Forum Discussion
Unified Catalog Self-serve analytics integration
I'm hoping someone has gone through the process of setting up the Self-serve analytics in the Unified Catalog settings to push the Unified Catalog information down to a Fabric Lakehouse.
I created a Workspace, and then created a lakehouse in this workspace, and created a folder under the files section in the lakehouse. I used the MSI that is shown in Purview when you configure the storage for the connection and granted it contriubutor access to the Workspace.
I then went into Purview, settings for Unified Catalog, and in the solution integrations, set up Fabric storage and provided the URL to the File folder I set up on the lakehouse.
I tested the connection and it tested successfully.
When I set up the scheduler to run, I received the following:
The blacked out is the Workspace ID.
I'm trying to understand what I'm missing, I'm assuming write permissions are missing somewhere, but I'm not sure. Any assistance is appreciated.
3 Replies
Hi JBNFM,
The 403 (AccessDenied) during the scheduled run could mean write/scan permissions are missing at the item (Lakehouse) level, not just to the workspace.
I believe granting Contributor on the Workspace to the Fabric MSI is not sufficient for Unified Catalog scans.
This could be the issue as the Fabric Workspace Managed Identity (MSI) must have explicit access to the Lakehouse item. This could mean Lakehouse item should have explicit permissions Read + Write + Execute permissions so Purview can persist scan state/results.
Try the following
- Go to Fabric Workspace → open the Lakehouse.
- Click Manage access then item-level permissions.
- Add the same MSI shown in Purview.
- Grant Read, Build, and Write (or equivalent Lakehouse contributor rights)
- Re‑run the scheduler.
Thos may work, as without Lakehouse-level permissions, Fabric returns 403 Forbidden even though workspace access exists.
If you find the answer useful and you appreciate my time, please do not forget to like and mark it as a solution 🙂
Pbv85 , thanks for your response. When I go into the Lakehouse, I don't see the "Manage Access", the only thing I see is "Managed OneLake security". If there's another place, let me know as I'm not seeing it.
In the OneLake security, there was only a Reader role with the MSI in it. I created another Contributor Role and set it to "Read,ReadWrite" as those were the only 2 options. and then added the Purview MSI to that role. Still getting the same error.
Pbv85 , thanks for the response.
SO, I opened up the Lakehouse and the only thing I see inside the lakehouse, is Manage OneLake security. Is that the same as "Manage access"?
When I opened that, there was only DefaultReader as a security role. I created a new role and set permissions to "Read, ReadWrite" as those were the only options. I then added the Purview MSI to that group and I still get the same error.If there is a different place to manage those permissions, let me know, I could have missed it somewhere on the screen, again inside of the Lakehouse.
