Write Access to OneLake folder using RBAC

kchung_msft · ‎05-01-2024

I'm trying to provide granular permissions for my system-assigned managed identity so that it doesn't have permission to do too many things.

At the Lakehouse level, I was able to give it "Read", "ReadAll" permisisons, but there wasn't an option to provide Write.

Within the Lakehouse, using "Manage OneLake Data Access (preview)", I created a role and assigned it to specific folders, but it also only shows Read, ReadAll.

How can I get this managed identity to have Write only on a selected set of folders? Workspace contributor seems too broad as it might provide Write to the entire Lakehouse which is undesireable.

kchung_msft · ‎05-02-2024

That looks to be operation-specific but I didn't see anything that suggested it could scope the permission to a subset of resources.
I was using https://learn.microsoft.com/en-us/fabric/onelake/security/get-started-data-access-roles#assign-a-mem... as a reference as it appeared to allow for folder-level scoping of permissions.

v-zhouwen-msft · ‎05-02-2024

Hi @kchung_msft ,

Perhaps you can leverage Azure role-based access control to create custom roles?The following articles may be helpful to you.

Azure custom roles - Azure RBAC | Microsoft Learn

Write Access to OneLake folder using RBAC

Helpful resources

Fabric certifications survey

Power BI Monthly Update - April 2024

Fabric Community Update - April 2024