Security and permissions
This page explains the security model behind Icon Map for Fabric — how identity, permissions, and data storage work. It's written for anyone carrying out a security review.
Looking for the step-by-step admin setup (tenant settings, admin consent, service-principal grants)? See the Onboarding & Setup section.
The guiding principle is that Icon Map works on your data, in your tenant: it reads your data in place, acts under the identity of the signed-in user, and stores anything it writes in your own OneLake.
Identity model
Authoring and reading a map (inside Fabric). The Icon Map editor and viewer run inside the Fabric experience and act as the signed-in user using their Microsoft Entra identity. Reads of OneLake files (such as tile and imagery files) use a short-lived, user-delegated SAS obtained on the user's behalf — so a user only ever sees data they are already permitted to access. Power BI semantic model sources are queried through the model, which enforces the model's measures, relationships, and row-level security.
Because Icon Map inherits Fabric permissions, no separate access system is introduced for normal authoring and viewing — your existing workspace roles and OneLake permissions govern who can see what.
Permissions for authoring
To build maps, a user needs:
- Access to the workspace containing the Icon Map item (Contributor or higher to create and edit items; Viewer to open in reading view).
- Read access to the data they connect to — the Lakehouse, Warehouse/SQL, semantic model, Eventhouse/KQL database, or file — under their own identity.
- For an Organizational Catalog, OneLake permissions on the catalog's repository folder, which govern who can use its layers.
No elevated or service credentials are required for a user to author or read a map. So that authoring works without repeated consent prompts, an administrator grants tenant-wide admin consent to the Icon Map app — this pre-approves the delegated permissions but grants no standalone access to your data.
Publishing and the viewer identity
Publishing a map for viewing outside Fabric is the one case where a non-user identity is involved: the public embedded viewer reads the frozen, published files from your OneLake using an Icon Map reader service principal that an administrator grants Contributor on each publishing workspace. The setup is covered in Set up publishing. Key security properties:
- Snapshot vs live. A snapshot publish freezes data at publish time; a live publish runs the map's pinned queries on each load, with server-validated parameters and a daily query budget (default 500 fresh queries/day, 50,000 rows/query) you can lower.
- Row-level security for viewers. Per-viewer RLS is available only with signed embed tokens, where token claims map to declared, server-validated filter parameters. Anonymous published links cannot apply per-viewer RLS — publish only data you're content to share with everyone who has the link.
- Allowed origins. Restrict which sites may host an embed with the allowed-origins allow-list.
- Revocation. Any published link can be revoked at any time from Publish management.
- Organization-wide off switch. Embedded publishing can be disabled for your tenant, or for individual workspaces: the Publish action is removed from the editor and the embed service refuses to serve the affected maps, including ones published before the change.
- What's stored where. Published files live in your OneLake under
Files/_published/<publish-id>/(amanifest.jsonof styling/config with no secrets or connection strings, adata.jsonsnapshot, and assets). Icon Map does not copy or cache your map data on its own servers.
Source credentials
For sources that need credentials (for example, an authenticated WMS service or a GTFS feed), the saved credentials are stored in the map item's own OneLake folder, protected by workspace roles, and attached server-side when the source is fetched — they are not stored in the layer's configuration.
Write-back permissions
Write-back — letting viewers add or edit the data behind a map — writes to files in your OneLake (the map's annotations store, or a layer's GeoJSON/CSV file) as the signed-in user. It is gated on the user's Fabric Write permission on the item, so it's available to users with write access even when they're in reading view. In this preview, anonymous published/embedded viewers cannot write back.
Next steps
- Onboarding & Setup — the step-by-step administrator configuration.
- Data, privacy & residency — where your data lives and compliance resources.