fabric-cli

acl examples

Supported commands: fab acl -h

• Listing workspace permissions
• Listing item permissions
• Listing OneLake permissions for Lakehouse
• Getting and querying workspace permission details
• Getting and querying item permission details
• Getting and querying OneLake permissions details for Lakehouse
• Removing workpace permissions
• Adding workspace permission

See also:

• Managing workspaces
• Managing items

Listing workspace permissions

List workspace permissions and their details using -l.

fab:/$ acl ls ws1.Workspace
fab:/$ acl ls ws1.Workspace -l

Listing item permissions

List item permissions and their details using -l.

fab:/$ acl ls ws1.Workspace/lh1.Lakehouse
fab:/$ acl ls ws1.Workspace/lh1.Lakehouse -l

Listing OneLake permissions for Lakehouse

Manage OneLake RBAC permissions for Lakehouse. Include details with -l. All paths are always returned.

fab:/$ acl ls ws1.Workspace/lh1.Lakehouse/Files
fab:/$ acl ls ws1.Workspace/lh1.Lakehouse/Files -l

Getting workspace permission details

Retrieve and query workspace permissions with -q (JMESPath query). Output the result to a local path or Lakehouse/Files with -o.

# get JSON properties
fab:/$ acl get ws1.Workspace

# query using JMESPath
fab:/$ acl get ws1.Workspace -q [*].principal

# export JMESPath query result
fab:/$ acl get ws1.Workspace -q [*].principal -o /tmp 

# export to Lakehouse using relative path
fab:/$ cd ws1.Workspace
* Switched to 'ws1.Workspace'
fab:/ws1.Workspace$ acl get . -q [*].principal -o lh1.Lakehouse/Files

Getting item permission details

Retrieve and query item permissions with -q (JMESPath query). Output the result to a local path or Lakehouse/Files with -o.

# get JSON properties
fab:/$ acl get ws1.Workspace/lh1.Lakehouse

# query using JMESPath
fab:/$ acl get ws1.Workspace/lh1.Lakehouse -q [*].principal

# export JSON properties
fab:/$ acl get ws1.Workspace/lh1.Lakehouse -o /tmp

# export to Lakehouse using absolute path
fab:/$ acl get ws1.Workspace/lh1.Lakehouse -o /ws1.Workspace/lh1.Lakehouse/Files

Getting OneLake permissions details for Lakehouse

Retrieve and query OneLake RBAC permissions with -q (JMESPath query). Output the result to a local path or Lakehouse/Files with -o.

# get JSON properties
fab:/$ acl get ws1.Workspace/lh1.Lakehouse/Files

# query using JMESPath
fab:/$ acl get ws1.Workspace/lh1.Lakehouse/Files -q [].members

# export JMESPath query result
fab:/$ acl get ws1.Workspace/lh1.Lakehouse/Files -q [].members -o /tmp

Removing workpace permissions

Remove a user, service principal or security group from a workspace. Use the user email, security group name, clientId, or objectId with -I. Use -f to force.

# remove security group
fab:/$ acl rm ws1.Workspace -I fabgroup1 -f

# remove user
fab:/$ acl rm ws1.Workspace -I fabcli@microsoft.com

Adding workspace permission

Grant workspace permission to a user, service principal, or security group. Use the objectId with -I. Use -f to force.

fab:/$ acl set ws1.Workspace -I 45376d08-6d94-4875-89e9-ec4020ee4830 -R contributor -f
fab:/$ acl set ws1.Workspace -I 45376d08-6d94-4875-89e9-ec4020ee4830 -R viewer

See all examples