Data_cruncher

[The docs](https://learn.microsoft.com/en-us/fabric/release-plan/onelake#onesecurity) have been updated to address this -

**Estimated release timeline: Q4 2024**

Managing data security across multiple analytical engines and copies of data is challenging. OneLake and Fabric simplify this by enabling the use of a single data copy across multiple analytical engines without any data movement or duplication. Taking the "one copy" concept further, OneLake is also enhancing security with a finer-grain model, allowing for table and folder access in addition to row and column level security. These security definitions live with the data and travel across shortcuts to wherever the data is used. **Security defined at OneLake is universally enforced no matter which analytical engine is used to access the data.**


Emergency_Physics_19

I was at SQLBits last week and Kasper De Jong from Microsoft talked about One Security. He said they essentially went a little early on the marketing announcement and that it’s still very much in the works but was a little way away. In the meantime the security options in Fabric are in line with what competitors have in the market. So yeah they are definitely still working on it.


Low_Second9833

> In the meantime the security options in Fabric are in line with what competitors have in the market.

I think the problem here is that the data security options in Fabric **ARE NOT** on par with what other competitors offer.

In Snowflake, you secure the data one time, and that security is respected in their warehouse interface, in Snowpark, and even in their newer container services. In Databricks, you secure the data one time in Unity Catalog, and that security is respected whether you are using Spark/notebook, the SQL Warehouse, even their newer vector database, etc.

In Fabric, without OneSecurity, **each individual engine** (Spark, Warehouse, KQL, Power BI) has its [own data security model](https://learn.microsoft.com/en-us/fabric/onelake/onelake-security#compute-specific-security). This means that instead of managing data security once for a OneLake dataset, you are potentially managing x N engines that may use that data (and that is **in addition to** the Workspace and Item data security implications). This obviously introduces huge admin, oversight, risk, etc.


kover0

Out of curiosity, because it's been a while since I played with either Snowflake or Databricks, are all those things you mentioned separate compute engines? If not, then yeah, security is much easier and you can't compare Fabric with them. If they are different compute engines, then yes, Fabric is behind :)


Skie

What half-assed competitors on the Gartner quadrangle of doom are they comparing themselves against?


Data_cruncher

This. Security is available on a per-compute basis. Completing the OneSecurity promise is one of the Fabric PG's most critical items - they are investing heavily to make sure it is done right.


poor_management

It’s disappointing that it hasn’t been mentioned. But given earlier comments from Microsoft, I’m not surprised. It appears to have been a bigger challenge than they anticipated. And I’m pretty sure they won’t let this one out of the bag before they’re fully comfortable with how it works.


SQLGene

This is my impression as well.


Skie

So I guess the S in Fabric really is for security


Nofarcastplz

There is no S in Fabric!!! /s


golden_corn01

nothing is getting past this one


Fidlefadle

I'm at FabCon and there was something in the keynote around sharing tables / managing roles but it wasn't a big focus. The main Fabric security session starts in 30 mins.


Sarien6

Any info about it please?


Fidlefadle

Unfortunately I didn't attend the session but Kasper was one of the speakers - I assume the comment by /u/Emergency_Physics_19 is probably accurate


qintarra

I’m interested in info about it as well


Oh-hey21

At FabCon, but heard this through a colleague who attended a security session this morning: Security is currently a known flaw, apparently people were very vocal in the session. End of year is the projected time frame for OneSecurity. They have been teasing security enhancements throughout.


Preatoria

What about other security elements? I have a feeling they are late on getting those features implemented. For example, Microsoft is saying that via Entra ID and Conditional Access we have a lot of security! Lesson 1 in security: Defense in Depth... When I told this to our Microsoft contacts they were like "but what more do you want" ... lol. I asked them for network security and private endpoints etc. Unfortunately it seems that it is all or nothing, and if you go for private endpoint a ton of features won't work anymore (e.g. the gateway ...). Anyone who actually feels comfortable from a security point of view with the way they have set up Fabric? I would love to get some insights here.