...
- Azure RBAC can grant broad access to a storage account or container, while ACLs secure individual directories and files.
- In Fabric, OneLake security roles can grant access only to specific folders or tables, while Admins, Members, and Contributors generally retain broad access within the item
...
SYSM-388 - Evaluate security implications of ADLS Gen2 shortcuts in Fabric
Jira server Syensqo's Jira columnIds issuekey,summary,issuetype,created,updated,duedate,assignee,reporter,customfield_13736,priority,status,resolution columns key,summary,type,created,updated,due,assignee,reporter,Priority,priority,status,resolution serverId d8efc1ef-48bd-3b4e-8714-ad827f4f059b key SYSM-389
Shortcut-specific access model
| Question | Practical answer |
|---|---|
| Who authenticates to ADLS? | The identity configured on the shortcut |
| Who authorizes storage access? | Azure ADLS |
| Who authorizes visibility in Fabric? | Fabric workspace/item permissions and, when enabled, OneLake security |
| What happens if both layers apply? | The effective access is constrained by both layers; for shortcuts, Fabric documents a most-restrictive logic between shortcut path and target path |
| Is behavior identical across engines? | No; some scenarios use delegated identity differently, including owner-based access patterns in specific engines |
Access flow
| Layer | What it controls | Examples |
|---|---|---|
| Fabric layer | Who can see and use the shortcut inside Fabric | Workspace role, item access, OneLake security |
| Shortcut layer | Which identity is used to reach ADLS | Workspace Identity, Service Principal, Organizational account, SAS, Account Key |
| Azure layer | Whether the target storage path can actually be read | RBAC, ACL, firewall / trusted access |
...
Shortcut authentification models
Delegated shortcuts access data by using some intermediate credential, such as another user or an account key.
These shortcuts allow for permission management to be separated or 'delegated' to another team or downstream user to manage.
Delegated shortcuts always break the flow of security from one system to another.
...
Latency consideration
Latency view
| Dimension | What it means | Shortcut impact |
|---|---|---|
| Exposure latency | Time to make data available in Fabric | Low, because no ingestion copy is required. (Microsoft Learn) |
| First-read latency | Time for the first query/read to access ADLS data | Can be higher than fully ingested local data because Fabric still reads the external target. (Microsoft Learn) |
| Repeated-read latency | Time for subsequent reads of the same data | Often improved when cache is used. (Microsoft Learn) |
| Refresh latency | Delay before changes in ADLS are reflected | Depends on engine and cache refresh behavior; Spark intelligent cache automatically detects underlying file changes. (Microsoft Learn) |
Cache Solution for Shortcuts
Mecanism
Settings
| Info |
|---|
Shortcut caching currently supports Google Cloud Storage (GCS), S3, S3 compatible, and on-premises data gateway shortcuts. |
