A Beginner’s Guide to Controlling User Access in Microsoft Fabric
You control user access in Microsoft Fabric by assigning roles and permissions to each person or group. This ensures your data stays secure and enables effective collaboration. Microsoft Fabric is trusted by 25,000 companies, including 67% of Fortune 500 companies, to manage data and facilitate teamwork. Without properly setting roles or permissions, users might access private data or violate policies. Workspace roles and permission levels allow you to determine who can view, modify, or share information.
Key Takeaways
Give users and groups clear roles so you can control what they do in Microsoft Fabric workspaces.
Set permission levels to fit each person’s job. Use scopes like workspace, item, and database.
Use security groups to manage access for many users. This helps keep permissions the same for everyone.
Use detailed security like item-level and row-level permissions. This helps protect important data.
Follow best practices like least privilege and check permissions often. This keeps your data safe and organized.
User Access Model
Roles Overview
It is important to know the main roles in Microsoft Fabric. Each role has its own jobs and tools. Giving someone the right role helps you control their actions in your workspace. The table below lists the most common roles and what they do:
Tip: Give each person a role that matches their work. This helps keep your data safe and your team working well.
Permission Levels
Once you give out roles, you need to set permission levels. Permission levels tell you what users can do. You control User Access by picking the right permission for each person or group. The table below shows the main permission types and what they mean:
You can pick access levels like User, Business Unit, or Organization. For example, a Data Analyst may only need Read and Write access. A Data Engineer might need Create and Delete permissions. Always check User Access settings so each person has what they need for their job.
Permission Scopes
Knowing about permission scopes helps you control actions in Microsoft Fabric. Each scope sets rules for what people can do. You can control access at the workspace, item, or database level.
Workspace Scope
Workspaces are like folders for your data projects. You choose who can make, change, or see things in each workspace. This scope is important for teamwork and keeping things safe.
Tip: Group similar content in workspaces. This helps you control who can see or use it.
Item Scope
You can set permissions for single items, like reports or datasets. This gives you more control over each thing.
Microsoft Fabric has two kinds of item scopes:
Generic scopes work for all items, like:
Item.Read.All – lets you see all items
Item.ReadWrite.All – lets you see and change all items
Item.Execute.All – lets you run all items
Item.Reshare.All – lets you share all items
Specific scopes are for certain items, like:
Notebook.ReadWrite.All – lets you see and change all notebooks
Report.Read.All – lets you see all reports
You use these scopes with REST API calls. A user or an admin must consent to these permissions on the Azure AD app registration.
Database Scope
Database scope lets you control who can use tables and other database parts. You can use SQL permissions and roles for this.
Give a Microsoft Entra group Read permission on the database.
Make a custom database role, like CustomerDataViewer, and let it SELECT a table.
Add a database user for the group.
Put the user in the custom role.
Now, group members can only see the allowed data.
You can use the Microsoft Fabric portal UI to set roles and permissions without SQL.
This way, you give people only the access they need.
Note: Database scope is good for report developers and app groups who need different access levels.
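The database-scope steps above written out in T-SQL, followed by two catalog queries that confirm what was granted. This is an added example, not code from the original guide. The group name [Customer Data Viewers] and the table SalesLT.Customer are hypothetical, and it assumes the database's SQL endpoint accepts CREATE USER ... FROM EXTERNAL PROVIDER.

```sql
-- Added example. Hypothetical names: the Entra group [Customer Data Viewers]
-- and the table SalesLT.Customer. CustomerDataViewer is the role from the steps.
-- Step 1 (Read permission on the database for the group) is granted by
-- sharing the database item with the group, not in SQL.

-- Step 2: custom role that may only SELECT from one table.
CREATE ROLE CustomerDataViewer;
GRANT SELECT ON OBJECT::SalesLT.Customer TO CustomerDataViewer;

-- Step 3: database user mapped to the Microsoft Entra group.
CREATE USER [Customer Data Viewers] FROM EXTERNAL PROVIDER;

-- Step 4: put the group's user in the custom role.
ALTER ROLE CustomerDataViewer ADD MEMBER [Customer Data Viewers];

-- Check 1: list the members of the role.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'CustomerDataViewer';

-- Check 2: list the object permissions held by the role.
SELECT pr.name                         AS grantee,
       pe.state_desc,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'CustomerDataViewer'
  AND pe.class_desc = 'OBJECT_OR_COLUMN';
```

Rerun the two check queries during permission reviews. Any row beyond the single SELECT grant means the role has grown past what the steps intended.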
Assign Roles
To control what people can do in Microsoft Fabric, you start by giving out the right roles. You can add users or groups to your workspace. Using security groups makes User Access simple and safe. Follow these steps to set up your workspace for teamwork.
Add Users or Groups
You can let people or groups join your workspace. This lets them work with your data and reports. Adding groups instead of single users makes User Access easier as your team gets bigger.
Step-by-step: Add Users or Groups to a Workspace
Open Microsoft Fabric and find your workspace.
Go to the "Access" or "Permissions" tab.
Click "Add" to invite users or groups.
Type in the email address or group name.
Pick a role for each person or group (Admin, Member, Contributor, Viewer).
Save your changes.
Tip: Give roles to groups, not just people. This makes it easier to change permissions when your team changes.
Here is a table with best ways to add users or groups:
Manage Workspace Roles
Managing workspace roles helps you decide who can make, change, or see things. You can set up roles for each workspace to fit your team.
How to Manage Workspace Roles:
Give clear roles for who owns and takes care of content. This means you pick who creates, keeps, and protects workspace content.
Let teams handle their own workspaces. This gives each group control over their data and projects.
Use role-based access control (RBAC) with Microsoft Entra ID and security groups. This makes giving out roles faster and safer.
Organize workspaces by team, project, or data type. This keeps things neat and easy to manage.
Use groups linked to workspace roles. This helps you grow as your team gets bigger.
Manage the workspace lifecycle by using separate development, test, and production workspaces. This keeps your data safe and your projects sorted.
Note: The Microsoft Fabric Admin Portal works with the Microsoft 365 admin center. You can manage users, groups, and roles in one place. This makes User Access easy and quick.
Use Security Groups
Security groups help you give access to many people at once. You can give a role to a group, and everyone in that group gets the same permissions. This saves time and helps avoid mistakes.
Why Use Security Groups?
Giving roles to security groups means you only update the group when people join or leave.
All group members get the same permissions, so User Access stays the same.
You can check and manage permissions by looking at group members, not each user.
Microsoft Entra lets you make special groups for roles, making your workspace safer.
If someone is in more than one group, they get the highest permission level.
Tip: Use Microsoft 365 security groups to manage workspace access in Fabric. This helps you handle roles as your team grows.
Integration with Microsoft 365
Microsoft Fabric works with Microsoft 365 to manage users and groups. You can add or remove users, give licenses, and set admin roles from the Microsoft 365 admin center. Workspace admins can give or take away permissions for data and items. Tenant settings let you control platform access for your whole company or just some teams.
Callout: The Fabric Admin Portal is your main place to manage users, groups, and permissions. You can also use PowerShell or SDKs for advanced tasks and automation.
Granular Security
Granular security in Microsoft Fabric lets you pick who can see or change your data. You can make rules for single items, rows, or columns. This helps keep private information safe and follow rules.
Item Permissions
You can let people use certain items like reports, lakehouses, or warehouses. They do not need to be workspace members. You choose who can see or edit each item. For example, one user may only see one table in a lakehouse. You do this with SQL policies and object-level security.
Tip: Give item-level permissions to share only what is needed. This keeps your data safer and easier to handle.
Row-Level Security
Row-level security (RLS) lets you pick which rows in a table each user can see. You set up rules so users only see their own data. For example, workers can see only their department’s data. RLS works at the database level, so it protects your data in all apps, even Power BI.
RLS uses roles and rules to filter data.
You make security policies that decide which rows each user can see.
Users never see rows they are not allowed to view.
This keeps your private data hidden from people who should not see it. It also makes your security stronger.
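The department example above, as a row-level security policy in standard T-SQL. This is an added example, not code from the original guide. The objects dbo.EmployeeData (with a Department column), Security.UserDepartment and the sample user names are hypothetical, and it assumes USER_NAME() returns the same sign-in name that is stored in the mapping table.

```sql
-- Added example. Hypothetical objects: dbo.EmployeeData, Security.UserDepartment.
-- GO is the batch separator used by SSMS and sqlcmd.
CREATE SCHEMA Security;
GO

-- Mapping of sign-in name to the department that user may read.
CREATE TABLE Security.UserDepartment (
    UserName   varchar(128) NOT NULL,
    Department varchar(50)  NOT NULL
);
INSERT INTO Security.UserDepartment (UserName, Department)
VALUES ('ana@contoso.example', 'Finance'),  -- constructed sample rows
       ('raj@contoso.example', 'Sales');
GO

-- Predicate: yields a row only when the current user is mapped to the
-- department of the row being read. Assumes USER_NAME() matches UserName.
CREATE FUNCTION Security.fn_department_filter (@Department AS varchar(50))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS allowed
    FROM Security.UserDepartment AS ud
    WHERE ud.Department = @Department
      AND ud.UserName = USER_NAME();
GO

-- Policy: apply the predicate as a filter on every read of the table.
-- A user with no mapping row matches nothing, so the policy fails closed.
CREATE SECURITY POLICY Security.DepartmentFilter
ADD FILTER PREDICATE Security.fn_department_filter(Department)
ON dbo.EmployeeData
WITH (STATE = ON);
GO

-- Review query: which policies exist and whether they are switched on.
SELECT name, is_enabled FROM sys.security_policies;
```

Restrict write access to Security.UserDepartment, because anyone who can edit the mapping table can change which rows they see.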
Audit Access
Auditing helps you see who looked at your data and what they changed. Microsoft Fabric gives you audit logs in the Data Warehouse. Workspace admins and users with audit permissions can see things like permission changes, logins, and data updates.
You can set up audit action groups to watch for important events.
Audit logs help you follow legal and company rules.
Admins can check logs to find problems or see if someone got in without permission.
Note: Always check audit logs often. This helps you find problems early and keeps your data safe.
Troubleshooting and Best Practices
Common Issues
You might run into some usual problems with User Access in Microsoft Fabric. Knowing about these problems helps you fix them fast and keep your data safe.
Sometimes, it is not clear who owns a workspace. This can make people unsure about who controls data and settings.
Setting up security rules for all your environments can be hard. It is tough to make rules work for both development and production.
Some users get more permissions than they really need. This can cause mistakes or changes you do not want.
Making sure people only read data can be tricky. If you do not set roles right, workspace members might still change things.
Giving security for shortcut tables needs extra steps. You have to give access to the source lakehouse too.
Keeping roles separate and limiting access gets harder as your team grows.
Tip: Try using a hub-and-spoke workspace setup. Keep your development, testing, and production workspaces apart. Give clear roles like Owner, Contributor, and Viewer. This makes it easier to handle permissions and stop mistakes.
Least Privilege Principle
You should always use the least privilege principle. This means you only give users the permissions they need for their jobs.
Give the Viewer role if someone just needs to see data. Only give Contributor or Admin roles if users must change or manage things.
Take away default Contributor access from workspace identities. Give roles based on what people really need.
Check workspace identities often. Make sure no one has more access than they should.
Limiting permissions lowers the risk of attacks or mistakes. It also keeps your system steady and easier to handle.
Note: Using the least privilege principle lowers the chance of security problems. It also helps you follow company rules and pass audits.
Review Permissions
Checking permissions often keeps your environment safe and follows the rules.
Look at your role-based access control (RBAC) settings often. Make sure each user or group has the right access.
Use Microsoft Entra ID for logging in and detailed access control.
Turn on multi-factor authentication (MFA) for extra safety.
Manage secrets like passwords and certificates with Azure Key Vault. Only let the right people see or use them.
Set up naming rules and tagging policies. This helps you track and handle resources.
Treat your cluster and workspace settings like code. Use templates to keep security the same everywhere.
Callout: Checking permissions often and using groups for management keeps User Access simple and safe. This also helps you meet security and compliance needs.
To control User Access in Microsoft Fabric, do these things:
Turn on tenant settings to keep access safe.
Give out permissions with workspace roles and item controls.
Check permissions often so your data stays safe.
Always look at permissions to keep things secure. Learn from guides like the
FAQ
How do you remove a user from a workspace?
Go to your workspace. Click the "Access" tab. Find the user you want to remove. Click the trash icon next to their name. Confirm your choice. The user will lose access right away.
Can you assign different roles to the same user in different workspaces?
Yes, you can. Assign a user as an Admin in one workspace and as a Viewer in another. Each workspace has its own role settings. This helps you control access for each project.
What happens if you add a user to multiple security groups?
The user gets the highest permission from all groups. For example, if one group gives Viewer and another gives Contributor, the user becomes a Contributor. Always check group memberships to avoid giving too much access.
How do you check who has access to a workspace?
Open your workspace. Click on "Access" or "Permissions." You will see a list of users and groups with their roles. Review this list often to keep your data safe.
Do you need to use Microsoft 365 groups for access control?
You do not have to use Microsoft 365 groups, but they help. Groups make it easier to manage permissions for many users. You can add or remove people from the group instead of changing each user’s access.