Enterprise governance
Tenant isolation, roles, production Quality gates, retention, legal hold, and durable audit evidence.
Fabric Experiments connects the evidence produced by A/B experiments and Databricks workload tests to release decisions. Governance is organization scoped and enforced by the API; Studio is not the security boundary.
Start with the safe baseline
- Create separate organizations for unrelated security boundaries.
- Give humans the lowest suitable role:
viewer,experimenter,admin, orowner. - Create expiring Quality publisher keys for CI; do not share personal keys.
- Publish the suites that must protect production.
- Open Settings → Governance policy, enable the Quality gate, enter exact suite names, and choose a freshness window.
- Set evidence retention. Enable legal hold only for an active preservation requirement.
- Verify the policy in Audit and test a staging-to-production promotion.
Production Quality gate
When enabled, promotion into a production-tier environment requires the latest run for every configured suite to:
- exist in the same organization;
- have status
passed; and - finish within the configured freshness window.
The Configuration screen shows when promotion is blocked, and the API returns
409 QUALITY_GATE_FAILED with each failed check. The server repeats the check
at promotion time, so a stale browser or direct API caller cannot bypass it.
Typical required suites are:
Databricks BDD
Databricks live suite
Production data contractsSuite matching is exact. Publish with a stable name:
fx test publish reports/evidence.json --suite "Databricks BDD"Retention and legal hold
Retention is configurable from 30 to 3,650 days. Scheduled pruning applies the organization policy. Legal hold suspends automatic event deletion for the organization; disabling it resumes the normal retention calculation.
Legal hold is an operational control, not a complete e-discovery product. Export evidence to your approved archive or SIEM where policy requires independent, immutable storage.
Unified audit trail
The tenant-scoped Audit screen records experiment lifecycle actions, immutable environment publications and promotions, API-key creation/revocation, Quality run publication, and governance-policy changes. Resource links resolve to the appropriate Experiment, Configuration, Quality, or Settings screen.
Secrets are not written to audit payloads. API keys are stored hashed and shown only once. Quality evidence is redacted at runner capture and again at ingest.
Authorization model
| Role | Typical responsibilities |
|---|---|
| Viewer | Read experiments, Quality evidence, and audit history |
| Experimenter | Author experiments and publish scoped Quality evidence |
| Admin | Manage keys and governance policy; cannot mint an owner key |
| Owner | Organization ownership and highest administrative authority |
Databricks Apps OAuth and Fabric authorization are independent layers. The gateway grants access to the App; the Fabric session or API key selects an organization and role. Every read and write includes the authenticated organization in its storage predicate.
Enterprise readiness boundary
Shipped controls include tenant isolation, fixed RBAC roles, SAML/OIDC and SCIM surfaces, 2FA-capable authentication, scoped/expiring API keys, durable audit, retention/legal hold, external audit forwarding, and production Quality gates.
Before a regulated deployment, your team must still validate the chosen IdP, SCIM directory, regional/data-residency design, backup policy, SIEM destination, and incident procedures. Custom roles, formal compliance certification, and AWS/GCP Databricks certification are not claimed. See the compatibility matrix for the evidence boundary and enterprise security and operations for available controls and customer responsibilities.