Unified governance CLI and SDK for Microsoft Fabric — discovery, access control, lineage, and catalog management in one interface. Bridges Fabric, Purview, and Databricks Unity Catalog.
Project description
fabric-catalog
Unified governance for Microsoft Fabric — the missing Unity Catalog.
fabric-catalog is a CLI and Python SDK that unifies governance across Microsoft Fabric, Purview, and Databricks Unity Catalog. Define policies once in YAML. Enforce them everywhere. Search, grant, revoke, trace lineage, and sync permissions — one tool, all backends.
The Problem
Databricks has Unity Catalog: one namespace, one permission model, one CLI. Microsoft has Purview + OneLake Catalog + workspace RBAC + OneLake data access roles — five different systems with five different interaction models that don't behave as a unified whole.
fabric-catalog fixes this. It provides a single policy engine that treats Fabric, Purview, and Databricks as enforcement backends rather than independent products.
Install
pip install fabric-catalog
# With Databricks Unity Catalog support
pip install fabric-catalog[databricks]
# Everything
pip install fabric-catalog[all]
Policy-as-Code
Define your governance posture in YAML. Commit it to git. Review changes in CI. Apply across all backends.
# governance.yaml
version: "1"
policies:
- name: analysts-read
assets:
- pattern: "my-workspace.production-lakehouse.*"
principals:
- name: analysts@example.com
type: group
level: read
column_masks:
- column: ssn
mask: redact
- column: account_number
mask: hash
except_principals:
- compliance@example.com
row_filters:
- condition: "region = 'US'"
principals:
- us-analysts@example.com
# Validate the manifest
fc policy validate governance.yaml
# Preview what changes would be applied (dry run)
fc policy plan governance.yaml
# Apply across Fabric + Purview + Unity Catalog
fc policy apply governance.yaml
The policy compiler decomposes each policy into the correct backend-specific grants: workspace RBAC roles, OneLake data access roles, Purview policies, and UC GRANT statements — automatically.
CLI
# Search across all backends
fc search "customer_transactions"
# List assets
fc ls my_workspace
fc ls my_catalog.my_schema --backend databricks
# View permissions (aggregated across all backends)
fc permissions show my_workspace.lakehouse.customers
# Grant / Revoke
fc grant my_workspace.lakehouse.customers user@example.com read
fc revoke my_workspace.lakehouse.customers user@example.com
# Lineage (merged from Purview + Fabric + UC)
fc lineage my_workspace.lakehouse.customers --direction upstream --depth 3
# Sync permissions between Fabric and Unity Catalog
fc diff --mapping-file mappings.json
fc sync --direction fabric_to_uc --dry-run
fc sync --direction fabric_to_uc --apply
Python SDK
from fabric_catalog.facade import CatalogFacade
from fabric_catalog.models import PermissionLevel
async with CatalogFacade() as catalog:
# Search everywhere
results = await catalog.search("transactions")
# Grant with one command — auto-routes to the right backend
await catalog.grant(
"workspace.lakehouse.transactions",
"analyst@example.com",
PermissionLevel.READ,
)
# Lineage across backends
lineage = await catalog.lineage("workspace.lakehouse.transactions")
# UC Bridge: sync permissions
catalog.add_sync_mapping(
"workspace.lakehouse.transactions",
"catalog.schema.transactions",
)
report = await catalog.sync(direction="fabric_to_uc", dry_run=True)
print(report.summary)
MCP Server
fabric-catalog exposes itself as an MCP server, enabling AI agents to discover assets, check permissions, trace lineage, and manage governance through natural language.
Available tools: catalog_search, catalog_get, catalog_permissions, catalog_lineage, catalog_policy_check, catalog_list.
Architecture
┌──────────────────────────────────────────────────┐
│ CLI (fc) │
│ search │ ls │ grant │ revoke │ lineage │
│ sync │ diff │ policy plan │ policy apply │
├──────────────────────────────────────────────────┤
│ Policy Engine │
│ YAML manifest → compiler → execution plan │
│ drift detection │ column masks │ row filters │
├──────────────────────────────────────────────────┤
│ CatalogFacade │
│ concurrent fan-out │ merge │ deduplicate │
├──────────┬──────────┬──────────┬─────────────────┤
│ Fabric │ Purview │Databricks│ UC Bridge │
│ Client │ Client │ Client │ (perm sync) │
├──────────┴──────────┴──────────┴─────────────────┤
│ Unified Models │
│ CatalogAsset │ Permission │ LineageGraph │
│ GovernancePolicy │ CompiledPlan │ SyncReport │
├──────────────────────────────────────────────────┤
│ MCP Server │
│ AI agent interface for governance │
└──────────────────────────────────────────────────┘
Backend Capabilities
| Capability | Fabric | Purview | Databricks UC |
|---|---|---|---|
| Discovery | ✅ Workspace items, tables | ✅ Data Catalog search | ✅ Catalogs, schemas, tables |
| Access Control | ✅ Workspace RBAC, OneLake roles | 🔜 Phase 2 | ✅ UC grants |
| Lineage | ⚠️ Limited native | ✅ Data Map | ✅ System tables |
| Column Masking | ✅ via policy engine | ✅ sensitivity labels | ✅ UC column masks |
| Row Filters | ✅ via policy engine | — | ✅ UC row filters |
| Sync Bridge | ✅ Source/target | — | ✅ Source/target |
Example Templates
Industry-specific governance templates are included in examples/:
energy-governance.yaml— Well data, subsurface engineering, regional access controlsfinancial-services-governance.yaml— PII masking, transaction access, compliance overrideshealthcare-governance.yaml— HIPAA-aligned PHI masking, research de-identification, consent filters
Use these as starting points and adapt to your organization.
Configuration
# Interactive setup
fc config init
# Or set environment variables
export FABRIC_CATALOG_TENANT_ID="..."
export FABRIC_CATALOG_CLIENT_ID="..."
export FABRIC_CATALOG_CLIENT_SECRET="..."
export FABRIC_CATALOG_WORKSPACE_ID="..."
export FABRIC_CATALOG_PURVIEW_ACCOUNT="my-purview-account"
export DATABRICKS_HOST="my-workspace.azuredatabricks.net"
export DATABRICKS_TOKEN="dapi..."
UC Bridge Mappings
Map Fabric assets to their Unity Catalog equivalents for permission sync:
{
"my_workspace.my_lakehouse.customers": "my_catalog.my_schema.customers",
"my_workspace.my_lakehouse.transactions": "my_catalog.my_schema.transactions"
}
fc diff --mapping-file mappings.json
fc sync --direction fabric_to_uc --mapping-file mappings.json --apply
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fabric_catalog-0.1.0.tar.gz.
File metadata
- Download URL: fabric_catalog-0.1.0.tar.gz
- Upload date:
- Size: 111.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b722ed1ebfe89264efb75736cfe1c2cc83aaccb9c08b786768ba33f9184fced6
|
|
| MD5 |
933a1adacba679bbf3ea3bd6e597772f
|
|
| BLAKE2b-256 |
4a405bbfe962cd5168c6e52bcb5c171d2d6a88a82841dbc19d2b20a4edb89071
|
File details
Details for the file fabric_catalog-0.1.0-py3-none-any.whl.
File metadata
- Download URL: fabric_catalog-0.1.0-py3-none-any.whl
- Upload date:
- Size: 122.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5b21a43bac6cbad03b67143b3dc439b5f4d56ccab8773995a556d16ad3036483
|
|
| MD5 |
c5586b951d4429586f6c1e73cf7e56bf
|
|
| BLAKE2b-256 |
d577b3dc15821570b26760807eee8a7962e3ab69ff75ec754426b971edcc3f2c
|
