Tag: security

DP-700, Microsoft Certification, Microsoft Fabric

Endorse items (DP-700 Exam Prep)

 
This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
   --> Configure security and governance
      --> Endorse items

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.

Introduction

As organizations adopt Microsoft Fabric, the number of available data assets can grow rapidly. Data engineers, analysts, business users, and executives may encounter hundreds or even thousands of reports, semantic models, dashboards, warehouses, lakehouses, notebooks, and other data assets.

A common challenge is determining:

  • Which data assets are trustworthy?
  • Which reports should be used for executive reporting?
  • Which semantic models represent official business definitions?
  • Which datasets have been reviewed and approved?

To address these governance challenges, Microsoft Fabric supports endorsements.

Endorsements help organizations identify trusted and authoritative data assets, making it easier for users to discover and use approved content.

For the DP-700 exam, it is important to understand endorsement types, governance benefits, use cases, and how endorsements differ from security and sensitivity labels.

What Are Endorsements?

An endorsement is a governance feature that allows organizations to identify and promote trusted data assets.

Endorsements help users answer the question:

“Can I trust this data asset?”

Instead of searching through numerous reports and datasets, users can quickly identify endorsed items that have been reviewed and approved.

Purpose of Endorsements

Organizations use endorsements to:

  • Improve data discoverability
  • Promote trusted assets
  • Reduce duplicate reports
  • Encourage consistent reporting
  • Improve governance
  • Increase user confidence
  • Establish authoritative data sources

Endorsement Types

Microsoft Fabric supports two primary endorsement levels:

Promoted

Certified

These endorsement levels indicate different degrees of trust and governance.

Promoted Items

A Promoted item indicates:

  • The content creator believes the item is valuable.
  • The item is recommended for broader use.
  • The item may not have gone through formal governance review.

Think of Promoted as:

Recommended Content

Examples:

  • Frequently used reports
  • Department dashboards
  • Common semantic models
  • Team-approved datasets

Characteristics of Promoted Items

Promoted items:

  • Are easier to discover
  • Indicate useful content
  • Can be designated by authorized users
  • Do not necessarily represent official organizational standards

Example

A Sales team creates a dashboard used by dozens of users.

The dashboard is reliable and widely used.

The owner marks it as:

Promoted

This helps users identify it as recommended content.

Certified Items

Certified is a higher endorsement level.

Certified items have typically undergone formal review and approval processes.

Think of Certified as:

Official Trusted Content

Examples:

  • Executive reporting datasets
  • Enterprise semantic models
  • Corporate KPI reports
  • Official financial dashboards

Characteristics of Certified Items

Certified items:

  • Represent authoritative data
  • Follow governance standards
  • Have undergone validation
  • Are approved by designated governance teams
  • Should be used whenever possible

Example

A Finance semantic model contains:

  • Revenue
  • Expenses
  • Profit
  • Corporate KPIs

The governance team validates the model and certifies it.

The model becomes:

Certified

Users now know it represents official business definitions.

Comparing Promoted and Certified

FeaturePromotedCertified
Recommended by creatorYesYes
Formal review requiredNoYes
Governance approvalOptionalRequired
Official organizational sourceNot necessarilyYes
Highest trust levelNoYes

Why Endorsements Matter

Without endorsements:

Sales Report V1
Sales Report V2
Sales Report Final
Sales Report Final2
Sales Dashboard New

Users may not know which asset to trust.

With endorsements:

Sales Dashboard
(Certified)

The preferred asset becomes obvious.

Supported Fabric Items

Endorsements can be applied to many Fabric assets, including:

  • Semantic Models
  • Reports
  • Dashboards
  • Data Warehouses
  • Lakehouses
  • Dataflows
  • Other supported Fabric artifacts

Supported item types may evolve as Microsoft Fabric continues to expand.

Endorsements and Data Discovery

One major benefit of endorsements is improved discoverability.

Users searching for assets can identify:

  • Promoted content
  • Certified content

This reduces confusion and encourages reuse of trusted assets.

Governance Benefits

Endorsements support governance initiatives by helping organizations:

  • Establish trusted data sources
  • Reduce shadow analytics
  • Minimize duplicate content
  • Improve reporting consistency
  • Promote enterprise standards

Endorsements vs Security Permissions

A common DP-700 exam topic is distinguishing endorsements from security.

EndorsementsPermissions
Identify trusted contentControl access
Governance featureSecurity feature
Improve discoverabilityRestrict usage
Indicate qualityGrant authorization

Example:

A report may be:

Certified

But users still require permissions to access it.

Certification does not grant access.

Endorsements vs Sensitivity Labels

Another frequently tested distinction.

EndorsementsSensitivity Labels
Indicate trustworthinessIndicate sensitivity
Governance and qualityClassification and protection
Help users find trusted contentHelp users identify sensitive content

Example:

Certified Report
Highly Confidential

Both labels may exist simultaneously.

The report is:

  • Trusted (Certified)
  • Sensitive (Highly Confidential)

Endorsements vs Data Lineage

EndorsementsData Lineage
Indicates trustShows data flow
Governance toolDependency tracking tool

Data lineage answers:

Where did this data come from?

Endorsements answer:

Can I trust this asset?

Common DP-700 Exam Scenarios

Scenario 1

Requirement:

Users need to identify official KPI definitions.

Solution:

Use Certified semantic models.

Scenario 2

Requirement:

A department wants to recommend a dashboard without formal review.

Solution:

Use Promoted endorsement.

Scenario 3

Requirement:

An executive dashboard has been validated by the governance team.

Solution:

Apply Certified endorsement.

Scenario 4

Requirement:

A report contains highly sensitive financial information.

Solution:

Apply a sensitivity label.

Not an endorsement.

Endorsement Workflow

A common governance workflow:

Create Asset
Validate Asset
Promote Asset
Governance Review
Certify Asset

This process improves trust and consistency.

Best Practices

Certify Enterprise Assets

Certify:

  • Corporate KPI datasets
  • Financial reports
  • Enterprise semantic models

Promote Useful Content

Promote:

  • Department dashboards
  • Frequently used reports
  • Shared analytics assets

Establish Governance Processes

Define:

  • Who can certify content
  • Review procedures
  • Approval standards

Avoid Certifying Everything

Certification should remain meaningful and reserved for truly authoritative assets.

Combine Governance Features

Use endorsements alongside:

  • Sensitivity labels
  • Lineage tracking
  • Security permissions
  • Data cataloging

DP-700 Exam Focus Areas

You should understand:

✓ Purpose of endorsements

✓ Promoted endorsements

✓ Certified endorsements

✓ Governance benefits

✓ Data discovery improvements

✓ Trusted data sources

✓ Promoted versus Certified

✓ Endorsements versus permissions

✓ Endorsements versus sensitivity labels

✓ Endorsements versus lineage

✓ Common governance scenarios

Practice Exam Questions

Question 1

What is the primary purpose of endorsements in Microsoft Fabric?

A. Encrypt sensitive data

B. Identify trusted and recommended data assets

C. Filter rows of data

D. Control workspace permissions

Answer: B

Explanation

Endorsements help users identify trusted, recommended, and authoritative data assets within Fabric.

Question 2

Which endorsement level represents the highest level of organizational trust?

A. Endorsed

B. Promoted

C. Confidential

D. Certified

Answer: D

Explanation

Certified is the highest endorsement level and indicates formal governance review and approval.

Question 3

A department wants to highlight a useful dashboard without requiring formal governance approval.

Which endorsement should be used?

A. Certified

B. Promoted

C. Confidential

D. Restricted

Answer: B

Explanation

Promoted endorsements indicate recommended content without requiring formal certification processes.

Question 4

What is a key characteristic of a Certified item?

A. It automatically grants workspace access.

B. It is encrypted.

C. It automatically receives a sensitivity label.

D. It has undergone formal validation and approval.

Answer: D

Explanation

Certified items have been reviewed and approved according to organizational governance standards.

Question 5

How do endorsements differ from security permissions?

A. Endorsements classify sensitivity levels.

B. Endorsements indicate trustworthiness, while permissions control access.

C. Endorsements encrypt content.

D. Endorsements implement Row-Level Security.

Answer: B

Explanation

Permissions determine who can access an asset, while endorsements indicate whether the asset is trusted.

Question 6

Which statement about Promoted items is correct?

A. They require formal governance certification.

B. They cannot be used by business users.

C. They indicate content that is recommended for broader use.

D. They automatically become Certified after publication.

Answer: C

Explanation

Promoted items highlight useful and recommended content without formal certification requirements.

Question 7

A governance team reviews and approves an enterprise semantic model that contains official KPI definitions.

Which endorsement should be applied?

A. Public

B. Promoted

C. Internal

D. Certified

Answer: D

Explanation

Certified endorsement is appropriate for formally reviewed and approved enterprise assets.

Question 8

What problem do endorsements primarily help solve?

A. Unauthorized access

B. Data encryption

C. User identification

D. Difficulty identifying trusted content

Answer: D

Explanation

Endorsements help users distinguish trusted assets from numerous available reports and datasets.

Question 9

A report is marked as Certified.

What does this indicate?

A. It is an authoritative and approved data asset.

B. It is automatically encrypted.

C. It is accessible to all users.

D. It contains confidential information.

Answer: A

Explanation

Certification indicates that the asset has been validated and approved as a trusted source.

Question 10

Which statement best describes the relationship between endorsements and sensitivity labels?

A. They are identical governance features.

B. Sensitivity labels replace endorsements.

C. Endorsements indicate trustworthiness, while sensitivity labels indicate data sensitivity.

D. Certified items cannot have sensitivity labels.

Answer: C

Explanation

Endorsements focus on trust and quality, while sensitivity labels focus on classification and protection requirements.

Exam Tip

One of the most common DP-700 exam traps is confusing endorsements, sensitivity labels, and security permissions.

Remember:

RequirementSolution
Identify trusted contentEndorsements
Classify sensitive dataSensitivity Labels
Control who can access dataPermissions
Track data originsLineage

A useful memory aid is:

  • Promoted = Recommended
  • Certified = Official
  • Sensitivity Label = Sensitive
  • Permission = Access

If the exam question focuses on helping users identify the most trustworthy or authoritative asset, the correct answer is often Promoted or Certified endorsement, not a security control.

Go to the DP-700 Exam Prep Hub main page.

BI Administration, Data Security, Microsoft Certification, PL-300, Power BI

Configure Row-Level Security Group Membership (PL-300 Exam Prep)

 
This post is a part of the PL-300: Microsoft Power BI Data Analyst Exam Prep Hub; and this topic falls under these sections:
Manage and secure Power BI (15–20%)
   --> Secure and govern Power BI items
      --> Configure Row-Level Security Group Membership

Note that there are 10 practice questions (with answers and explanations) at the end of each topic. Also, there are 2 practice tests with 60 questions each available on the hub below all the exam topics.

Overview

Configuring Row-Level Security (RLS) group membership is a key governance and scalability topic within the “Manage and secure Power BI (15–20%)” domain of the PL-300: Microsoft Power BI Data Analyst certification exam. This topic builds on basic RLS concepts and focuses on how users are assigned to RLS roles, with an emphasis on using Microsoft Entra ID (Azure AD) security groups instead of individual users.

For the exam, you should understand where RLS roles are defined, where group membership is configured, how group-based RLS behaves, and why it is considered a best practice.

What Is RLS Group Membership?

RLS group membership refers to assigning security groups (rather than individual users) to Row-Level Security roles in a Power BI semantic model. Any user who is a member of the group automatically inherits the data access defined by the role.

This approach:

  • Improves scalability
  • Simplifies administration
  • Aligns with enterprise security standards
  • Reduces ongoing maintenance

Exam Focus: The PL-300 exam strongly favors group-based RLS as the recommended approach.

Where RLS Group Membership Is Configured

Understanding where actions occur is frequently tested.

Power BI Desktop

  • Create RLS roles
  • Define DAX filter expressions
  • No users or groups are assigned here

Power BI Service

  • Assign users or security groups to RLS roles
  • Manage role membership after publishing

Key Distinction:

  • Roles and filters → Desktop
  • Users and groups → Service

Why Use Security Groups for RLS?

Benefits of Group-Based RLS

  • Centralized identity management
    Groups are managed in Microsoft Entra ID, not Power BI.
  • Automatic access updates
    Adding or removing users from a group instantly updates data access.
  • Reduced administrative effort
    No need to modify RLS settings when staff changes.
  • Auditability and compliance
    Easier to review who has access and why.

Exam Tip: If a question asks for the most scalable or best practice approach, choose security groups.

Types of Groups Used in RLS

Supported Group Types

  • Microsoft Entra ID security groups (recommended)
  • Mail-enabled security groups

Not Recommended / Not Supported

  • Distribution lists (not ideal for security)
  • Microsoft 365 groups (not designed for RLS scenarios)

PL-300 Expectation: Know that security groups are the preferred option for RLS role membership.

Assigning Groups to RLS Roles

Step-by-Step (Power BI Service)

  1. Publish the semantic model from Power BI Desktop
  2. In the Power BI Service, open the semantic model
  3. Select Security
  4. Choose an RLS role
  5. Add one or more security groups
  6. Save changes

Once assigned, all group members inherit the role’s data filters.

Group Membership and Dynamic RLS

Group membership is often combined with dynamic RLS for maximum flexibility.

Common Pattern

  • RLS role contains a dynamic filter using USERPRINCIPALNAME()
  • A mapping table links users to business entities (e.g., region, department)
  • A security group controls who is subject to that role

This pattern:

  • Minimizes the number of roles
  • Supports large organizations
  • Separates identity management from data logic

How Group-Based RLS Is Evaluated

When a user opens a report:

  1. Power BI identifies the user’s Entra ID group memberships
  2. The user is matched to assigned RLS roles
  3. The union of all applicable role filters is applied
  4. Only authorized rows are returned

Important Exam Concept:
Users in multiple roles see the combined (union) of allowed data—not the most restrictive set.

Testing Group-Based RLS

In Power BI Desktop

  • Use View as
  • Test role logic only (group membership is not evaluated here)

In Power BI Service

  • Use View as role
  • Or test by signing in as a user who belongs to the group

Exam Awareness: Group membership itself cannot be fully tested in Desktop—only in the Service.

Common Pitfalls (Exam-Relevant)

  • Assigning individual users instead of groups
  • Expecting RLS to apply before publishing
  • Forgetting that group membership changes happen outside Power BI
  • Confusing workspace roles with RLS roles
  • Assuming admins bypass RLS automatically

RLS Group Membership vs Workspace Roles

FeatureWorkspace RolesRLS Group Membership
Controls content access
Controls data visibility
Uses Entra ID groups
Defined in Desktop
Assigned in Service

PL-300 Focus: These are complementary—not interchangeable—security mechanisms.

Governance and Best Practices

  • Always prefer security groups over individuals
  • Use clear, business-aligned group names
  • Keep RLS logic simple and documented
  • Coordinate with identity administrators
  • Review group membership regularly

Common Exam Scenarios

You may be asked to identify:

  • The best way to manage RLS for hundreds of users
  • Why a user gained or lost data access without a model change
  • Where to update access when an employee changes roles
  • How group membership impacts RLS evaluation

Key Takeaways for the PL-300 Exam

  • RLS roles are defined in Power BI Desktop
  • Group membership is configured in the Power BI Service
  • Microsoft Entra ID security groups are the recommended approach
  • Group-based RLS improves scalability and governance
  • Users see the union of all assigned RLS roles
  • RLS applies to all reports and apps using the semantic model

Practice Questions

Go to the Practice Questions for this topic.

BI Administration, Business Intelligence Platform, Data Security, DP-600, Microsoft Certification, Microsoft Fabric

Implement workspace-level access controls in Microsoft Fabric

 
This post is a part of the DP-600: Implementing Analytics Solutions Using Microsoft Fabric Exam Prep Hub; and this topic falls under these sections: 
Maintain a data analytics solution 
    --> Implement security and governance 
        --> Implement workspace-level access controls

To Do:
Complete the related module for this topic in the Microsoft Learn course: Secure data access in Microsoft Fabric

Workspace-level access control is the first and most fundamental security boundary in Microsoft Fabric. It determines who can access a workspace, what actions they can perform, and how they can interact with Fabric items such as Lakehouses, Warehouses, semantic models, reports, notebooks, and pipelines.

For the DP-600 exam, you should clearly understand workspace roles, their permissions, and how workspace security integrates with broader governance practices.

What Are Workspace-Level Access Controls?

Workspace-level access controls define permissions at the workspace scope, applying to all items within that workspace unless further restricted by item-level or data-level security.

These controls are managed through workspace roles, which are assigned to:

  • Individual users
  • Microsoft Entra ID (Azure AD) security groups
  • Distribution lists (limited scenarios)

Workspace Roles in Microsoft Fabric

Microsoft Fabric workspaces use role-based access control (RBAC). There are 4 roles that users can be assigned to for workspace access and each role grants a predefined set of permissions.

1. Admin

Highest level of access

Admins can:

  • Manage workspace settings
  • Add or remove users and assign roles
  • Delete the workspace
  • Control capacity assignment
  • Access and manage all items

Typical use cases

  • Platform administrators
  • Lead analytics engineers

Exam note
Admins automatically have all permissions of lower roles.

2. Member

Full content creation and collaboration role

Members can:

  • Create, edit, and delete Fabric items
  • Publish and update semantic models and reports
  • Share content
  • Run pipelines and notebooks

Members cannot:

  • Delete the workspace
  • Manage capacity settings

Typical use cases

  • Analytics engineers
  • Senior analysts

3. Contributor

Content creation with limited governance control

Contributors can:

  • Create and modify items they have access to
  • Run notebooks, pipelines, and queries
  • Publish reports and datasets

Contributors cannot:

  • Manage workspace users
  • Modify workspace settings

Typical use cases

  • Data analysts
  • Developers contributing content

4. Viewer

Read-only access

Viewers can:

  • View reports and dashboards
  • Read data from semantic models
  • Execute queries if explicitly allowed

Viewers cannot:

  • Create or edit items
  • Publish or share content

Typical use cases

  • Business users
  • Report consumers

Summary table:

RoleDescriptionCan / CannotTypical use cases
Admin– Highest level of access.
– Full workspace administration access including ability to delete.		Admins Can:
– Manage workspace settings
– Add or remove users and assign roles
– Delete the workspace
– Control capacity assignment
– Access and manage all items		– Platform administrators
– Lead analytics engineers
MemberFull content creation and collaboration role.
– Can manage members with same or lower permissions.		Members can:
– Create, edit, and delete Fabric items
– Publish and update semantic models and reports
– Share content
– Run pipelines and notebooks

Members cannot:
– Delete the workspace
– Manage capacity settings		– Analytics engineers
– Senior analysts
Contributor– Content creation with limited governance control
– Can create and manage workspace content		Contributors can:
– Create and modify items they have access to
– Run notebooks, pipelines, and queries
– Publish reports and datasets

Contributors cannot:
– Manage workspace users
– Modify workspace settings		– Data analysts
– Developers contributing content
Viewer– Read-only access to the workspaceViewers can:
– View reports and dashboards
– Read data from semantic models
– Execute queries if explicitly allowed

Viewers cannot:
– Create or edit items
– Publish or share content		– Business users
– Report consumers

How Workspace-Level Security Is Enforced

Workspace-level access controls:

  • Are evaluated before item-level or data-level security
  • Determine whether a user can even see workspace content
  • Apply consistently across all Fabric workloads (Power BI, Lakehouse, Warehouse, Data Factory, Real-Time Analytics)

This makes workspace roles the entry point for all other security mechanisms.

Best Practices for Workspace-Level Access Control

Use Security Groups Instead of Individuals

  • Assign Microsoft Entra ID security groups to workspace roles
  • Simplifies access management
  • Supports scalable governance

Separate Workspaces by Purpose

Common patterns include:

  • Development vs Test vs Production
  • Department-specific workspaces
  • Consumer-only (Viewer) workspaces

Apply Least Privilege

  • Grant users the lowest role necessary
  • Avoid overusing Admin and Member roles

Relationship to Other Security Layers

Workspace-level access controls work alongside:

  • Item-level permissions (e.g., sharing a report)
  • Row-level, column-level, and object-level security in semantic models
  • File-level security in OneLake
  • Capacity-level governance

For exam scenarios, always identify which security layer is being tested.

Common Exam Scenarios to Watch For

You may be asked to:

  • Choose the correct workspace role for a given user persona
  • Identify why a user cannot see or edit workspace content
  • Decide when to use Viewer vs Contributor
  • Understand how workspace roles interact with RLS or file access

Key Exam Takeaways

  • Workspace roles control who can access a workspace and what actions they can perform
  • Admin, Member, Contributor, and Viewer each have distinct permission boundaries
  • Workspace security is broader than item-level sharing
  • Always think workspace first, data second when designing security

Exam Tips

If the question is about who can create, edit, share, or manage content, the answer almost always involves workspace-level access controls.

Expect scenario-based questions that test:

  • Choosing the least-privileged role
  • Understanding the difference between Member vs Contributor
  • Knowing when workspace security is not enough and must be combined with RLS or item-level access

Practice Questions

Question 1 (Single choice)

Which workspace role in Microsoft Fabric allows a user to publish content, manage permissions, and delete the workspace?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: D

Explanation:

  • Admin is the highest workspace role and includes full control, including managing access, deleting the workspace, and assigning roles.
  • Contributors and Members cannot manage workspace-level permissions.
  • Viewers have read-only access.

Question 2 (Scenario-based)

You want analysts to create and edit items (lakehouses, notebooks, reports) but prevent them from managing access or deleting the workspace. Which role should you assign?

A. Viewer
B. Contributor
C. Member
D. Admin

Correct Answer: C

Explanation:

  • Members can create, edit, and publish content but cannot manage workspace access or delete the workspace.
  • Contributors have more limited permissions.
  • Admins have excessive privileges for this scenario.

Question 3 (Multi-select)

Which actions are possible for a user assigned the Contributor role? (Select all that apply.)

A. Create new items
B. Edit existing items
C. Manage workspace permissions
D. Publish reports to the workspace

Correct Answers: A, B

Explanation:

  • Contributors can create and edit items.
  • They cannot manage permissions or perform full publishing/administrative actions.
  • Publishing to app audiences or managing access requires Member or Admin.

Question 4 (Scenario-based)

A workspace contains sensitive data. You want executives to view reports only, without seeing datasets, lakehouses, or notebooks. What is the BEST approach?

A. Assign Viewer role
B. Assign Contributor role
C. Assign Member role
D. Assign Admin role

Correct Answer: A

Explanation:

  • Viewer role provides read-only access and prevents exposure to underlying assets beyond consumption.
  • Other roles expose authoring and object-level visibility.

Question 5 (Single choice)

Workspace-level access controls in Fabric are applied to:

A. Individual tables only
B. Semantic models only
C. All items within the workspace
D. Reports published to apps only

Correct Answer: C

Explanation:

  • Workspace-level roles apply across all items in the workspace unless further restricted using item-level or semantic-model security.
  • Finer-grained security must be implemented separately.

Question 6 (Scenario-based)

You need to ensure that workspace access is centrally governed and users cannot self-assign roles. What is the BEST practice?

A. Allow Members to manage access
B. Restrict access management to Admins only
C. Use Viewer roles exclusively
D. Disable workspace sharing

Correct Answer: B

Explanation:

  • Only Admins should manage workspace access for governance and compliance.
  • Members should not be allowed to assign roles in controlled environments.

Question 7 (Multi-select)

Which of the following are valid workspace roles in Microsoft Fabric? (Select all that apply.)

A. Viewer
B. Contributor
C. Member
D. Owner

Correct Answers: A, B, C

Explanation:

  • Valid Fabric workspace roles are Viewer, Contributor, Member, and Admin.
  • “Owner” is not a Fabric workspace role.

Question 8 (Scenario-based)

A user can view reports but receives an error when attempting to open a semantic model directly. What is the MOST likely reason?

A. They are a Contributor
B. They are a Viewer
C. The dataset is in Import mode
D. XMLA endpoint is disabled

Correct Answer: B

Explanation:

  • Viewers can consume reports but may not have permissions to explore or access underlying semantic models directly.
  • This behavior aligns with workspace-level access restrictions.

Question 9 (Single choice)

Which statement about workspace-level access vs. item-level security is TRUE?

A. Workspace access overrides all other security
B. Workspace access is more granular than item-level security
C. Item-level security can further restrict access granted by workspace roles
D. Workspace access only applies to reports

Correct Answer: C

Explanation:

  • Workspace roles grant baseline access, which can then be restricted using item-level security, RLS, or object-level permissions.
  • Workspace access does not override more restrictive controls.

Question 10 (Scenario-based)

You want to minimize administrative overhead while allowing self-service analytics. Which workspace role strategy is MOST appropriate?

A. Assign Admin to all users
B. Assign Member to authors and Viewer to consumers
C. Assign Contributor to executives
D. Assign Viewer to data engineers

Correct Answer: B

Explanation:

  • This is a recommended best practice:
    • Members for authors/builders
    • Viewers for consumers
  • It balances governance and agility while minimizing risk.