# OneLake Security (ABAC)
OneLake uses Attribute-Based Access Control (ABAC) for fine-grained data security.
## Concepts
- Role: A named collection of rules and members
- Rule: Path-based access control with optional RLS/CLS
- Member: User, group, or item that gets access
## Creating Roles

```python
import fabias
from fabias import Role, Rule, EntraMember, FabricItem, ReadWrite

ws = fabias.workspace("GENESIS")
lakehouse = ws.lakehouse("Analytics")

# Create a role with rules and members
role = Role(
    name="DataAnalysts",
    rules=[
        Rule(paths=["tables"], accessLevel=ReadWrite.READ),
        Rule(paths=["Files/reports"], accessLevel=ReadWrite.READWRITE)
    ],
    members=[
        EntraMember("analyst-group-guid"),
        EntraMember("individual-user-guid")
    ]
)

# Save the role
lakehouse.accessRoles.add(role)
```
## Path Shortcuts

User-friendly path shortcuts are automatically normalized:

| Shortcut | Expands To | Meaning |
|---|---|---|
| `*` | `*` | Everything (Tables + Files) |
| `tables` | `/Tables/` | All tables |
| `files` | `/Files/` | All files |
| `dbo.*` | `/Tables/dbo` | All tables in dbo schema |
| `/Files/raw/` | `/Files/raw/` | Explicit path (as-is) |
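The following is an added example, not fabias's own normalization code, showing how a reviewer can reproduce the table above before a rule is saved. It generalizes the `dbo.*` row to any `<schema>.*` (an assumption), and it rejects anything it cannot map, including paths with `..` segments, rather than guessing (also an assumption about how strictly the library itself behaves).

```python
"""Added example: normalize OneLake path shortcuts as the table describes.
This is not the fabias implementation; it is a stand-alone reference."""
import re

# `dbo.*` -> `/Tables/dbo`; generalized here to any schema name (assumption)
SCHEMA_WILDCARD = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\.\*$")


def normalize_path(path: str) -> str:
    """Expand a shortcut to its canonical form, or raise ValueError.

    Exact shortcut spellings are taken from the table; anything that is
    neither a shortcut nor an explicit /Tables/ or /Files/ path is rejected
    so a typo cannot silently turn into a grant on an unintended location.
    """
    p = path.strip()
    if p == "*":
        return "*"                      # everything: Tables + Files
    if p == "tables":
        return "/Tables/"
    if p == "files":
        return "/Files/"
    m = SCHEMA_WILDCARD.match(p)
    if m:
        return f"/Tables/{m.group(1)}"  # dbo.* -> /Tables/dbo

    # Explicit path: keep as-is, but only under the two known roots and
    # only if no segment is "..", which could otherwise climb out of them.
    if p.startswith("/Tables/") or p.startswith("/Files/"):
        if any(seg == ".." for seg in p.split("/")):
            raise ValueError(f"path traversal segment in {path!r}")
        return p
    raise ValueError(f"unrecognized path shortcut: {path!r}")


def normalize_paths(paths):
    """Normalize every path of a rule, failing closed on the first bad one."""
    return [normalize_path(p) for p in paths]


if __name__ == "__main__":
    for shortcut in ["*", "tables", "files", "dbo.*", "sales.*", "/Files/raw/"]:
        print(f"{shortcut!r:16} -> {normalize_path(shortcut)!r}")
```

Run `normalize_paths` over a rule's `paths` list during code review or in a pre-deployment check; a `ValueError` means the rule would not have mapped to any of the documented forms.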
## Row-Level Security

```python
from fabias import Rule, RowLevelSecurity, ReadWrite

rule = Rule(
    paths=["tables"],
    accessLevel=ReadWrite.READ,
    rowLevelSecurity=[
        RowLevelSecurity(
            table="Sales",
            filter="Region = 'West'"
        )
    ]
)
```
## Column-Level Security

```python
from fabias import Rule, ColumnLevelSecurity, ReadWrite

rule = Rule(
    paths=["tables"],
    accessLevel=ReadWrite.READ,
    columnLevelSecurity=[
        ColumnLevelSecurity(
            table="Employees",
            columns=["Salary", "SSN"]  # These columns are hidden
        )
    ]
)
```
## Member Types

### EntraMember

Grant access to Entra ID (Azure AD) principals:

```python
from fabias import EntraMember

# User or group by object ID
member = EntraMember("principal-guid")

# With explicit tenant
member = EntraMember(tenant="tenant-guid", object="principal-guid")
```
### FabricItem

Grant access based on item permissions (e.g., if a user can access a report, they can access the underlying data):

```python
from fabias import FabricItem, ItemAccess

member = FabricItem(
    access=[ItemAccess.READ, ItemAccess.EXECUTE]
)
```
## Listing Roles

```python
lakehouse = ws.lakehouse("Analytics")

for role in lakehouse.accessRoles():
    print(f"Role: {role.name}")
    for rule in role.rules:
        print(f"  - Paths: {rule.paths}, Access: {rule.accessLevel}")
```
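Listing roles is usually the first step of a least-privilege review. The added example below (not part of fabias) extends that loop into an audit that flags the patterns a reviewer would want to see: a role with no members, READWRITE granted on an all-tables, all-files or everything path, and a READ on `*` with no row- or column-level restriction at all. The `Role`/`Rule`/`ReadWrite` classes here are constructed stand-ins with the same attribute names as on this page so the audit runs offline; against the real library you would pass the objects returned by `lakehouse.accessRoles()` instead.

```python
"""Added example: audit OneLake role definitions for over-broad grants.
The dataclasses are stand-ins for fabias objects, constructed for this example."""
from dataclasses import dataclass, field
from enum import Enum


class ReadWrite(Enum):          # mirrors the member names used on this page
    READ = "Read"
    READWRITE = "ReadWrite"


# Shortcuts and their expansions that cover a whole root (see Path Shortcuts)
BROAD_PATHS = {"*", "tables", "files", "/Tables/", "/Files/"}


@dataclass
class Rule:
    paths: list
    accessLevel: ReadWrite
    rowLevelSecurity: list = field(default_factory=list)
    columnLevelSecurity: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    rules: list
    members: list               # member ids; placeholders in the sample below


def audit_role(role) -> list:
    """Return human-readable findings for one role (empty list = clean)."""
    findings = []
    if not role.members:
        findings.append(f"{role.name}: no members (stale role; remove or populate)")
    for rule in role.rules:
        broad = [p for p in rule.paths if p in BROAD_PATHS]
        if rule.accessLevel is ReadWrite.READWRITE and broad:
            findings.append(f"{role.name}: READWRITE on broad path(s) {broad}")
        unrestricted = not rule.rowLevelSecurity and not rule.columnLevelSecurity
        if rule.accessLevel is ReadWrite.READ and "*" in rule.paths and unrestricted:
            findings.append(f"{role.name}: unrestricted READ on everything (no RLS/CLS)")
    return findings


def audit_roles(roles) -> list:
    """Audit every role, in the order the listing loop would visit them."""
    return [finding for role in roles for finding in audit_role(role)]


# Constructed sample, not real role data. The first role is the one from
# "Creating Roles" above and should produce no findings.
SAMPLE_ROLES = [
    Role("DataAnalysts",
         [Rule(["tables"], ReadWrite.READ),
          Rule(["Files/reports"], ReadWrite.READWRITE)],
         ["analyst-group-guid", "individual-user-guid"]),
    Role("PipelineOwners", [Rule(["*"], ReadWrite.READWRITE)], ["pipeline-spn-guid"]),
    Role("LegacyReaders", [Rule(["tables"], ReadWrite.READ)], []),
    Role("AllStaff", [Rule(["*"], ReadWrite.READ)], ["staff-group-guid"]),
]

if __name__ == "__main__":
    for line in audit_roles(SAMPLE_ROLES):
        print(line)
```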