse architecture? - Azure Databricks | Microsoft Learn

Implement medallion lakehouse architecture in Microsoft Fabric - Microsoft Fabric | Microsoft Learn

Best Regards,
Yang
Community Support Team

If there is any post helps, then please consider Accept it as the solution to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!

View solution in original post

frithjof_v · ‎07-30-2024

I don't think so.

Then I think you would need to remove those users from the Workspace access, and instead give them item permissions on the relevant items which they need permission on.

(Or put the lakehouses in separate workspaces).

In general, if a user has a workspace role (admin, member, contributor, viewer) then the workspace role will give them permissions on all items in the workspace according to the workspace role they have.

https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces

Anonymous · ‎07-31-2024