BI Administration, Data Security, Microsoft Certification, PL-300, Power BI

Assign Workspace Roles (PL-300 Exam Prep)

 
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Assign Workspace Roles

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

In Power BI, workspaces are collaborative containers used to develop, manage, and distribute content such as semantic models (datasets), reports, dashboards, dataflows, and apps.
Assigning workspace roles is a core governance task that ensures users have the appropriate level of access—no more and no less—based on their responsibilities.

For the PL-300 exam, you are expected to understand:

  • The four workspace roles
  • What each role can and cannot do
  • When to assign each role
  • How workspace roles relate to security, governance, and content lifecycle

Power BI Workspace Roles

Power BI provides four predefined workspace roles:

1. Admin

Highest level of access

Admins have full control over the workspace and its contents.

Key capabilities:

  • Add or remove users and assign roles
  • Update workspace settings
  • Publish, update, and delete all content
  • Configure semantic model settings (refresh, credentials, endorsements)
  • Publish and update workspace apps
  • Delete the workspace

Typical use cases:

  • Power BI service administrators
  • BI platform owners
  • Lead analytics engineers

🔑 Exam tip: Only Admins can manage workspace access and delete a workspace.

2. Member

Content creators and managers

Members can actively create and manage content, but they cannot manage workspace access.

Key capabilities:

  • Create, edit, and delete reports and dashboards
  • Publish semantic models
  • Configure scheduled refresh
  • Publish and update workspace apps
  • Share content (depending on tenant settings)

Limitations:

  • Cannot add or remove workspace users
  • Cannot delete the workspace

Typical use cases:

  • Power BI developers
  • Data analysts responsible for production content

3. Contributor

Content creators without publishing authority

Contributors can build and modify content, but they cannot publish apps or manage access.

Key capabilities:

  • Create and edit reports and semantic models
  • Upload PBIX files
  • Modify existing content they have access to

Limitations:

  • Cannot publish or update workspace apps
  • Cannot manage workspace users
  • Cannot change workspace settings

Typical use cases:

  • Analysts building reports for review
  • Developers working in shared or pre-production workspaces

4. Viewer

Read-only access

Viewers can consume content but cannot modify anything.

Key capabilities:

  • View reports, dashboards, and apps
  • Interact with visuals (filters, slicers)
  • Export data (if allowed)

Limitations:

  • Cannot create or edit content
  • Cannot publish apps
  • Cannot configure refresh or settings

Typical use cases:

  • Business users
  • Executives and stakeholders
  • Consumers of certified content

🔑 Exam tip: Viewers require a Power BI Pro license unless the workspace is in Premium capacity.

Assigning Workspace Roles

Workspace roles are assigned in the Power BI service:

  1. Navigate to the workspace
  2. Select Access
  3. Add users or groups
  4. Assign the appropriate role (Admin, Member, Contributor, Viewer)

🔐 Best practice: Assign Azure AD security groups instead of individual users to simplify governance and reduce maintenance.

Governance and Security Considerations

Least Privilege Principle

Always assign the lowest role necessary for a user to perform their job.

  • Consumers → Viewer
  • Report authors → Contributor or Member
  • Platform owners → Admin

Separation of Duties

Use different workspaces for:

  • Development
  • Testing
  • Production

Assign higher roles in dev, more restrictive roles in prod.

Workspace Roles vs Item-Level Security

  • Workspace roles control what users can do
  • Row-level security (RLS) controls what data users can see

Both are often used together.

Common Exam Scenarios

You may see questions such as:

  • Which role allows a user to publish an app but not manage access?Member
  • Which role is required to assign users to a workspace?Admin
  • Which role should be assigned to report consumers?Viewer
  • Why use Contributor instead of Member? → To prevent app publishing or access management

Key Takeaways for PL-300

  • Know all four workspace roles
  • Understand capabilities vs limitations
  • Admin = access + settings
  • Member = manage content + apps
  • Contributor = build content only
  • Viewer = consume content only
  • Assign roles strategically for security and governance

Practice Questions

Go to the Practice Questions for this topic.

Leave a comment