OneLake Data Access Security - Create Or Update Data Access Roles
Creates or updates data access roles in OneLake.
Note
This API is part of a Preview release and is provided for evaluation and development purposes only. It may change based on feedback and is not recommended for production use.
Required Delegated Scopes
OneLake.ReadWrite.All
Microsoft Entra supported identities
This API supports the Microsoft identities listed in this section.
| Identity | Support |
|---|---|
| User | Yes |
| Service principal and Managed identities | Yes |
Interface
PUT https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}/dataAccessRoles
PUT https://api.fabric.microsoft.com/v1/workspaces/{workspaceId}/items/{itemId}/dataAccessRoles?dryRun={dryRun}
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| itemId | path | True | string (uuid) | The ID of the Fabric item whose data access roles are being put. |
| workspaceId | path | True | string (uuid) | The workspace ID. |
| dryRun | query |  | boolean | Triggers a dry run of the API call. true: the request is validated and no roles are changed. false: roles are created, updated or deleted to match the payload. |
Request Header
| Name | Required | Type | Description |
|---|---|---|---|
| If-Match |  | string | An ETag value, which must be given in quotes. If provided, the call succeeds only if the resource's current ETag matches it, so a write based on a stale copy of the roles fails instead of silently overwriting another caller's change. The sample responses below return the ETag without quotes; add them when echoing it back. |
| If-None-Match |  | string | An ETag value, which must be given in quotes. If provided, the call succeeds only if the resource's current ETag does not match it. |
Request Body
| Name | Type | Description |
|---|---|---|
| value | DataAccessRole[] | A list of roles that are used to manage data access security and ensure that only authorized users can view certain data. A role represents a set of permissions and permission scopes that define what actions its members are allowed to perform on the data in scope. Members are users or groups who have been granted the role, and they can read the data based on the permissions assigned to the role. For example, a member can be a Microsoft Entra ID group and a permission scope can be a Read action applied to a given path to files, folders or tables in OneLake. The list is authoritative: the call creates, updates or deletes roles so that the item's role set matches this payload, so any existing role left out of value is removed. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |  | Request completed successfully. Headers: ETag: string |
| Other Status Codes | ErrorResponse | Common error codes, returned as an ErrorResponse body. |
Examples
Create or update data access roles example
Create or update data access roles with constraints example
Create or update data access roles with tables path example
Create or update data access roles example
Sample request
PUT https://api.fabric.microsoft.com/v1/workspaces/cfafbeb1-8037-4d0c-896e-a46fb27ff222/items/25bac802-080d-4f73-8a42-1b406eb1fceb/dataAccessRoles
{
"value": [
{
"name": "default_role_1",
"decisionRules": [
{
"effect": "Permit",
"permission": [
{
"attributeName": "Path",
"attributeValueIncludedIn": [
"*"
]
},
{
"attributeName": "Action",
"attributeValueIncludedIn": [
"Read"
]
}
]
}
],
"members": {
"fabricItemMembers": [
{
"itemAccess": [
"ReadAll"
],
"sourcePath": "cfafbeb1-8037-4d0c-896e-a46fb27ff222/25bac802-080d-4f73-8a42-1b406eb1fceb"
}
]
}
}
]
}
Sample response
ETag: 33a64df551425fcc55e4d42a148795d9f25f89d4
Create or update data access roles with constraints example
Sample request
PUT https://api.fabric.microsoft.com/v1/workspaces/cfafbeb1-8037-4d0c-896e-a46fb27ff222/items/25bac802-080d-4f73-8a42-1b406eb1fceb/dataAccessRoles
{
"value": [
{
"name": "default_role_1",
"decisionRules": [
{
"effect": "Permit",
"permission": [
{
"attributeName": "Path",
"attributeValueIncludedIn": [
"*"
]
},
{
"attributeName": "Action",
"attributeValueIncludedIn": [
"Read"
]
}
],
"constraints": {
"columns": [
{
"tablePath": "/Tables/industrytable",
"columnNames": [
"Industry"
],
"columnEffect": "Permit",
"columnAction": [
"Read"
]
}
],
"rows": [
{
"tablePath": "/Tables/industrytable",
"value": "select * from Industrytable where Industry=\"Green\""
}
]
}
}
],
"members": {
"fabricItemMembers": [
{
"itemAccess": [
"ReadAll"
],
"sourcePath": "cfafbeb1-8037-4d0c-896e-a46fb27ff222/25bac802-080d-4f73-8a42-1b406eb1fceb"
}
]
}
}
]
}
Sample response
ETag: 33a64df551425fcc55e4d42a148795d9f25f89d4
Create or update data access roles with tables path example
Sample request
PUT https://api.fabric.microsoft.com/v1/workspaces/cfafbeb1-8037-4d0c-896e-a46fb27ff222/items/25bac802-080d-4f73-8a42-1b406eb1fceb/dataAccessRoles
{
"value": [
{
"name": "default_role_1",
"decisionRules": [
{
"effect": "Permit",
"permission": [
{
"attributeName": "Path",
"attributeValueIncludedIn": [
"/Tables/sales",
"/Tables/users"
]
},
{
"attributeName": "Action",
"attributeValueIncludedIn": [
"Read"
]
}
]
}
],
"members": {
"fabricItemMembers": [
{
"itemAccess": [
"ReadAll"
],
"sourcePath": "cfafbeb1-8037-4d0c-896e-a46fb27ff222/25bac802-080d-4f73-8a42-1b406eb1fceb"
}
]
}
}
]
}
Sample response
ETag: 33a64df551425fcc55e4d42a148795d9f25f89d5
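The flow a practitioner needs around this call, as an added example that is not code from the Fabric documentation or the Fabric SDK: assemble a role payload in the shape of the examples above, validate it against the enumerations and the sourcePath pattern documented in the Definitions section, dry-run it, and then write with a quoted If-Match ETag so that a concurrent change to the roles fails the PUT instead of being overwritten. It assumes the caller already holds a Microsoft Entra bearer token carrying OneLake.ReadWrite.All and uses urllib for transport; make_role, validate, build_request and apply_roles are names chosen here, not API names, and the workspace and item IDs used in the usage are the ones from the sample requests on this page.

```python
"""Added example, not code from the Fabric docs or SDK: build, validate and
send a Create Or Update Data Access Roles request.
Assumed, not stated on the page: the caller holds a Microsoft Entra bearer
token carrying OneLake.ReadWrite.All and HTTP goes through urllib."""
import json
import re
import urllib.request

BASE = "https://api.fabric.microsoft.com/v1"
# Enumerations exactly as documented under Definitions on this page.
EFFECTS = {"Permit"}
ATTRIBUTE_NAMES = {"Path", "Action"}
COLUMN_EFFECTS = {"Permit"}
COLUMN_ACTIONS = {"Read"}
ITEM_ACCESS = {"Read", "Write", "Reshare", "Explore", "Execute", "ReadAll"}
OBJECT_TYPES = {"Group", "User", "ServicePrincipal", "ManagedIdentity"}
# sourcePath pattern copied from FabricItemMember: <workspaceId>/<itemId>.
SOURCE_PATH = re.compile(
    r"^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?/"
    r"[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
)


def make_role(name, paths, *, actions=("Read",), entra_members=(),
              item_members=(), constraints=None):
    """One DataAccessRole with a single Permit rule, shaped like the sample requests.
    entra_members: (tenantId, objectId, objectType) tuples;
    item_members: (sourcePath, [itemAccess, ...]) tuples;
    constraints: optional Constraints object (columns / rows)."""
    rule = {
        "effect": "Permit",
        "permission": [
            {"attributeName": "Path", "attributeValueIncludedIn": list(paths)},
            {"attributeName": "Action", "attributeValueIncludedIn": list(actions)},
        ],
    }
    if constraints:
        rule["constraints"] = constraints
    members = {}
    if entra_members:
        members["microsoftEntraMembers"] = [
            {"tenantId": t, "objectId": o, "objectType": typ} for t, o, typ in entra_members]
    if item_members:
        members["fabricItemMembers"] = [
            {"sourcePath": sp, "itemAccess": list(acc)} for sp, acc in item_members]
    return {"name": name, "decisionRules": [rule], "members": members}


def validate(payload):
    """Return schema problems (empty list = clean). Also rejects an empty value
    list, which deletes every role because PUT replaces the whole set."""
    roles = payload.get("value")
    if not isinstance(roles, list) or not roles:
        return ["value must be a non-empty list of roles (PUT replaces the whole set)"]
    problems = []
    for role in roles:
        n = role.get("name", "<unnamed>")
        for rule in role.get("decisionRules", []):
            if rule.get("effect") not in EFFECTS:
                problems.append(f"{n}: effect {rule.get('effect')!r} unsupported")
            for scope in rule.get("permission", []):
                if scope.get("attributeName") not in ATTRIBUTE_NAMES:
                    problems.append(f"{n}: attributeName {scope.get('attributeName')!r} unsupported")
            for col in rule.get("constraints", {}).get("columns", []):
                if (col.get("columnEffect") not in COLUMN_EFFECTS
                        or not set(col.get("columnAction", [])) <= COLUMN_ACTIONS):
                    problems.append(f"{n}: bad column constraint on {col.get('tablePath')}")
        members = role.get("members", {})
        for m in members.get("fabricItemMembers", []):
            if (not SOURCE_PATH.match(m.get("sourcePath", ""))
                    or not set(m.get("itemAccess", [])) <= ITEM_ACCESS):
                problems.append(f"{n}: bad fabricItemMember {m.get('sourcePath')!r}")
        for m in members.get("microsoftEntraMembers", []):
            if m.get("objectType") not in OBJECT_TYPES:
                problems.append(f"{n}: objectType {m.get('objectType')!r} unsupported")
    return problems


def build_request(workspace_id, item_id, payload, token, *, dry_run=False, if_match=None):
    """PUT .../dataAccessRoles with the query string and headers documented above."""
    url = f"{BASE}/workspaces/{workspace_id}/items/{item_id}/dataAccessRoles"
    if dry_run:
        url += "?dryRun=true"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if if_match is not None:
        # The page requires a quoted ETag, but the sample responses return it bare.
        headers["If-Match"] = if_match if if_match.startswith('"') else f'"{if_match}"'
    return urllib.request.Request(url, data=json.dumps(payload).encode(),
                                  headers=headers, method="PUT")


def apply_roles(workspace_id, item_id, payload, token, current_etag, opener=urllib.request.urlopen):
    """Validate, dry-run, then write with If-Match; returns the new ETag.
    `opener` is injectable so the flow can be exercised against a stub."""
    problems = validate(payload)
    if problems:
        raise ValueError("; ".join(problems))
    with opener(build_request(workspace_id, item_id, payload, token, dry_run=True)):
        pass  # a rejected dry run raises HTTPError before anything changes
    with opener(build_request(workspace_id, item_id, payload, token, if_match=current_etag)) as resp:
        return resp.headers.get("ETag")
```

The validator deliberately refuses an empty value list: the service would accept it, and because PUT replaces the whole set, it would delete every role on the item. The ETag passed to apply_roles should come from the previous response; if another caller has changed the roles since, the write fails with a precondition error and the caller re-reads before retrying rather than clobbering the other change.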
Definitions
| Name | Description |
|---|---|
| AttributeName | Specifies the name of the attribute that is being evaluated for access permissions. AttributeName can be Path or Action. Additional attributeName types may be added over time. |
| ColumnAction | The array of actions applied to the columnNames. This determines which actions a user will be able to perform on columns. The allowed values are: Read. Additional columnAction types may be added over time. |
| ColumnConstraint | ColumnConstraint indicates a constraint that determines the permissions and visibility a user has on columns within a table. |
| ColumnEffect | The effect given to the columnNames. The only allowed value is Permit. Additional columnEffect types may be added over time. |
| Constraints | Any constraints such as row or column level security that are applied to tables as part of this role. If not included, no constraints apply to any tables in the role. |
| CreateOrUpdateDataAccessRolesRequest | Contains the definition of the roles that are used to manage data access security and ensure that only authorized users can view, edit, or delete certain data. Calling this API updates role definitions and creates, updates, or deletes roles to match the provided payload. |
| DataAccessRole | A data access role represents a set of permissions and permission scopes that define what actions its members are allowed to perform on the data in scope. Data access roles are used to manage data access security and ensure that only authorized users can view, edit, or delete certain data. Members are users or groups who have been granted the role, and they can read the data based on the permissions assigned to the role. For example, a member can be a Microsoft Entra ID group and a permission scope can be a Read action applied to a given path to files, folders or tables in OneLake. |
| DecisionRule | Specifies a rule for matching the requested action. Contains an effect (Permit) and a permission, which together determine whether a user or entity is authorized to perform a specific action (for example, read) on a resource. The permission is a set of scopes, defined by attributes, that must match the requested action for the rule to apply. |
| Effect | The effect that a role has on access to the data resource. Currently, the only supported effect type is Permit, which grants access to the resource. Additional effect types may be added over time. |
| ErrorRelatedResource | The error related resource details object. |
| ErrorResponse | The error response. |
| ErrorResponseDetails | The error response details. |
| FabricItemMember | Fabric item member. |
| ItemAccess | The item permissions a Fabric user must hold to be automatically included in the role's members. Additional itemAccess types may be added over time. |
| Members | The members object, which contains the members of the role as arrays of different member types. |
| MicrosoftEntraMember | Microsoft Entra ID member assigned to the role. |
| ObjectType | The type of Microsoft Entra ID object. Additional objectType types may be added over time. |
| PermissionScope | Defines a set of attributes (properties) that determine the scope and level of access to a resource. When attributeName is Path, attributeValueIncludedIn must specify the location of the resource being accessed, such as "Tables/Table1". When attributeName is Action, attributeValueIncludedIn must specify the type of access being granted, such as Read. |
| RowConstraint | RowConstraint indicates a constraint that determines the rows in a table that users can see. Roles defined with RowConstraints use T-SQL to define a predicate that filters data in a table. Rows that do not meet the predicate's conditions are filtered out, leaving a subset of the original rows. RowConstraints can also be used to specify dynamic and multi-table flavors of RLS using T-SQL. |
AttributeName
Specifies the name of the attribute that is being evaluated for access permissions. AttributeName can be Path or Action. Additional attributeName types may be added over time.
| Value | Description |
|---|---|
| Path | Attribute name Path |
| Action | Attribute name Action |
ColumnAction
The array of actions applied to the columnNames. This determines which actions a user will be able to perform on columns. The allowed values are: Read. Additional columnAction types may be added over time.
| Value | Description |
|---|---|
| Read | The ColumnAction value Read |
ColumnConstraint
ColumnConstraint indicates a constraint that determines the permissions and visibility a user has on columns within a table.
| Name | Type | Description |
|---|---|---|
| columnAction | ColumnAction[] | The array of actions applied to the columnNames. This determines which actions a user will be able to perform on columns. The allowed values are: Read. Additional columnAction types may be added over time. |
| columnEffect | ColumnEffect | The effect given to the columnNames. The only allowed value is Permit. Additional columnEffect types may be added over time. |
| columnNames | string[] | An array of case sensitive column names. Each value is a column name from the table specified in tablePath. |
| tablePath | string | A relative file path specifying which table the column constraint applies to. This should be in the form of a path under /Tables, such as /Tables/industrytable in the request examples above. |
ColumnEffect
The effect given to the columnNames. The only allowed value is Permit. Additional columnEffect types may be added over time.
| Value | Description |
|---|---|
| Permit | The ColumnEffect type Permit |
Constraints
Any constraints such as row or column level security that are applied to tables as part of this role. If not included, no constraints apply to any tables in the role.
| Name | Type | Description |
|---|---|---|
| columns | ColumnConstraint[] | The array of column constraints applied to one or more tables in the data access role. |
| rows | RowConstraint[] | The array of row constraints applied to one or more tables in the data access role. |
CreateOrUpdateDataAccessRolesRequest
Contains the definition of the roles that are used to manage data access security and ensure that only authorized users can view, edit, or delete certain data. Calling this API updates role definitions and creates, updates, or deletes roles to match the provided payload.
| Name | Type | Description |
|---|---|---|
| value | DataAccessRole[] | A list of roles that are used to manage data access security and ensure that only authorized users can view certain data. A role represents a set of permissions and permission scopes that define what actions its members are allowed to perform on the data in scope. Members are users or groups who have been granted the role, and they can read the data based on the permissions assigned to the role. For example, a member can be a Microsoft Entra ID group and a permission scope can be a Read action applied to a given path to files, folders or tables in OneLake. |
DataAccessRole
A data access role represents a set of permissions and permission scopes that define what actions its members are allowed to perform on the data in scope. Data access roles are used to manage data access security and ensure that only authorized users can view, edit, or delete certain data. Members are users or groups who have been granted the role, and they can read the data based on the permissions assigned to the role. For example, a member can be a Microsoft Entra ID group and a permission scope can be a Read action applied to a given path to files, folders or tables in OneLake.
| Name | Type | Description |
|---|---|---|
| decisionRules | DecisionRule[] | The array of permissions that make up the data access role. |
| id | string (uuid) | The unique id for the data access role. |
| members | Members | The members object, which contains the members of the role as arrays of different member types. |
| name | string | The name of the data access role. |
DecisionRule
Specifies a rule for matching the requested action. Contains an effect (Permit) and a permission, which together determine whether a user or entity is authorized to perform a specific action (for example, read) on a resource. The permission is a set of scopes, defined by attributes, that must match the requested action for the rule to apply.
| Name | Type | Description |
|---|---|---|
| constraints | Constraints | Any constraints such as row or column level security that are applied to tables as part of this role. If not included, no constraints apply to any tables in the role. |
| effect | Effect | The effect that a role has on access to the data resource. Currently, the only supported effect type is Permit, which grants access to the resource. Additional effect types may be added over time. |
| permission | PermissionScope[] | The set of permission scopes, each defined by an attribute, that the requested action must match for this rule to apply. |
Effect
The effect that a role has on access to the data resource. Currently, the only supported effect type is Permit, which grants access to the resource. Additional effect types may be added over time.
| Value | Description |
|---|---|
| Permit | The effect type Permit |
ErrorRelatedResource
The error related resource details object.
| Name | Type | Description |
|---|---|---|
| resourceId | string | The resource ID that's involved in the error. |
| resourceType | string | The type of the resource that's involved in the error. |
ErrorResponse
The error response.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between the service and its users. |
| message | string | A human readable representation of the error. |
| moreDetails | ErrorResponseDetails[] | List of additional error details. |
| relatedResource | ErrorRelatedResource | The error related resource details. |
| requestId | string | ID of the request associated with the error. |
ErrorResponseDetails
The error response details.
| Name | Type | Description |
|---|---|---|
| errorCode | string | A specific identifier that provides information about an error condition, allowing for standardized communication between the service and its users. |
| message | string | A human readable representation of the error. |
| relatedResource | ErrorRelatedResource | The error related resource details. |
FabricItemMember
Fabric item member: every Fabric user who holds the listed item permissions on the item at sourcePath is automatically a member of the role.
| Name | Type | Description |
|---|---|---|
| itemAccess | ItemAccess[] | The item permissions a Fabric user must hold on the item at sourcePath to be automatically included in the role's members. Additional itemAccess types may be added over time. |
| sourcePath | string, pattern: ^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?/[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$ | The path to the Fabric item having the specified item access, in the form workspaceId/itemId (two GUIDs separated by a slash, as in the sample requests). |
ItemAccess
The item permissions a Fabric user must hold to be automatically included in the role's members. Additional itemAccess types may be added over time.
| Value | Description |
|---|---|
| Read | Item Access Read. |
| Write | Item Access Write. |
| Reshare | Item Access Reshare. |
| Explore | Item Access Explore. |
| Execute | Item Access Execute. |
| ReadAll | Item Access ReadAll. |
Members
The members object, which contains the members of the role as arrays of different member types.
| Name | Type | Description |
|---|---|---|
| fabricItemMembers | FabricItemMember[] | A list of members who have a certain permission set on an item in Microsoft Fabric. All users with that permission set are added as members of this data access role. |
| microsoftEntraMembers | MicrosoftEntraMember[] | The list of Microsoft Entra ID members. |
MicrosoftEntraMember
Microsoft Entra ID member assigned to the role.
| Name | Type | Description |
|---|---|---|
| objectId | string (uuid) | The object id. |
| objectType | ObjectType | The type of Microsoft Entra ID object. Additional objectType types may be added over time. |
| tenantId | string (uuid) | The tenant id. |
ObjectType
The type of Microsoft Entra ID object. Additional objectType types may be added over time.
| Value | Description |
|---|---|
| Group | Microsoft Entra ID object type Group |
| User | Microsoft Entra ID object type User |
| ServicePrincipal | Microsoft Entra ID object type ServicePrincipal |
| ManagedIdentity | Microsoft Entra ID object type ManagedIdentity |
PermissionScope
Defines a set of attributes (properties) that determine the scope and level of access to a resource. When attributeName is Path, attributeValueIncludedIn must specify the location of the resource being accessed, such as "Tables/Table1". When attributeName is Action, attributeValueIncludedIn must specify the type of access being granted, such as Read.
| Name | Type | Description |
|---|---|---|
| attributeName | AttributeName | Specifies the name of the attribute that is being evaluated for access permissions. AttributeName can be Path or Action. Additional attributeName types may be added over time. |
| attributeValueIncludedIn | string[] | Specifies the list of values for the attribute named in attributeName: resource paths when attributeName is Path, and access types such as Read when attributeName is Action. |
RowConstraint
RowConstraint indicates a constraint that determines the rows in a table that users can see. Roles defined with RowConstraints use T-SQL to define a predicate that filters data in a table. Rows that do not meet the predicate's conditions are filtered out, leaving a subset of the original rows. RowConstraints can also be used to specify dynamic and multi-table flavors of RLS using T-SQL.
| Name | Type | Description |
|---|---|---|
| tablePath | string | A relative file path specifying which table the row constraint applies to. This should be in the form of a path under /Tables, such as /Tables/industrytable in the request examples above. |
| value | string | A T-SQL expression that is used to evaluate which rows the role members can see. Only a subset of T-SQL can be used as a predicate. Because the value is executed as T-SQL, build it from fixed, reviewed text rather than by interpolating caller-supplied strings. |