Fabric Infrastructure and Security - OneLake security and workspace automation for Microsoft Fabric
Project description
fabias - Fabric Infrastructure and Security
OneLake security and workspace automation for Microsoft Fabric. Works seamlessly both inside Fabric notebooks and as a standalone library.
Full documentation at fabias.pages.dev
Why fabias?
Microsoft Fabric has no official Python SDK. The CLI is limited. fabias fills the gaps:
- OneLake ABAC Security - Table/row/column-level access control as code
- Workspace Automation - Create workspaces, assign roles, configure Spark
- CI/CD Ready - Works outside Fabric for GitHub Actions and automation scripts
- Hybrid Runtime - Same code runs in notebooks and standalone
Installation
pip install fabias
Quick Start
Inside Microsoft Fabric
Authentication is automatic:
import fabias
ws = fabias.workspace() # Current workspace
pipeline = ws.pipeline("Daily ETL")
job = pipeline.run()
job.wait()
Standalone Usage
import fabias
from fabias import ServicePrincipalAuth
auth = ServicePrincipalAuth(
tenant_id="your-tenant-id",
client_id="your-client-id",
client_secret="your-client-secret"
)
fabias.client(auth=auth)
ws = fabias.workspace("Analytics")
lakehouse = ws.lakehouse("Gold")
OneLake Data Access Roles (ABAC Security)
The killer feature. Define lakehouse security as code:
import fabias
from fabias import Role, Rule, EntraMember, FabricItem, ReadWrite, ItemAccess
from fabias import RowLevelSecurity, ColumnLevelSecurity
ws = fabias.workspace("Analytics")
lakehouse = ws.lakehouse("Sales")
# Regional managers: read-only with row filter
regional_role = Role(
name="Regional Managers",
rules=[
Rule(
path=["dbo.sales"],
access=ReadWrite.READ,
rls=RowLevelSecurity("region = 'West'")
)
],
members=[EntraMember("managers-group-guid")]
)
# Data engineers: full access inherited from workspace permissions
engineer_role = Role(
name="Data Engineers",
rules=[Rule(path=["*"], access=ReadWrite.READWRITE)],
members=[FabricItem(access=[ItemAccess.READALL])]
)
# Apply roles
lakehouse.accessRoles.replace([regional_role, engineer_role])
Workspace Operations
import fabias
# List workspaces
for ws in fabias.workspaces():
print(f"{ws.name}: {ws.id}")
# Create workspace
new_ws = fabias.workspaces.add("Feature Branch", capacity_id="...")
# Role assignments
new_ws.roleAssignments.add(
principalId="spn-guid",
principalType="ServicePrincipal",
role="Admin"
)
# Access items
pipelines = ws.pipelines()
lakehouses = ws.lakehouses()
notebooks = ws.notebooks()
Git Integration
ws = fabias.workspace("GENESIS")
# Check status
status = ws.git.status()
print(f"Synced: {status.is_synced}")
# Pull from Git
if status.has_changes:
ws.git.updateFromGit().wait()
Connections
# List connections
for conn in fabias.connections():
print(f"{conn.name}: {conn.connectivity_type}")
# Manage access
conn = fabias.connection("SQL Server")
conn.roleAssignments.add(principalId="user-guid", principalType="User", role="Owner")
Spark Settings
ws = fabias.workspace("Analytics")
# Configure workspace Spark
settings = ws.spark.settings
settings.highConcurrency.enabled = True
settings.pool.starterPool.maxNodes = 10
settings.commit()
Additional Modules
Azure Data Factory
from fabias.integrations import adf
from fabias import ServicePrincipalAuth
adf.client(
subscription_id="...",
resource_group="rg-name",
factory="adf-name",
auth=ServicePrincipalAuth(...)
)
job = adf.pipeline("ETL").run(date="2026-01-01")
job.wait()
Key Vault Secrets
from fabias.integrations import keyvault
# Inside Fabric (auth is automatic)
keyvault.client(vault_url="https://my-vault.vault.azure.net/")
password = keyvault.get("database-password")
Teams Messaging
from fabias.notifications import teams
from fabias.notifications.cards import Adaptive, TextBlock
teams.client(team_id="...", channel_id="...", auth=...)
teams.send(Adaptive(body=[TextBlock("Deployment complete!")]))
Authentication Methods
| Method | Use Case |
|---|---|
| Automatic | Inside Fabric notebooks |
ServicePrincipalAuth |
CI/CD, automation scripts |
| Environment variables | AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET |
| From Key Vault | Bootstrap from secrets |
Requirements
- Python 3.9+
requests- Inside Fabric:
notebookutils(pre-installed)
License
MIT
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
fabias-1.0.20.tar.gz
(142.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
fabias-1.0.20-py3-none-any.whl
(140.1 kB
view details)
File details
Details for the file fabias-1.0.20.tar.gz.
File metadata
- Download URL: fabias-1.0.20.tar.gz
- Upload date:
- Size: 142.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7b8d3491f325b4bdc17ad80bfb92bbd7b1ce83aedca5b0dbc97d72a09cf2182a
|
|
| MD5 |
05d628cb7e19a4ce10e9c16d35588551
|
|
| BLAKE2b-256 |
d7f59363fb526f33c909c0e34280a12cbfe0a579645839d5ae43fdd2d3504414
|
File details
Details for the file fabias-1.0.20-py3-none-any.whl.
File metadata
- Download URL: fabias-1.0.20-py3-none-any.whl
- Upload date:
- Size: 140.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
55d83e9a2c0ae307dce5b62d5a334889b7c87436e3f25a619ea3dea0633b5983
|
|
| MD5 |
0c47ce89b1084e54fed6ef1cfea8100b
|
|
| BLAKE2b-256 |
74564b7ce385719565eee1ad4dc4444f6a97ec6ef69b7d4ddbf3102e8666a734
|
