This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
--> Configure security and governance
--> Implement item-level access controls
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.
Introduction
While workspace-level permissions provide the first layer of security in Microsoft Fabric, they are often not sufficient for enterprise environments. Organizations frequently need to grant users access to specific assets without providing access to everything within a workspace.
This is where item-level access controls become important.
Item-level access controls allow administrators and data engineers to secure individual Fabric items such as Lakehouses, Warehouses, Semantic Models, Reports, Dashboards, and other assets. These controls provide more granular security than workspace permissions and help organizations implement governance, compliance, and least-privilege access models.
For the DP-700 exam, it is important to understand how item-level permissions work, how they interact with workspace permissions, and when to use item-level controls instead of workspace-level access.
What Are Item-Level Access Controls?
Item-level access controls are permissions assigned directly to specific Fabric assets rather than to an entire workspace.
For example:
Workspace
│
├── Lakehouse A
├── Lakehouse B
├── Warehouse A
├── Warehouse B
└── Notebook A
A user might need access only to:
- Lakehouse A
- Warehouse A
without gaining access to the entire workspace.
Item-level permissions make this possible.
Why Item-Level Security Is Important
Many organizations have:
- Sensitive financial data
- Human resources data
- Customer information
- Regulatory data
- Executive reporting data
Providing broad workspace access could expose data unnecessarily.
Item-level controls allow organizations to:
- Restrict sensitive assets
- Share specific content
- Improve governance
- Support compliance requirements
- Implement least-privilege security
Workspace Permissions vs Item-Level Permissions
One of the most frequently tested DP-700 topics is understanding the difference between workspace-level and item-level permissions.
| Workspace-Level Access | Item-Level Access |
|---|---|
| Applies to entire workspace | Applies to specific items |
| Broader permissions | Granular permissions |
| Easier administration | More precise security |
| Used for collaboration | Used for controlled sharing |
Example
A data engineer may need:
- Contributor access to a workspace
while an executive may only need:
- Access to a single report
In this scenario, item-level permissions are the preferred solution.
Permission Inheritance
Understanding inheritance is critical for the DP-700 exam.
Workspace permissions often provide access to contained items.
However, item-level permissions can be used to:
- Grant access beyond workspace membership
- Share specific assets
- Restrict access to sensitive content
Exam Tip
Many questions focus on determining whether workspace-level permissions or item-level permissions should be used.
A good rule is:
- Access to many assets → Workspace permissions
- Access to one or a few assets → Item-level permissions
Item-Level Security for Lakehouses
Lakehouses contain:
- Delta tables
- Files
- Structured data
- Unstructured data
Organizations often need to control who can access these assets.
Examples include:
- Finance Lakehouse
- HR Lakehouse
- Customer Analytics Lakehouse
Item-level permissions can limit access to specific Lakehouses without exposing all workspace assets.
Item-Level Security for Warehouses
Fabric Data Warehouses frequently contain business-critical data.
Examples include:
- Sales metrics
- Financial transactions
- Customer information
Warehouse permissions can be assigned independently of workspace permissions.
This helps organizations:
- Restrict data access
- Support regulatory requirements
- Enforce data ownership
Item-Level Security for Reports
Reports are one of the most commonly shared Fabric assets.
A user may need:
- Access to a report
- No access to development artifacts
Examples:
- Executive dashboards
- Department reports
- Operational reporting
Item-level sharing enables this scenario.
Semantic Model Permissions
Semantic Models serve as the foundation for many reporting solutions.
Permissions can control who may:
- View the model
- Build reports from the model
- Query the model
Common permissions include:
- Read access
- Build permission
Understanding Build Permission
Build permission is a commonly tested Fabric security topic.
Users with Build permission can:
- Create reports from a semantic model
- Analyze data using approved tools
- Reuse trusted datasets
Without Build permission, users may be able to view reports but not create new reports from the underlying semantic model.
Example
Semantic Model
↓
Build Permission
↓
Create New Reports
This distinction frequently appears in exam questions.
Sharing Items
Fabric allows users to share individual assets.
Examples include:
- Reports
- Semantic Models
- Dashboards
Sharing provides targeted access without adding users to the workspace.
Benefits include:
- Reduced administrative overhead
- Improved security
- Easier collaboration
Row-Level Security (RLS)
Although RLS is often discussed separately from item permissions, it is closely related to access control.
Row-Level Security restricts which rows a user can view.
Example:
| User | Visible Region |
|---|---|
| Alice | East |
| Bob | West |
Both users access the same report but see different data.
Important Distinction
Item-level permissions control:
Who can access the item
RLS controls:
What data they can see within the item
This distinction is commonly tested.
Object-Level Security (OLS)
Object-Level Security provides even more granular control.
OLS can restrict access to:
- Tables
- Columns
- Measures
Example:
Finance users:
Salary Column = Visible
General users:
Salary Column = Hidden
Combining Security Layers
Enterprise security often combines:
Workspace Security
↓
Item Security
↓
Row-Level Security
↓
Object-Level Security
Each layer provides additional protection.
Security Groups and Item Permissions
Best practice is to assign item permissions through Microsoft Entra ID groups rather than individual users.
Example:
Finance Executives Group
↓
Executive Dashboard Access
Benefits include:
- Easier administration
- Consistent security
- Simplified auditing
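The layers above, combined with group-based assignment, can be traced in a small model. This is an added example, not Fabric code or part of the original post: the users, groups, item name, sample rows and the `query` function are all constructed, and the model assumes RLS and OLS apply to every principal alike.

```python
# Added illustration: a simplified model of the layers on this page.
# Not Fabric's enforcement engine; every name and value here is constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # Entra ID group names
    workspace_role: Optional[str] = None       # e.g. "Contributor"

# Item-level access is granted to groups, not to individual users.
ITEM_ACCESS = {"Sales Report": {"Regional Managers", "Finance Analysts"}}
RLS_REGION = {"alice": "East", "bob": "West"}        # user -> visible region
OLS_VISIBLE_TO = {"Salary": {"Finance Analysts"}}    # column -> groups allowed
ROWS = [
    {"Region": "East", "Sales": 120, "Salary": 90},
    {"Region": "West", "Sales": 80, "Salary": 70},
]

def query(user, item):
    """Rows and columns the user sees in item, or None when access is denied."""
    # Workspace and item layers: who can access the item at all.
    shared = bool(user.groups & ITEM_ACCESS.get(item, set()))
    if user.workspace_role is None and not shared:
        return None
    # RLS: which rows. Assumption: a user without a mapping is unfiltered.
    region = RLS_REGION.get(user.name)
    rows = [r for r in ROWS if region in (None, r["Region"])]
    # OLS: which columns. Assumption: applied to every principal alike.
    hidden = {c for c, ok in OLS_VISIBLE_TO.items() if not user.groups & ok}
    return [{c: v for c, v in r.items() if c not in hidden} for r in rows]

alice = User("alice", {"Regional Managers"})
bob = User("bob", {"Regional Managers", "Finance Analysts"})
carol = User("carol", {"Marketing"})
dev = User("dev", workspace_role="Contributor")

if __name__ == "__main__":
    for u in (alice, bob, carol, dev):
        print(u.name, query(u, "Sales Report"))
```

Alice and Bob reach the same item through a group but get different rows (RLS), only Bob's group sees the Salary column (OLS), and Carol is stopped at the item layer before any data filtering is evaluated.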
Common DP-700 Exam Scenarios
Scenario 1
A CEO needs access to a financial dashboard but should not access the entire workspace.
Solution:
Use item-level sharing on the report.
Scenario 2
Analysts need to create reports from a semantic model.
Solution:
Grant Build permission.
Scenario 3
Regional managers should only see sales data for their region.
Solution:
Implement Row-Level Security.
Scenario 4
Users should not see salary-related columns.
Solution:
Implement Object-Level Security.
Best Practices
Follow Least Privilege
Grant only necessary permissions.
Use Security Groups
Avoid assigning permissions to individual users whenever possible.
Use Build Permission Carefully
Build permission enables report creation and data exploration.
Combine Security Layers
Use:
- Workspace permissions
- Item permissions
- RLS
- OLS
where appropriate.
Audit Permissions Regularly
Review access assignments periodically.
Secure Sensitive Assets Separately
Finance, HR, and compliance data should receive additional scrutiny.
DP-700 Exam Focus Areas
You should understand:
✓ Item-level permissions
✓ Workspace vs item-level security
✓ Semantic model permissions
✓ Build permission
✓ Report sharing
✓ Lakehouse permissions
✓ Warehouse permissions
✓ Permission inheritance
✓ Row-Level Security (RLS)
✓ Object-Level Security (OLS)
✓ Security group assignments
✓ Least-privilege principles
Practice Exam Questions
Question 1
A user needs access to a single report but should not have access to the workspace.
What should be used?
A. Workspace Admin role
B. Workspace Member role
C. Item-level sharing
D. Capacity assignment
Answer: C
Explanation
Item-level sharing allows access to a specific report without granting workspace access.
Question 2
What is the primary purpose of item-level access controls?
A. Manage Fabric capacities
B. Secure specific Fabric assets
C. Configure deployment pipelines
D. Manage Spark pools
Answer: B
Explanation
Item-level permissions provide granular security for individual Fabric items.
Question 3
Which permission allows users to create reports from an existing semantic model?
A. Viewer
B. Contributor
C. Read
D. Build
Answer: D
Explanation
Build permission allows users to create new reports and analyses from a semantic model.
Question 4
A user can access a report but should only see rows for their assigned sales region.
Which security feature should be implemented?
A. Item sharing
B. Workspace Viewer role
C. Object-Level Security
D. Row-Level Security
Answer: D
Explanation
Row-Level Security filters data based on user identity or role.
Question 5
What is the primary difference between workspace-level and item-level permissions?
A. Item-level permissions apply to specific assets
B. Workspace permissions only apply to reports
C. Item permissions control Spark resources
D. Workspace permissions cannot be assigned to groups
Answer: A
Explanation
Workspace permissions affect the entire workspace, while item-level permissions affect specific assets.
Question 6
A company wants users to access an executive dashboard without viewing development notebooks.
What should be implemented?
A. Workspace Admin access
B. Workspace Contributor access
C. Item-level access to the dashboard
D. Capacity permissions
Answer: C
Explanation
Item-level sharing allows access to specific assets without exposing the broader workspace.
Question 7
What does Object-Level Security (OLS) control?
A. Workspace membership
B. Data refresh schedules
C. Deployment permissions
D. Access to tables, columns, and measures
Answer: D
Explanation
OLS provides granular security at the database object level.
Question 8
A user belongs to a workspace but should not access a highly sensitive financial warehouse.
What security approach is most appropriate?
A. Use item-level controls on the warehouse
B. Increase capacity
C. Configure deployment rules
D. Create a notebook
Answer: A
Explanation
Item-level permissions provide additional control over access to sensitive assets.
Question 9
Which statement about Build permission is correct?
A. It grants workspace administration rights.
B. It allows users to create reports from a semantic model.
C. It controls deployment pipelines.
D. It replaces Row-Level Security.
Answer: B
Explanation
Build permission enables report creation and data exploration based on a semantic model.
Question 10
What is considered a best practice when assigning item-level permissions?
A. Assign permissions directly to every user
B. Use only Admin roles
C. Use Microsoft Entra ID groups
D. Disable item sharing
Answer: C
Explanation
Group-based permission management improves consistency, scalability, and governance.
Exam Tip
For the DP-700 exam, remember the following hierarchy:
| Security Layer | Purpose |
|---|---|
| Workspace Security | Controls access to the workspace |
| Item-Level Security | Controls access to specific assets |
| Row-Level Security (RLS) | Controls which rows users can see |
| Object-Level Security (OLS) | Controls which tables, columns, or measures users can access |
A common exam strategy is to identify whether the question is asking who can access an asset (item permissions) or what data they can see after gaining access (RLS/OLS). This distinction often leads directly to the correct answer.
