Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Learn more

Reply
junshou-leow
Frequent Visitor

Best Pratices for Fabric deployment pipeline with direct lake semantic model

‎08-01-2024 07:21 PM

Hi everyone,

I’m currently working on a Fabric solution that consists of four key artifacts:

  1. Dataflow Gen 2: This gathers data from external sources and stores it in the Lakehouse.
  2. Lakehouse: Acts as the main repository for all the data.
  3. DirectLake Semantic Model: Built on top of the Lakehouse.
  4. Power BI Report: Created from the DirectLake Semantic Model.

All four artifacts are currently housed in the same workspace within the development environment. I’m looking for best practices on how to deploy these artifacts to production. The goal is to ensure that users only have access to the Power BI report in the production environment.

 

Should I grant viewer access to users in the development environment, so they have the right to read the Lakehouse data, and then also allow them to view the report in production?

 

I’d appreciate any insights or recommendations on how to best approach this deployment while maintaining a secure and efficient workflow.

 

Thanks in advance!

Labels:
Message 1 of 3
2,796 Views
0
1 ACCEPTED SOLUTION
frithjof_v
Super User
Super User

‎08-03-2024 12:48 AM

Regarding CI/CD:

I don't think your report in prod environment should use any data from a dev environment. I think the report in production should only use data from a production environment.

I think in Fabric, the ways to move items from dev to prod workspaces is either by Git or Deployment pipelines. The third and manual option (generally not recommended) is to manually download and import items in the prod workspace, or recreate items manually from scratch in the prod workspace.

 

Regarding direct lake semantic model:

Create a custom (new) direct lake semantic model. Don't use the default direct lake semantic model. Please consider voting for this idea: https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=b0d89799-fceb-ee11-a73d-000d3a012188

 

Regarding sharing of the report:

 

I have experience with the traditional Power BI, where we use import mode. (Also in Fabric, I'd recommend to consider using import mode semantic models).

 

I would not recommend giving the end users workspace access.

In my opinion, giving an end user workspace access (including viewer role) gives the end user too much access to items and data in the workspace. Check out these docs and also Zoe Douglas' great blog post which I have linked below. The blog post is about RLS but it also explains many other concepts related to sharing of Direct Lake reports.

 

I think of workspaces as a room only for the developers, not for the consumers. So I don't recommend to give end users access to the workspace.

 

Instead, I think a best practice is to use Workspace app to share the report with end users.

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

 

Anyway, it's also important to recognize that security is defined on the Fabric workload that's being used to serve the data. For example, when you share a report, you also share access to the semantic model below. Read more here: 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

This is a good reason to consider carefully which data you include in the semantic model, and to apply RLS and OLS if required.

 

What are the best practices for sharing reports which are built on direct lake semantic models? I don't have experience with this. However, here are some articles and documentation, and my impression is that the first one is very good:

 

https://www.datazoepowerbi.com/post/setting-up-rls-on-a-direct-lake-semantic-model

(I think this one is very interesting! It also discusses other security related topics other than just RLS. Read the whole article.).

 

https://learn.microsoft.com/en-us/fabric/get-started/lakehouse-power-bi-reporting

(This one also talks about options for direct lake sharing)

 

https://youtu.be/xuEYxJ5gkGA?si=He9Ty5SYEXNwisT-

(Here's a Guy In A Cube video which shows this)

 

https://learn.microsoft.com/en-us/fabric/get-started/direct-lake-overview#single-sign-on-sso-enabled...

 

https://learn.microsoft.com/en-us/fabric/get-started/direct-lake-fixed-identity

 

If I understand the blog, video and documentation correctly, then you can create a fixed identity for the semantic model. That way you don't need to give the end users direct access to the Lakehouse data, instead you can just share the report with the end users (preferably through a Workspace App).

View solution in original post

Message 2 of 3
2,758 Views
2 REPLIES 2
Anonymous
Not applicable

‎08-04-2024 07:01 PM

HI @junshou-leow,

I'd like to suggest you create and design the Lakehouse at the develop level and push it to the production level.
Then you can use the production level Lakehouse to create semantic model and design power bi report with 'directlake' model.

After these steps, you can assign users permissions to the semantic model and reports.
Regards,

Xiaoxin Sheng

Message 3 of 3
2,715 Views
0
frithjof_v
Super User
Super User

‎08-03-2024 12:48 AM

Regarding CI/CD:

I don't think your report in prod environment should use any data from a dev environment. I think the report in production should only use data from a production environment.

I think in Fabric, the ways to move items from dev to prod workspaces is either by Git or Deployment pipelines. The third and manual option (generally not recommended) is to manually download and import items in the prod workspace, or recreate items manually from scratch in the prod workspace.

 

Regarding direct lake semantic model:

Create a custom (new) direct lake semantic model. Don't use the default direct lake semantic model. Please consider voting for this idea: https://ideas.fabric.microsoft.com/ideas/idea/?ideaid=b0d89799-fceb-ee11-a73d-000d3a012188

 

Regarding sharing of the report:

 

I have experience with the traditional Power BI, where we use import mode. (Also in Fabric, I'd recommend to consider using import mode semantic models).

 

I would not recommend giving the end users workspace access.

In my opinion, giving an end user workspace access (including viewer role) gives the end user too much access to items and data in the workspace. Check out these docs and also Zoe Douglas' great blog post which I have linked below. The blog post is about RLS but it also explains many other concepts related to sharing of Direct Lake reports.

 

I think of workspaces as a room only for the developers, not for the consumers. So I don't recommend to give end users access to the workspace.

 

Instead, I think a best practice is to use Workspace app to share the report with end users.

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-create-distribute-apps

 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

 

Anyway, it's also important to recognize that security is defined on the Fabric workload that's being used to serve the data. For example, when you share a report, you also share access to the semantic model below. Read more here: 

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-how-to-collaborate-distribute-d...

This is a good reason to consider carefully which data you include in the semantic model, and to apply RLS and OLS if required.

 

What are the best practices for sharing reports which are built on direct lake semantic models? I don't have experience with this. However, here are some articles and documentation, and my impression is that the first one is very good:

 

https://www.datazoepowerbi.com/post/setting-up-rls-on-a-direct-lake-semantic-model

(I think this one is very interesting! It also discusses other security related topics other than just RLS. Read the whole article.).

 

https://learn.microsoft.com/en-us/fabric/get-started/lakehouse-power-bi-reporting

(This one also talks about options for direct lake sharing)

 

https://youtu.be/xuEYxJ5gkGA?si=He9Ty5SYEXNwisT-

(Here's a Guy In A Cube video which shows this)

 

https://learn.microsoft.com/en-us/fabric/get-started/direct-lake-overview#single-sign-on-sso-enabled...

 

https://learn.microsoft.com/en-us/fabric/get-started/direct-lake-fixed-identity

 

If I understand the blog, video and documentation correctly, then you can create a fixed identity for the semantic model. That way you don't need to give the end users direct access to the Lakehouse data, instead you can just share the report with the end users (preferably through a Workspace App).

Message 2 of 3
2,759 Views

Helpful resources

Announcements
Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

October Fabric Update Carousel

Fabric Monthly Update - October 2025

Check out the October 2025 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All