| Security Feature | Fabric Lakehouse (March 2025) | Fabric Warehouse |
|---|---|---|
| Object-Level Security | Yes – via SQL grants on schemas/tables (T-SQL) learn.microsoft.com. OneLake security roles also allow table/folder-level access control in preview. | Yes – via SQL grants on schemas/tables (T-SQL) learn.microsoft.com. Workspace role or item permission needed to connect. |
| Row-Level Security (RLS) | Yes – supported on Lakehouse SQL endpoint via SECURITY POLICY (same as Warehouse) learn.microsoft.com. In preview, OneLake security roles can filter rows across all engines microsoft.com. | Yes – supported via T-SQL SECURITY POLICY (like SQL Server) learn.microsoft.com. Enforced on all queries; Direct Lake queries will switch to DirectQuery to honor RLS learn.microsoft.com. |
| Column-Level Security (CLS) | Yes – supported on SQL endpoint via GRANT SELECT on specific columns learn.microsoft.com. OneLake security roles can restrict column access (preview) microsoft.com. | Yes – supported via column-level GRANT/DENY on Warehouse tables learn.microsoft.com. (Direct Lake reports will respect CLS by using DirectQuery mode learn.microsoft.com.) |
| Dynamic Data Masking | No – not currently available on Lakehouse (n/a in Spark). | Yes – supports Dynamic Data Masking to obscure sensitive data at query time learn.microsoft.com. |
Created
April 1, 2025 17:39
-
-
Save BryantAvey/7052b80a12b92c2cbaf64109df3f4174 to your computer and use it in GitHub Desktop.
Security Feature Support in Fabric Lakehouse vs. Warehouse as of March 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment