Tag: security

Implement workspace-level access controls in Microsoft Fabric

This post is part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; the topic falls under these sections:
Maintain a data analytics solution
--> Implement security and governance
--> Implement workspace-level access controls

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Workspace-level access control is the first and most fundamental security boundary in Microsoft Fabric. It determines who can access a workspace, what actions they can perform, and how they can interact with Fabric items such as Lakehouses, Warehouses, semantic models, reports, notebooks, and pipelines.

For the DP-600 exam, you should clearly understand workspace roles, their permissions, and how workspace security integrates with broader governance practices.

What Are Workspace-Level Access Controls?

Workspace-level access controls define permissions at the workspace scope, applying to all items within that workspace unless further restricted by item-level or data-level security.

These controls are managed through workspace roles, which are assigned to:

  • Individual users
  • Microsoft Entra ID (Azure AD) security groups
  • Distribution lists (limited scenarios)

Workspace Roles in Microsoft Fabric

Microsoft Fabric workspaces use role-based access control (RBAC). There are four workspace roles that users can be assigned, and each role grants a predefined set of permissions.

1. Admin

Highest level of access

Admins can:

  • Manage workspace settings
  • Add or remove users and assign roles
  • Delete the workspace
  • Control capacity assignment
  • Access and manage all items

Typical use cases

  • Platform administrators
  • Lead analytics engineers

Exam note
Admins automatically have all permissions of lower roles.

2. Member

Full content creation and collaboration role

Members can:

  • Create, edit, and delete Fabric items
  • Publish and update semantic models and reports
  • Share content
  • Run pipelines and notebooks

Members cannot:

  • Delete the workspace
  • Manage capacity settings

Typical use cases

  • Analytics engineers
  • Senior analysts

3. Contributor

Content creation with limited governance control

Contributors can:

  • Create and modify items they have access to
  • Run notebooks, pipelines, and queries
  • Publish reports and datasets

Contributors cannot:

  • Manage workspace users
  • Modify workspace settings

Typical use cases

  • Data analysts
  • Developers contributing content

4. Viewer

Read-only access

Viewers can:

  • View reports and dashboards
  • Read data from semantic models
  • Execute queries if explicitly allowed

Viewers cannot:

  • Create or edit items
  • Publish or share content

Typical use cases

  • Business users
  • Report consumers

Summary table:

Role: Admin
  Description: Highest level of access; full workspace administration, including the ability to delete the workspace.
  Admins can: manage workspace settings; add or remove users and assign roles; delete the workspace; control capacity assignment; access and manage all items.
  Typical use cases: platform administrators; lead analytics engineers.

Role: Member
  Description: Full content creation and collaboration role; can manage members with the same or lower permissions.
  Members can: create, edit, and delete Fabric items; publish and update semantic models and reports; share content; run pipelines and notebooks.
  Members cannot: delete the workspace; manage capacity settings.
  Typical use cases: analytics engineers; senior analysts.

Role: Contributor
  Description: Content creation with limited governance control; can create and manage workspace content.
  Contributors can: create and modify items they have access to; run notebooks, pipelines, and queries; publish reports and datasets.
  Contributors cannot: manage workspace users; modify workspace settings.
  Typical use cases: data analysts; developers contributing content.

Role: Viewer
  Description: Read-only access to the workspace.
  Viewers can: view reports and dashboards; read data from semantic models; execute queries if explicitly allowed.
  Viewers cannot: create or edit items; publish or share content.
  Typical use cases: business users; report consumers.

How Workspace-Level Security Is Enforced

Workspace-level access controls:

  • Are evaluated before item-level or data-level security
  • Determine whether a user can even see workspace content
  • Apply consistently across all Fabric workloads (Power BI, Lakehouse, Warehouse, Data Factory, Real-Time Analytics)

This makes workspace roles the entry point for all other security mechanisms.

Best Practices for Workspace-Level Access Control

Use Security Groups Instead of Individuals

  • Assign Microsoft Entra ID security groups to workspace roles
  • Simplifies access management
  • Supports scalable governance

Separate Workspaces by Purpose

Common patterns include:

  • Development vs Test vs Production
  • Department-specific workspaces
  • Consumer-only (Viewer) workspaces

Apply Least Privilege

  • Grant users the lowest role necessary
  • Avoid overusing Admin and Member roles
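As an added example (not part of this post or of Microsoft's own tooling), a Python check that audits a workspace's role assignments against the practices above: it flags individual users holding roles instead of Entra security groups, and more Admin assignments than a configured limit. The input is a constructed sample shaped like a Fabric REST API role-assignment listing; the field names and the list endpoint are assumptions.

```python
from collections import Counter

# Constructed sample shaped like the Fabric REST API response for
# GET /v1/workspaces/{workspaceId}/roleAssignments (field names assumed).
SAMPLE_ASSIGNMENTS = [
    {"principal": {"id": "g-0001", "displayName": "sg-fabric-admins", "type": "Group"}, "role": "Admin"},
    {"principal": {"id": "u-0001", "displayName": "alice@contoso.example", "type": "User"}, "role": "Admin"},
    {"principal": {"id": "g-0002", "displayName": "sg-analytics-engineers", "type": "Group"}, "role": "Member"},
    {"principal": {"id": "u-0002", "displayName": "bob@contoso.example", "type": "User"}, "role": "Member"},
    {"principal": {"id": "g-0003", "displayName": "sg-report-consumers", "type": "Group"}, "role": "Viewer"},
    {"principal": {"id": "u-0003", "displayName": "carol@contoso.example", "type": "User"}, "role": "Viewer"},
]

WORKSPACE_ROLES = ("Admin", "Member", "Contributor", "Viewer")  # the four Fabric workspace roles
PRIVILEGED_ROLES = ("Admin", "Member")  # roles the post says to avoid overusing


def audit_role_assignments(assignments, max_admins=2):
    """Return (role_counts, findings) for one workspace's role assignments.

    Findings are (severity, message) tuples. Individual users are flagged
    (HIGH when they hold Admin or Member, LOW otherwise), an Admin count
    above max_admins is flagged MEDIUM, and unrecognised roles are HIGH.
    """
    counts = Counter()
    findings = []
    for assignment in assignments:
        principal, role = assignment["principal"], assignment["role"]
        name = principal.get("displayName", principal["id"])
        if role not in WORKSPACE_ROLES:
            findings.append(("HIGH", f"{name}: unrecognised role '{role}'"))
            continue
        counts[role] += 1
        if principal["type"] == "User":
            severity = "HIGH" if role in PRIVILEGED_ROLES else "LOW"
            findings.append((severity, f"{name}: individual user assigned {role}; use an Entra security group"))
    if counts["Admin"] > max_admins:
        findings.append(("MEDIUM", f"{counts['Admin']} Admin assignments exceed the limit of {max_admins}"))
    return counts, findings


if __name__ == "__main__":
    role_counts, audit_findings = audit_role_assignments(SAMPLE_ASSIGNMENTS)
    print(dict(role_counts))
    for severity, message in audit_findings:
        print(f"[{severity}] {message}")
```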

Relationship to Other Security Layers

Workspace-level access controls work alongside:

  • Item-level permissions (e.g., sharing a report)
  • Row-level, column-level, and object-level security in semantic models
  • File-level security in OneLake
  • Capacity-level governance

For exam scenarios, always identify which security layer is being tested.

Common Exam Scenarios to Watch For

You may be asked to:

  • Choose the correct workspace role for a given user persona
  • Identify why a user cannot see or edit workspace content
  • Decide when to use Viewer vs Contributor
  • Understand how workspace roles interact with RLS or file access

Key Exam Takeaways

  • Workspace roles control who can access a workspace and what actions they can perform
  • Admin, Member, Contributor, and Viewer each have distinct permission boundaries
  • Workspace security is broader than item-level sharing
  • Always think workspace first, data second when designing security

Exam Tips

If the question is about who can create, edit, share, or manage content, the answer almost always involves workspace-level access controls.

Expect scenario-based questions that test:

  • Choosing the least-privileged role
  • Understanding the difference between Member vs Contributor
  • Knowing when workspace security is not enough and must be combined with RLS or item-level access

Practice Questions

Question 1 (Single choice)

Which workspace role in Microsoft Fabric allows a user to publish content, manage permissions, and delete the workspace?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: D

Explanation:

  • Admin is the highest workspace role and includes full control, including managing access, deleting the workspace, and assigning roles.
  • Contributors and Members cannot manage workspace-level permissions.
  • Viewers have read-only access.

Question 2 (Scenario-based)

You want analysts to create and edit items (lakehouses, notebooks, reports) but prevent them from managing access or deleting the workspace. Which role should you assign?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: C

Explanation:

  • Members can create, edit, and publish content but cannot manage workspace access or delete the workspace.
  • Contributors have more limited permissions.
  • Admins have excessive privileges for this scenario.

Question 3 (Multi-select)

Which actions are possible for a user assigned the Contributor role? (Select all that apply.)

A. Create new items
B. Edit existing items
C. Manage workspace permissions
D. Publish reports to the workspace

Correct Answers: A, B

Explanation:

  • Contributors can create and edit items.
  • They cannot manage permissions or perform full publishing/administrative actions.
  • Publishing to app audiences or managing access requires Member or Admin.

Question 4 (Scenario-based)

A workspace contains sensitive data. You want executives to view reports only, without seeing datasets, lakehouses, or notebooks. What is the BEST approach?

A. Assign Viewer role
B. Assign Contributor role
C. Assign Member role
D. Assign Admin role

Correct Answer: A

Explanation:

  • Viewer role provides read-only access and prevents exposure to underlying assets beyond consumption.
  • Other roles expose authoring and object-level visibility.

Question 5 (Single choice)

Workspace-level access controls in Fabric are applied to:

A. Individual tables only
B. Semantic models only
C. All items within the workspace
D. Reports published to apps only

Correct Answer: C

Explanation:

  • Workspace-level roles apply across all items in the workspace unless further restricted using item-level or semantic-model security.
  • Finer-grained security must be implemented separately.

Question 6 (Scenario-based)

You need to ensure that workspace access is centrally governed and users cannot self-assign roles. What is the BEST practice?

A. Allow Members to manage access
B. Restrict access management to Admins only
C. Use Viewer roles exclusively
D. Disable workspace sharing

Correct Answer: B

Explanation:

  • Only Admins should manage workspace access for governance and compliance.
  • Members should not be allowed to assign roles in controlled environments.

Question 7 (Multi-select)

Which of the following are valid workspace roles in Microsoft Fabric? (Select all that apply.)

A. Viewer
B. Contributor
C. Member
D. Owner

Correct Answers: A, B, C

Explanation:

  • Valid Fabric workspace roles are Viewer, Contributor, Member, and Admin.
  • “Owner” is not a Fabric workspace role.

Question 8 (Scenario-based)

A user can view reports but receives an error when attempting to open a semantic model directly. What is the MOST likely reason?

A. They are a Contributor
B. They are a Viewer
C. The dataset is in Import mode
D. XMLA endpoint is disabled

Correct Answer: B

Explanation:

  • Viewers can consume reports but may not have permissions to explore or access underlying semantic models directly.
  • This behavior aligns with workspace-level access restrictions.

Question 9 (Single choice)

Which statement about workspace-level access vs. item-level security is TRUE?

A. Workspace access overrides all other security
B. Workspace access is more granular than item-level security
C. Item-level security can further restrict access granted by workspace roles
D. Workspace access only applies to reports

Correct Answer: C

Explanation:

  • Workspace roles grant baseline access, which can then be restricted using item-level security, RLS, or object-level permissions.
  • Workspace access does not override more restrictive controls.

Question 10 (Scenario-based)

You want to minimize administrative overhead while allowing self-service analytics. Which workspace role strategy is MOST appropriate?

A. Assign Admin to all users
B. Assign Member to authors and Viewer to consumers
C. Assign Contributor to executives
D. Assign Viewer to data engineers

Correct Answer: B

Explanation:

  • This is a recommended best practice:
    • Members for authors/builders
    • Viewers for consumers
  • It balances governance and agility while minimizing risk.