Domain 1: Maintain a Data Analytics Solution

Workspace Access Controls

Secure your Fabric workspace. Workspace roles, item-level permissions, and the principle of least privilege: the first layer of Fabric security.

Securing Fabric workspaces

Simple explanation

Think of workspace security like access cards in an office building.

Some people have a master key (Admin): they can open every door. Others have a team card (Member): they can access their floor but not the server room. Visitors get a guest badge (Viewer): they can walk around and look, but they cannot change anything.

In Fabric, workspace roles are the access cards. They control who can create, modify, share, and view items in the workspace. Item-level permissions are like individual office locks: even if you have floor access, some rooms require additional approval.

Workspace roles

Admin > Member > Contributor > Viewer: grant the minimum needed

| Capability | Admin | Member | Contributor | Viewer |
|---|---|---|---|---|
| View items and read data | Yes | Yes | Yes | Yes |
| Create and edit items | Yes | Yes | Yes | No |
| Share items with others | Yes | Yes | No | No |
| Manage workspace settings and roles | Yes | No | No | No |
| Delete workspace | Yes | No | No | No |
| Publish content | Yes | Yes | Yes | No |

Best practices

  • Viewers for report consumers
  • Contributors for data engineers and report builders
  • Members for team leads who need to share content
  • Admins for workspace owners only (1-2 people)
  • Use Entra ID security groups for scalable management
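
The following added example (not part of the original module and not Microsoft code) turns the role table and best practices above into a least-privilege audit. The principal names, the `kind` and `needs` fields, and the export format are hypothetical; no Fabric API is called.

```python
# Added example (not Microsoft code): least-privilege audit of workspace roles.
# Capability sets are transcribed from the workspace roles table on this page.
ROLES = ["Viewer", "Contributor", "Member", "Admin"]  # least privileged first
CAPS = {
    "Viewer": {"view"},
    "Contributor": {"view", "edit", "publish"},
    "Member": {"view", "edit", "publish", "share"},
    "Admin": {"view", "edit", "publish", "share", "manage", "delete"},
}
MAX_ADMINS = 2  # best practice above: Admins for workspace owners only (1-2 people)

# Constructed sample export; principals, kinds and needs are hypothetical.
SAMPLE = [
    {"principal": "sg-finance-readers", "kind": "group", "role": "Viewer", "needs": {"view"}},
    {"principal": "sg-data-eng", "kind": "group", "role": "Member", "needs": {"view", "edit", "publish"}},
    {"principal": "lead@example.com", "kind": "user", "role": "Member", "needs": {"view", "edit", "share"}},
    {"principal": "owner1@example.com", "kind": "user", "role": "Admin", "needs": {"manage"}},
    {"principal": "owner2@example.com", "kind": "user", "role": "Admin", "needs": {"manage"}},
    {"principal": "intern@example.com", "kind": "user", "role": "Admin", "needs": {"view"}},
]


def minimum_role(needs):
    """Return the least privileged role whose capabilities cover `needs`."""
    for role in ROLES:
        if needs <= CAPS[role]:
            return role
    raise ValueError(f"no workspace role grants {sorted(needs)}")


def audit(assignments):
    """Return (principal, finding) pairs for departures from the best practices."""
    findings = []
    admins = [a["principal"] for a in assignments if a["role"] == "Admin"]
    if len(admins) > MAX_ADMINS:
        findings.append(("workspace", f"{len(admins)} Admins, expected at most {MAX_ADMINS}"))
    for a in assignments:
        best = minimum_role(a["needs"])
        if ROLES.index(a["role"]) > ROLES.index(best):
            findings.append((a["principal"], f"over-privileged: {a['role']} -> {best}"))
        elif ROLES.index(a["role"]) < ROLES.index(best):
            findings.append((a["principal"], f"role too low: {a['role']} -> {best}"))
        # Admins are named owners on this page, so only other roles are checked here.
        if a["kind"] == "user" and a["role"] != "Admin":
            findings.append((a["principal"], "direct user assignment: use an Entra ID security group"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit(SAMPLE):
        print(f"{principal}: {finding}")
```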

Item-level permissions

You can share specific items with users who are NOT workspace members:

| Permission | What It Grants |
|---|---|
| Read | View the report or query the model |
| Build | Create new reports on top of a shared semantic model |
| Reshare | Share the item with other users |

Exam tip: Build permission

Build lets a user create their own reports using a shared semantic model. It does NOT let them edit the model. Build is granted via item sharing, NOT via workspace roles. A workspace Viewer + model Build permission = can view reports AND create their own.

Question

What are the four Fabric workspace roles?

Answer

Admin > Member > Contributor > Viewer. Admin manages everything. Member can share. Contributor can create/edit. Viewer can only read.

Question

What does Build permission on a semantic model allow?

Answer

Build lets a user create new reports using the shared semantic model as a data source. It does NOT let them edit the model itself.

Question

What is the difference between workspace-level and item-level permissions?

Answer

Workspace roles apply to ALL items in the workspace (coarse). Item-level permissions (Read, Build, Reshare) apply to specific items and can be granted to users outside the workspace. Use item sharing for cross-workspace collaboration.

Knowledge Check

James needs a junior analyst to build reports but NOT share them externally. Which role?

Knowledge Check

Raj at Atlas Capital shares a semantic model with 20 analysts via item sharing with Build permission. The analysts are NOT workspace members. Can they create reports on the model?
