Implement row-level, column-level, object-level, and folder/file-level access controls (DP-700 Exam Prep)

This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
   --> Configure security and governance
      --> Implement row-level, column-level, object-level, and folder/file-level access controls


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.

Introduction

Modern data platforms must secure information at multiple layers. While workspace-level and item-level permissions determine who can access Fabric assets, organizations often require much more granular control over the data itself.

For example:

  • A regional sales manager should only see sales data for their region.
  • Human Resources staff should see salary information, while other users should not.
  • Analysts should access specific tables but not highly sensitive tables.
  • Data engineers should have access to specific folders within OneLake while being restricted from others.

Microsoft Fabric supports multiple layers of security to address these requirements:

  • Row-Level Security (RLS)
  • Column-Level Security (CLS)
  • Object-Level Security (OLS)
  • Folder/File-Level Security

These controls help organizations implement the Principle of Least Privilege while supporting regulatory compliance, governance requirements, and data protection initiatives.

For the DP-700 exam, understanding the differences between these security mechanisms and when to use each one is extremely important.


Understanding Security Layers

Security in Fabric is often implemented as multiple layers.

Workspace Security
Item Security
Row-Level Security
Column-Level Security
Object-Level Security
Folder/File Security

Each layer controls access to increasingly granular portions of data.


Row-Level Security (RLS)

What Is Row-Level Security?

Row-Level Security restricts which rows of data a user can view.

Users access the same table or report but see different subsets of data.

Example table:

Employee | Region | Sales
John     | East   | 100,000
Sarah    | West   | 150,000
Mike     | East   | 120,000

With RLS:

User         | Visible Data
East Manager | East rows only
West Manager | West rows only

Why Use RLS?

Organizations commonly use RLS to:

  • Restrict regional data
  • Secure department-specific data
  • Support multi-tenant solutions
  • Enforce business ownership boundaries

Static RLS

Static RLS uses predefined security roles.

Example:

Region = "East"

Users assigned to the role see only East region data.


Dynamic RLS

Dynamic RLS evaluates the currently logged-in user.

Example:

USERPRINCIPALNAME()

The system automatically determines which rows the user should access.

Dynamic RLS is commonly used in enterprise implementations because it scales better than manually assigning users to roles.
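The same dynamic pattern can be written in T-SQL with a security policy and a user-to-region mapping table. This is an added example, not code from the original post. The schema, table, function and user names are hypothetical, and it assumes USER_NAME() returns the signed-in user's principal name, taking the place of USERPRINCIPALNAME() above.

```sql
-- Constructed sample data matching the example table above.
CREATE TABLE dbo.RegionalSales (
    Employee varchar(50)   NOT NULL,
    Region   varchar(20)   NOT NULL,
    Sales    decimal(12,2) NOT NULL
);
INSERT INTO dbo.RegionalSales (Employee, Region, Sales) VALUES
    ('John', 'East', 100000), ('Sarah', 'West', 150000), ('Mike', 'East', 120000);
GO

CREATE SCHEMA Security;
GO

-- Mapping table: one row per (user, region) pair the user may see.
-- Granting a manager a new region is an INSERT here, not a new role.
CREATE TABLE Security.UserRegion (
    UserPrincipalName varchar(128) NOT NULL,
    Region            varchar(20)  NOT NULL
);
INSERT INTO Security.UserRegion (UserPrincipalName, Region) VALUES
    ('east.manager@contoso.com', 'East'),
    ('west.manager@contoso.com', 'West');
GO

-- Inline predicate: returns a row only when the current user is mapped
-- to the region of the row being evaluated. Unmapped users see no rows.
CREATE FUNCTION Security.fn_RegionPredicate (@Region AS varchar(20))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS is_visible
    FROM Security.UserRegion AS ur
    WHERE ur.Region = @Region
      AND ur.UserPrincipalName = USER_NAME();
GO

-- Bind the predicate to the table as a filter and switch it on.
CREATE SECURITY POLICY Security.RegionalSalesFilter
ADD FILTER PREDICATE Security.fn_RegionPredicate(Region)
ON dbo.RegionalSales
WITH (STATE = ON);
GO

-- Check that the policy exists and is enabled (SQL Server catalog views).
SELECT p.name, p.is_enabled, pr.predicate_type_desc, pr.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS pr ON pr.object_id = p.object_id;
```

Because the filter is driven by the mapping table, write access to Security.UserRegion is itself a sensitive permission and should be restricted to the people who administer access.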


Common DP-700 RLS Scenario

A company has regional managers.

Requirement:

Each manager should only see data for their assigned region.

Solution:

Implement Row-Level Security.


Column-Level Security (CLS)

What Is Column-Level Security?

Column-Level Security restricts access to specific columns while allowing access to the rest of the table.

Example table:

EmployeeID | Name  | Salary
1001       | John  | 90,000
1002       | Sarah | 110,000

With CLS:

HR Users:

EmployeeID | Name | Salary
1001       | John | 90,000

Non-HR Users:

EmployeeID | Name
1001       | John

The Salary column is hidden.


Why Use CLS?

CLS is commonly used to protect:

  • Salary information
  • Personally identifiable information (PII)
  • Social Security numbers
  • Healthcare data
  • Financial account information

Benefits of CLS

  • Protects sensitive fields
  • Simplifies compliance efforts
  • Reduces data exposure
  • Supports privacy regulations

Common DP-700 CLS Scenario

Requirement:

Managers need employee information but must not see salary data.

Solution:

Implement Column-Level Security.


Object-Level Security (OLS)

What Is Object-Level Security?

Object-Level Security controls access to entire database objects.

Examples include:

  • Tables
  • Views
  • Columns
  • Measures

Rather than filtering data, OLS completely hides objects from users.


Example

Database Objects:

Sales Table
Customer Table
Payroll Table

Finance Users:

Sales Table
Customer Table
Payroll Table

Sales Users:

Sales Table
Customer Table

The Payroll table is completely hidden.
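The column-level and object-level scenarios above can both be expressed as T-SQL permissions. This is an added example, not code from the original post. The role, user and table names are hypothetical, and it assumes the tables and users already exist in the database.

```sql
-- Hypothetical database roles for the two audiences in the examples above.
CREATE ROLE HRUsers;
CREATE ROLE SalesUsers;
GO
ALTER ROLE HRUsers    ADD MEMBER [hr.analyst@contoso.com];
ALTER ROLE SalesUsers ADD MEMBER [sales.analyst@contoso.com];
GO

-- Column-level: HR reads the whole Employees table;
-- Sales users are granted only the non-sensitive columns (no Salary).
GRANT SELECT ON dbo.Employees TO HRUsers;
GRANT SELECT ON dbo.Employees (EmployeeID, Name) TO SalesUsers;

-- Object-level: Sales users get the Sales and Customer tables,
-- and an explicit DENY on Payroll that survives later broad grants.
GRANT SELECT ON dbo.Sales    TO SalesUsers;
GRANT SELECT ON dbo.Customer TO SalesUsers;
DENY  SELECT ON dbo.Payroll  TO SalesUsers;
GO

-- Audit: list every object- and column-level permission per grantee
-- (SQL Server catalog views). column_name is NULL for whole-object entries.
SELECT pr.name                         AS grantee,
       dp.state_desc,
       dp.permission_name,
       OBJECT_SCHEMA_NAME(dp.major_id) AS schema_name,
       OBJECT_NAME(dp.major_id)        AS object_name,
       c.name                          AS column_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr
  ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.columns AS c
  ON c.object_id = dp.major_id AND c.column_id = dp.minor_id
WHERE dp.class_desc = 'OBJECT_OR_COLUMN'
ORDER BY grantee, object_name, column_name;
```

With these grants, a SalesUsers member who runs SELECT * against dbo.Employees gets a permission error on the Salary column and must list the permitted columns explicitly.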


OLS vs CLS

This distinction is frequently tested on the DP-700 exam.

Feature               | CLS | OLS
Hides columns         | Yes | Yes
Hides tables          | No  | Yes
Hides measures        | No  | Yes
Hides entire objects  | No  | Yes

Why Use OLS?

Organizations use OLS when users should not even know an object exists.

Examples:

  • Payroll tables
  • Executive compensation data
  • Audit tables
  • Compliance datasets

Common DP-700 OLS Scenario

Requirement:

Analysts should not see the Payroll table at all.

Solution:

Implement Object-Level Security.


Folder-Level Security

What Is Folder-Level Security?

Folder-level security controls access to folders within storage structures such as OneLake.

Example:

Finance
├── Payroll
├── Budgets
└── Forecasts
Sales
├── Regional
└── Territory

Finance users may access:

Finance/*

while Sales users may access:

Sales/*

Why Folder-Level Security Matters

Benefits include:

  • Departmental separation
  • Data governance
  • Simplified access management
  • Better organization

OneLake Considerations

Microsoft Fabric’s OneLake serves as the unified storage layer.

Organizations often structure OneLake data using:

Department
Project
Files

Folder-level controls help restrict access appropriately.


File-Level Security

What Is File-Level Security?

File-level security controls access to individual files.

Example:

EmployeeData.parquet
Payroll.parquet
Benefits.parquet

A user may be granted access to:

EmployeeData.parquet

while being denied access to:

Payroll.parquet

Use Cases

File-level security is useful when:

  • Sensitive files exist within shared folders
  • Regulatory restrictions apply
  • Individual datasets require additional protection

Folder-Level vs File-Level Security

Folder Security            | File Security
Controls entire folder     | Controls individual files
Easier to manage           | More granular
Less administrative effort | Greater precision

Comparing All Four Security Models

Security Type         | Controls
Row-Level Security    | Which rows users can see
Column-Level Security | Which columns users can see
Object-Level Security | Which tables, views, measures, or columns exist for users
Folder/File Security  | Which storage locations users can access

Security Layer Examples

Example 1: Regional Sales

Requirement:

Users should only see sales for their region.

Solution:

Row-Level Security


Example 2: Salary Protection

Requirement:

Users can see employee records but not salary information.

Solution:

Column-Level Security


Example 3: Payroll Table Protection

Requirement:

Payroll tables should be invisible to most users.

Solution:

Object-Level Security


Example 4: Departmental Data Separation

Requirement:

Finance files should not be accessible by Sales users.

Solution:

Folder-Level Security


Combining Security Controls

Enterprise environments often combine multiple controls.

Example:

Workspace Permission
Item Permission
RLS
CLS
OLS
Folder Security

This layered approach provides stronger protection.


Best Practices

Follow Least Privilege

Grant only required access.


Prefer Dynamic RLS

Dynamic RLS scales better than manually maintained security roles.


Use OLS for Highly Sensitive Objects

Hide entire tables when appropriate.


Protect Sensitive Columns

Use CLS for PII and confidential information.


Organize OneLake Carefully

Use logical folder structures to simplify governance.


Audit Security Regularly

Review permissions and security configurations periodically.


DP-700 Exam Focus Areas

You should understand:

✓ Row-Level Security (RLS)

✓ Static versus Dynamic RLS

✓ Column-Level Security (CLS)

✓ Object-Level Security (OLS)

✓ Folder-level access controls

✓ File-level access controls

✓ OneLake security concepts

✓ Security layering

✓ Least-privilege principles

✓ Common security implementation scenarios


Practice Exam Questions

Question 1

A company wants regional managers to see only sales records from their assigned region.

Which security feature should be implemented?

A. File-Level Security

B. Object-Level Security

C. Workspace Security

D. Row-Level Security

Answer: D

Explanation

Row-Level Security filters rows based on user identity or role, allowing managers to view only relevant regional data.


Question 2

A user should be able to view employee records but not salary information.

Which security feature should be used?

A. Row-Level Security

B. Workspace Viewer Role

C. Column-Level Security

D. Deployment Rules

Answer: C

Explanation

Column-Level Security restricts access to specific columns while allowing access to the rest of the table.


Question 3

Which security feature can completely hide a table from users?

A. Row-Level Security

B. Object-Level Security

C. File-Level Security

D. Workspace Security

Answer: B

Explanation

Object-Level Security can hide entire tables, views, columns, and measures.


Question 4

A company wants to prevent users from accessing a specific file within a shared OneLake folder.

Which security mechanism is most appropriate?

A. Row-Level Security

B. Column-Level Security

C. Object-Level Security

D. File-Level Security

Answer: D

Explanation

File-Level Security controls access to individual files.


Question 5

What is a key advantage of Dynamic RLS compared to Static RLS?

A. Faster query execution

B. Automatically adjusts security based on the logged-in user

C. Eliminates the need for semantic models

D. Removes workspace permissions

Answer: B

Explanation

Dynamic RLS uses user identity functions to determine appropriate data access automatically.


Question 6

Which security control is best suited for hiding a Payroll table from analysts?

A. Column-Level Security

B. Folder-Level Security

C. Object-Level Security

D. Row-Level Security

Answer: C

Explanation

OLS completely hides the table from unauthorized users.


Question 7

A company wants Finance users to access the Finance folder but not the Sales folder.

Which security mechanism should be implemented?

A. Folder-Level Security

B. Row-Level Security

C. Column-Level Security

D. Build Permission

Answer: A

Explanation

Folder-Level Security restricts access to specific storage locations.


Question 8

Which statement correctly describes Column-Level Security?

A. It filters rows of data.

B. It hides specific columns while keeping the table accessible.

C. It hides entire tables.

D. It controls workspace membership.

Answer: B

Explanation

CLS allows access to the table while restricting access to designated columns.


Question 9

What is the primary purpose of Object-Level Security?

A. Filter data rows

B. Control notebook execution

C. Hide entire data objects from users

D. Manage workspace permissions

Answer: C

Explanation

OLS controls visibility of tables, views, columns, and measures.


Question 10

Which combination provides the most granular data protection?

A. Workspace Security only

B. Workspace Security and Item Security only

C. Row-Level Security only

D. Layered security using RLS, CLS, OLS, and folder/file controls

Answer: D

Explanation

Layering multiple security mechanisms provides comprehensive protection across multiple levels of the data platform.


Exam Tip

For the DP-700 exam, remember these distinctions:

Requirement                            | Solution
Restrict specific records              | Row-Level Security (RLS)
Hide specific columns                  | Column-Level Security (CLS)
Hide entire tables, views, or measures | Object-Level Security (OLS)
Restrict storage locations             | Folder/File-Level Security

A common exam strategy is to identify what is being protected:

  • Rows → RLS
  • Columns → CLS
  • Objects (tables/views/measures) → OLS
  • Files/Folders → Folder/File-Level Security

Many DP-700 questions present multiple security options that seem plausible. Focusing on the exact scope of the restriction usually leads directly to the correct answer.

