Fabric Security explained in a Layered Approach
As a SaaS service, Fabric offers a complete security package for the entire platform. The Fabric platform comprises experiences such as Lakehouse, Data Factory, Synapse Data Engineering, Synapse Data Warehouse, Power BI, and others. To understand security in Fabric, we have broken the Fabric components down into the following layers:
Data – Where the data actually resides inside Fabric (Warehouse/Lakehouse/Eventhouse/OneLake/Fabric clusters)
Items – These are the building blocks of the Fabric platform. They’re the objects that you create and manage in Fabric. There are different types of items, such as data warehouses, data pipelines, semantic models, reports, and dashboards.
Workspace – A logical collection of items that brings together different functionality in a single tenant. It acts as a container that draws on a capacity for the work that is executed in it, and it provides the controls for who can access the items it contains. For example, in a sales workspace, users associated with the sales organization can create a data warehouse, run notebooks, create semantic models, create reports, and so on.
Domain – A logical grouping of workspaces. Domains are used to organize items in a way that makes sense for your organization. You can group things together in a way that makes it easier for the right people to have access to the right workspaces. For example, you might have a domain for sales, another for marketing, and another for finance.
Capacity – A dedicated set of compute resources that is available to be used at a given time. A tenant can have one or more capacities associated with it. Capacity defines the ability of a resource to perform an activity or to produce output, and different items consume different amounts of capacity at any given time. Fabric offers capacity through Fabric SKUs and trials.
Tenant – A dedicated space for an organization to create, store, and manage Fabric items. There is usually a single instance of Fabric per organization, and it is aligned with the organization's Microsoft Entra ID tenant. The Fabric tenant maps to the root of OneLake and sits at the top level of the hierarchy. You can create any number of workspaces, which you can think of as folders, within a tenant.
OneLake – Microsoft Fabric Lake, also known as OneLake. There is one OneLake per tenant. It comes automatically with every Microsoft Fabric tenant and is designed to be the single place for all your analytics data. It is the unified storage layer for Fabric.
Power BI – Power BI is an online software service (SaaS, or Software as a Service) offered as part of Microsoft Fabric. It is the unified visualization layer for Fabric. When a Power BI report loads data from OneLake, the data travels over the internal Microsoft network rather than the public internet.
The security features covered for each layer are summarized below (Layer – Features):
Data Handling and Security – Encryption, Labelling, Customer Lockbox
Access Management – Authentication, Authorization, Workspace Identities, Guest user sharing
Item Security – Share item via link, Impact Analysis, Semantic Model, Data Warehouse, Lakehouse, Data Factory
Workspace Security – Workspace Roles, Access Management, Settings, Retention, Governance, Lineage, State
Domain Security – Domain Roles, Creation, Settings, Assignment, Endorsement, Auditing
Capacity Security – Tenant Concept and Settings, Capacity License and Features, Access Management, Consumption, Disaster Recovery
Power BI Security – Power BI Embedded Analytics, Row-level security, Object/Column-Level Security, Dynamic Data Masking
OneLake Security – Encryption, Restricted External Access, Shortcuts, Least Privilege, BCDR
Network Security – Private Endpoint, Private Links, Service Tags, URLs and Ports