Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
As you build AI and analytic workloads, unifying your data from wherever it lives and making it accessible doesn't have to come at the cost of security. In fact, today we dive deeper into Microsoft's approach to data unification, accessibility, and security with OneLake, part of Microsoft Fabric, where we'll focus on OneLake's security control set and how it complements data discovery
(00:23):
via the new OneLake catalog. Now, in case you're new to OneLake and Microsoft Fabric, I'll start by explaining a few core concepts. OneLake is the logical multi-cloud data lake that is foundational to Microsoft Fabric, Microsoft's fully managed data analytics and AI platform. OneLake, with its support for open data formats, provides a single and unified place across your entire company for data to be discovered,
(00:45):
accessed, and controlled across your data estate. Data can reside anywhere, and you can connect to it using shortcuts or via mirroring. And once in OneLake, you have a single place where data can be centrally classified and labeled as the basis for policy controls. You can then configure granular, role-based permissions that can apply down to the folder level
(01:05):
for unstructured data and by table for structured data. Then all the way down to the column and row levels within each table. This way, security is enforced across all connected data. Meaning that whether you're accessing the data through Spark, Power BI, T-SQL, or any other engine, it's protected and you have the controls to allow or limit access to data on your terms.
(01:28):
In fact, let me show you a few examples for enforcing OneLake security at all of these levels. I'll start with an example showing OneLake security at the table level. I want to grant our suppliers team access to a specific table in this lakehouse. I'll create a OneLake security role to do that. So I'll just give it a name, SuppliersReaders. Then I'll choose selected data and find the table
(01:49):
that I want to share by expanding the table list, pick suppliers and then confirm. Now, I just need to assign the right users. I'll just add Mona in this case, and create the role. Then if I move over to Mona's experience, I can run queries against the supplier data in the SQL endpoint. But if I try to query any other table, I'm blocked, as you can see here.
(02:11):
Now, let me show you another option. This time, I'll lock access down to the column level. I want to grant our customer relations team access to the data they need, but I don't want to give them access to PII data. Using OneLake security controls, I can create a role that restricts access to sensitive columns. Like before, I'll name it. Then I need to select my data.
(02:33):
This time, I'll choose three different tables for customer and order data. But notice this grayed-out legacy orders table here that we would like to apply column security to as well. I don't own the permissions for this table because it's a shortcut to other data. However, the owner of that data can grant permission to it using the steps I'll show next.
(02:53):
From the role I just created, I'll expand on my tables. And for the customers table, I'll enable column security. Once I confirm, I can select the columns I want to remove and that we don't want them to see and save it. Now, let's look at the results of this from another engine, Power BI, while building a report. I'll choose a semantic model for my Power BI report.
(03:15):
With the column level security in place, notice the sensitive columns I removed before, contact name and address, are hidden from me. And when I expand the legacy orders table, which was a shortcut, it's also not showing PII columns. Now, some scenarios require that security controls are applied where records might be interspersed within the same table, so a row level filter is needed.
(03:36):
For example, our US-based HR team should only see data for US-based employees. I've created another security role with the right data selected, HRUS. Now, I'll move to my tables and choose from the options for this employees table and I'll select row security. Row level security in OneLake uses SQL statements
(03:56):
to limit what people can see. I'll do that here with a simple select statement to limit country to USA. Now, from the HR team's perspective, they can start to query the data using another engine, Spark, to analyze employer retention. But only across US-based employees, as you can see from the country column. And as mentioned, this applies to all engines,
(04:18):
no matter how you access it, including the Parquet files directly in OneLake. Next, let's move on to data classification options that can be used to inform policy controls. Here, the good news is the same labels you've defined in Microsoft Purview for your organization used in Microsoft 365 for emails, messaging, files, sites, and meetings can be applied to data items in OneLake.
(04:41):
Additionally, Microsoft Purview policy controls can be used to automatically label content in OneLake. And another benefit I can show you from the lineage view is label inheritance. Notice this Lakehouse is labeled Non-Business, as is NorthwindTest, but look at the connected data items on the right of NorthwindTest. They are also non-business.
(05:02):
If I move into the test lakehouse and apply a label either automatically or manually to my data, like I'm doing here, then I move back to the lineage view. My downstream data items like this model and the SQL analytics endpoint below it have automatically inherited the upstream label. So now we've explored OneLake security controls, their implementation, and enforcement,
(05:24):
let's look at how this works hand in hand with the OneLake catalog for data discovery and management. First, to know that you're in the right place, you can use branded domains to organize collections of data. I'll choose the sales domain. To get the data I want, I can see my items as the ones I own, endorsed items, and my favorites.
(05:46):
I can filter by workspace. And on top, I can select the type of data item that I'm looking for. Then if I move over to tags, I can find ones associated with cost centers, dates, or other collection types. Now, let's take a look at a data item. This shows me more detail, like the owner and location.
(06:07):
I can also see table schemas and more below. I can preview data within the tables directly from here. Then using the lineage tab, it shows me a list of connected and related items. Lastly, the monitor tab lets me track data refresh history. Now, let me show you how as a data owner you can view and manage these data items.
(06:27):
From the settings of this lakehouse, I can change its properties and metadata, such as the endorsement or update the sensitivity label. And as the data owner, I can also share it securely internally or even externally with approved recipients. I'll choose a colleague, dave@contoso.com, and share it.
(06:48):
Next, the govern tab in the OneLake catalog gives you even more control as a data owner, as well as recommendations to make data more secure and compliant. You'll find it on the OneLake catalog main page. This gives me key insights at a glance, like the number and type of items I own. And when I click into view more, I see additional information like my data hierarchy.
(07:10):
Below that, item inventory and data refresh status. Sensitivity label coverage gives me an idea of how compliant my data items are. And I can assess data completeness based on whether an item is properly tagged, described, and endorsed across the items I own. Back on the main view, I can see governance actions
(07:30):
tailored specifically to my data, like increasing sensitivity label coverage, and more. The OneLake catalog is integrated across Microsoft Fabric experiences to help people quickly discover the items they need. And it's also integrated with your favorite Office apps, including Microsoft Excel, where you can use the get data control to select and access data in OneLake.
(07:51):
And right in context, without leaving the app, you can define what you want and pull it directly into your Excel file for analysis. The OneLake catalog is the one place where you can discover the data that you want and manage the data that you own. And combined with OneLake security controls, you can do all of this without increasing your data security risks. To find out more and get started, check out our blog
(08:12):
at aka.ms/OneLakeSecurity. Also, be sure to sign up for a 60 day free trial at fabric.microsoft.com. And keep watching Mechanics for the latest updates across Microsoft, subscribe to our channel, and thanks for watching.