Audience: IT Admin, Data Architect, Platform Owner. This section covers data governance frameworks, Microsoft Purview integration, security models, workspace roles, RLS/CLS, and network security in Fabric.
Governance
Establishing data governance, cataloging, quality, and trust across your Fabric environment.
Governance Framework
Effective governance in Fabric combines Microsoft Purview for cataloging and lineage, endorsement for trust signals, sensitivity labels for data protection, and organizational policies for access control.
Microsoft Purview Integration
- Data Catalog: Automatically discovers and catalogs all Fabric artifacts (lakehouses, warehouses, reports)
- Data Lineage: Visual, end-to-end lineage from source ingestion through transformation to Power BI reports
- Data Map: Browse and search across your entire data estate
- Glossary: Define business terms and link them to technical assets
Data Domains & Ownership
Organize your Fabric workspaces into logical domains (e.g., Finance, HR, Marketing) to align with business ownership.
- Assign a domain owner responsible for data quality and access within their domain
- Use the Fabric domains feature to tag workspaces by business area
- Establish a data stewardship model — stewards per domain for hands-on governance
Endorsement
Fabric provides two endorsement levels to signal trust in artifacts:
Promoted
Workspace members can promote artifacts to indicate they're ready for broader use. A lightweight signal that says "this is reliable."
Certified
Only designated reviewers can certify artifacts. This is the highest trust level — it means the artifact meets organizational quality and governance standards.
Establish a certification process: define criteria (documentation, testing, data quality checks) that an artifact must pass before being certified. Only Gold-layer datasets and production reports should be certified.
Sensitivity Labels
Microsoft Information Protection (MIP) sensitivity labels can be applied to Fabric artifacts to classify and protect data:
- Labels flow downstream automatically — if a lakehouse is labeled "Confidential," reports built on it inherit the label
- Labels can enforce encryption and access restrictions on exported data
- Integrates with Microsoft 365 compliance center and DLP policies
Data Quality
- Implement data quality rules in notebooks (Great Expectations, custom Spark checks)
- Use Delta Lake constraints (NOT NULL, CHECK) for schema-level enforcement
- Set up monitoring and alerting for data freshness, completeness, and accuracy
- Create a data quality dashboard in Power BI for visibility
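The Delta Lake constraints and freshness monitoring described above, as an added Spark SQL example for a Fabric notebook (not code from the original page); the table name, columns and region codes are assumed.

```sql
-- Spark SQL in a Fabric notebook (%%sql cell). Table and column names are assumed.
-- Gold-layer table with schema-level enforcement: NOT NULL on keys, CHECK on values.
CREATE TABLE IF NOT EXISTS gold_sales_orders (
  order_id   STRING NOT NULL,
  region     STRING NOT NULL,
  amount     DECIMAL(18, 2),
  order_date DATE,
  loaded_at  TIMESTAMP
) USING DELTA;

-- CHECK constraints reject bad rows at write time instead of leaving them for reports to find.
ALTER TABLE gold_sales_orders ADD CONSTRAINT amount_non_negative CHECK (amount >= 0);
ALTER TABLE gold_sales_orders ADD CONSTRAINT region_known
  CHECK (region IN ('EMEA', 'AMER', 'APAC'));

-- A write like this fails with a constraint violation (negative amount) and nothing is committed:
-- INSERT INTO gold_sales_orders VALUES ('o-1', 'EMEA', -5.00, DATE '2024-01-15', current_timestamp());

-- Freshness and completeness checks for a monitoring notebook; alert when any flag is 1.
SELECT
  CASE WHEN max(loaded_at) < current_timestamp() - INTERVAL 1 DAY THEN 1 ELSE 0 END AS stale_flag,
  CASE WHEN count(*) = 0 THEN 1 ELSE 0 END AS empty_flag,
  sum(CASE WHEN order_date IS NULL THEN 1 ELSE 0 END) AS missing_order_date,
  count(*) AS row_count
FROM gold_sales_orders;

-- Constraints are stored as table properties (delta.constraints.*), so a governance
-- check can verify they are still in place rather than trusting documentation.
SHOW TBLPROPERTIES gold_sales_orders;
```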
Security
Securing your data at every layer — from workspace access to row-level permissions.
Security Model Overview
Fabric implements a defense-in-depth approach with multiple security layers: identity, workspace, item, data, and network.
Workspace Roles
Every workspace has four built-in roles that control what users can do:
| Role | Permissions | Typical Assignment |
|---|---|---|
| Admin | Full control: manage access, delete workspace, configure settings | Workspace owners, IT admins |
| Member | Create, edit, delete artifacts; publish reports; share items | Data engineers, developers |
| Contributor | Create and edit artifacts, but cannot share or manage access | Analysts, junior developers |
| Viewer | View and interact with artifacts (read-only) | Business users, stakeholders |
Data-Level Security
Row-Level Security (RLS)
RLS restricts data access at the row level based on user identity. Configure RLS in Power BI semantic models or Warehouse T-SQL:
```sql
-- Create a security predicate function
CREATE FUNCTION dbo.fn_security_predicate(@Region AS nvarchar(50))
RETURNS TABLE WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS result
    WHERE @Region = USER_NAME() OR USER_NAME() = 'admin@contoso.com';

-- Apply security policy to a table
CREATE SECURITY POLICY RegionFilter
    ADD FILTER PREDICATE dbo.fn_security_predicate(Region) ON dbo.SalesData
    WITH (STATE = ON);
```
Column-Level Security (CLS)
CLS restricts access to specific columns. Use GRANT and DENY statements on individual columns in Fabric Warehouse:
```sql
-- Deny access to salary column for a specific role
DENY SELECT ON dbo.Employees(Salary) TO [LimitedAccess];

-- Grant access to only specific columns
GRANT SELECT ON dbo.Employees(EmployeeId, Name, Department) TO [LimitedAccess];
```
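The RLS and CLS patterns above, carried further in one added T-SQL example for a Fabric Warehouse (not code from the original page): the region assignment lives in a mapping table instead of being hard-coded in the predicate, a column DENY sits beside the table GRANT, and two catalog queries list what is enforced. The tables, the [RegionalAnalysts] role (assumed to already exist) and the user accounts are assumed.

```sql
-- T-SQL for a Fabric Warehouse. Table, role and account names are assumed.
-- 1. Keep user-to-region assignments in a table instead of hard-coding accounts in the
--    predicate, so an access change is an auditable data change, not a schema change.
CREATE TABLE dbo.UserRegionMap (
    UserPrincipalName nvarchar(256) NOT NULL,
    Region            nvarchar(50)  NOT NULL
);
INSERT INTO dbo.UserRegionMap VALUES
    ('alice@contoso.com', 'EMEA'),
    ('bob@contoso.com',   'AMER'),
    ('bob@contoso.com',   'APAC');   -- one user may be mapped to several regions

-- 2. The predicate returns a row only when the current user is mapped to the row's region.
--    A user with no mapping row sees nothing (deny by default).
--    Analysts get no direct grant on dbo.UserRegionMap, so they cannot enumerate other
--    users' assignments; the predicate reads it on their behalf.
CREATE FUNCTION dbo.fn_region_predicate(@Region AS nvarchar(50))
RETURNS TABLE WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS result
    FROM dbo.UserRegionMap m
    WHERE m.Region = @Region
      AND m.UserPrincipalName = USER_NAME();

CREATE SECURITY POLICY dbo.SalesRegionPolicy
    ADD FILTER PREDICATE dbo.fn_region_predicate(Region) ON dbo.SalesData
    WITH (STATE = ON);

-- 3. CLS: an explicit DENY on the sensitive column overrides the table-level GRANT,
--    so the role reads every other column but never CustomerEmail.
GRANT SELECT ON dbo.SalesData TO [RegionalAnalysts];
DENY  SELECT ON dbo.SalesData(CustomerEmail) TO [RegionalAnalysts];

-- 4. Audit queries for the quarterly access review: every policy with its predicate,
--    and every column-level DENY, to compare against what was approved.
SELECT p.name AS policy_name, p.is_enabled,
       OBJECT_NAME(sp.target_object_id) AS protected_table, sp.predicate_definition
FROM sys.security_policies p
JOIN sys.security_predicates sp ON sp.object_id = p.object_id;

SELECT OBJECT_NAME(dp.major_id) AS table_name, c.name AS column_name,
       USER_NAME(dp.grantee_principal_id) AS grantee, dp.state_desc, dp.permission_name
FROM sys.database_permissions dp
JOIN sys.columns c ON c.object_id = dp.major_id AND c.column_id = dp.minor_id
WHERE dp.minor_id > 0 AND dp.state_desc = 'DENY';
```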
OneLake Data Access Roles
OneLake data access roles provide fine-grained access control at the folder level within a lakehouse. You can restrict users to specific folders or tables without granting access to the entire lakehouse.
Network Security
- Private Endpoints: Connect to Fabric from your private network over Azure Private Link
- Managed Virtual Networks: Fabric Spark can run within a managed VNet, ensuring outbound traffic is controlled
- Trusted workspace access: Allow specific workspaces to access firewalled storage accounts
- Conditional Access: Use Entra ID conditional access policies to control how and from where users access Fabric
Security Checklist
- [ ] Enable Entra ID Conditional Access
- [ ] Implement RLS on all customer-facing reports
- [ ] Use service principals (not user accounts) for automation
- [ ] Enable audit logs
- [ ] Apply sensitivity labels
- [ ] Review workspace access quarterly