Establishing Data Mesh architectural pattern with Domains and OneLake on Microsoft Fabric

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

Overview

Data mesh is a type of decentralized data architecture that organizes data based on different business domains such as marketing, sales, human resources, etc. Microsoft Fabric's data mesh architecture supports this approach by allowing data to be grouped into domains. It also enables decentralized governance, giving each business unit or department some level of ability to set their own rules and restrictions for data management based on their unique needs.

In Microsoft Fabric, a domain is a way of organizing and grouping data that is related to a specific area or field within an organization. This is commonly done by grouping data based on business departments, allowing each department to manage their data according to their own regulations and needs. Domains are associated with workspaces, so when a workspace is assigned to a domain, all the items within that workspace is also linked to the domain and have a domain attribute in their metadata.

Domain roles

There are three roles involved in domains:

Fabric admins (or higher) can create and edit domains, specify domain admins and contributors, and associate workspaces with domains. They can also see, edit, and delete all domains in the admin portal.

Domain admins are the business owners or experts of a domain. They can update the domain description, define contributors, and associate workspaces with the domain. They also can define and update the domain image and override tenant settings for any specific settings the tenant admin has delegated to the domain level. They can't delete the domain, change the domain name, or add/delete other domain admins. they can only see and edit the domains they're admins of.

Domain contributors are workspace admins who can associate their workspaces with a domain or change the current domain association. They don’t have access to the Domains page in the admin portal. A domain contributor must be a workspace admin.

Refer Domains to learn more about the domains in Microsoft fabric.

Create and configure Domains- highlighting Fabric Domain roles.

As a Fabric Admin login into Fabric, Open the admin portal from settings and select Domains.

Provide a Domain name (mandatory) and a description for the domain and Select Apply

Add the Domain Admins and Select Apply, here we select an Azure AD group for the Domain Admins.

As a user who is member of the Domain Admin AAD group (provided access in earlier step) login into Fabric, Open the admin portal from settings and select Domains

Edit the domain, add the domain image and select the appropriate option on "Set who can add or remove workspaces from the domain". Add and apply the domain contributor (workspace admin).

The domain admins and Fabric admins can override tenant-level settings that have been delegated to the domain level On the Delegated Settings tab.

As the domain contributor (workspace admin) log in to fabric and assign the workspace to specific domain from workspace settings

Once a workspace is assigned to a domain, the domain icon is displayed alongside the workspace name.

Domain image in OneLake data hub

The Domain image created as part of the Domains configuration process makes it easier for people to recognize the domain. when a domain is selected in OneLake data hub the domain image will become part of the theme of the data hub and displays only the artifacts belonging to that domain.

Sharing domain artifacts with other domains via OneLake shortcuts in lakehouse

Domain users can share lakehouse with other domain users without giving access to workspace and other artifacts.
Shortcuts in lakehouse allow users to reference data without copying it.
Sharing lakehouse and using shortcuts can make other domain data available locally without the need for copying data.

Learn more about OneLake , Refer Sharing lakehouse to learn more about the lakehouse sharing and refer shortcuts in lakehouse to learn more about lakehouse shortcuts

Using the share icon of the lakehouse , share the lakehouse with other domain users.

Once Shared, From the local domain Lakehouse explorer choose the "New shortcut" icon from the tables section and select the shared domains lakehouse table to create a shortcut, the other domain data is now available locally without the need for copying data.

Object-level granular permissions in Microsoft Fabric SQL Endpoint and Warehouse

In order to provide granular permissions at an object level in SQL Endpoint and Warehouse (SQL specific workloads).

Using the share icon of the warehouse, share the warehouse with other domain users, ensure no "Additional Permissions" are provided when sharing.

Open the warehouse and provide access to only the required Objects to the user using the GRANT SELECT statement. In the image below access has been provided to a single table in the warehouse

The user who was provided access can login into the warehouse using the connection string and can see only the table which access was provided using GRANT SELECT

Learn more about SQL granular permissions

Summary

In conclusion, this guide provides the steps to establish a Data Mesh architectural pattern with Domains and OneLake on Microsoft Fabric, sharing domain data with other domains via OneLake shortcuts in lakehouse and providing granular permissions at an object level in SQL Endpoint and Warehouse.