I am testing who is able to see what in our Fabric environment. My end goal is to be able to have people view reports, without being able to directly view the Semantic Model or Lakehouse tables.
In a single workspace, I have a lakehouse, a semantic model using data from that lakehouse, and a report using the semantic model.
My test user keeps seeing the below message when trying to access the report (see screenshot below):
Error fetching data for this visual
You don't have permission to view the content of Direct Lake table
I have tried these steps to grant them access:
- Granting access to the report via "manage permissions", with the "Allow recipients to share this report" and "Allow recipients to build content with the data associated with this report" options turned OFF
- Granting access to the semantic model via "manage permissions", with the "Allow recipients to modify this semantic model", "Allow recipients to share this semantic model", and "Allow recipients to build content with the data associated with this semantic model" options turned OFF
- Granting access to the Lakehouse via "manage permissions, with the "Read all SQL endpoint data", "Read all Apache Spark and subscribe to events", and "Build reports on the default semantic model" options turned OFF
- Adding as a Viewer to the Workspace
I would have expected the first option would be sufficient for them to see the data in the report, and certainly the final option of adding them as a viewer at the Workspace level.
Have a missed something in the setup, or are some of the options I have kept switched off likely to a) override the Workspace permissions, or b) affect the ability to view reports even though their names don't suggest that they would?
Your semantic model is consuming data from lake right? Which creditentials are used there?
The screenshot that you've shared is for the permission regarding Semantic Model, not regarding how the semantic model connects to the underlying datastore (in that case Lake). But the error you are getting is related with "semantic model's default access to the data."
In your semantic model, you should have a creditential which you use to connect to the lake. The default connection is created using a SSO, means it impersonates the user which is viewing the report.
When you create a service principal (aka fixed identity) to use instead of SSO, when user views your report, instead of using the SSO of the User, it uses the service principal to access onelake.
Check which creditentials are being used/if SSOS is being used by your Semantic Model while connecting to the datasource, doing this:
Alternatively you can create a Workspace Identity (which is also a Service Principal), if you haven't yet:
After that navigate back to the Semantic Model Settings, and choose "Create a connection".
On that screen give it a name, select Workspace Identity, and make sure that SSO is not checked:
Finally, select that one and hit apply:
Give this a try and let us know the outcomes.
😊If this post helped you, feel free to give it some Kudos! 👍
✅And if it answered your question, please mark it as the accepted solution.
Your semantic model is consuming data from lake right? Which creditentials are used there?
The screenshot that you've shared is for the permission regarding Semantic Model, not regarding how the semantic model connects to the underlying datastore (in that case Lake). But the error you are getting is related with "semantic model's default access to the data."
In your semantic model, you should have a creditential which you use to connect to the lake. The default connection is created using a SSO, means it impersonates the user which is viewing the report.
When you create a service principal (aka fixed identity) to use instead of SSO, when user views your report, instead of using the SSO of the User, it uses the service principal to access onelake.
Check which creditentials are being used/if SSOS is being used by your Semantic Model while connecting to the datasource, doing this:
Alternatively you can create a Workspace Identity (which is also a Service Principal), if you haven't yet:
After that navigate back to the Semantic Model Settings, and choose "Create a connection".
On that screen give it a name, select Workspace Identity, and make sure that SSO is not checked:
Finally, select that one and hit apply:
Give this a try and let us know the outcomes.
😊If this post helped you, feel free to give it some Kudos! 👍
✅And if it answered your question, please mark it as the accepted solution.
"You have to use a service principal or a fixed identity for Direct Lake authentication instead of the individual user's identity (SSO)."
Can you expand on this, please? I don't know the difference between "fixed identity" and "individual users' identities". Our users only have a single identity, and I have granted permissions to the semantic model from here:
When I start to type into the email box, it presents a list of staff email addresses.
From the link you shared, I think that aligns with the second option here- "Grant report consumers viewer role on both the report and semantic model individually.":
Permissions to view report only
Use a fixed identity to the Fabric item on the semantic model, and publish the report.
App option: Publish an app from the workspace with the report. Only give report consumers permission in the app.
Item option: Grant report consumers viewer role on both the report and semantic model individually.
Helpful resources
Fabric Monthly Update - April 2026
Check out the April 2026 Fabric update to learn about new features.
Data Days 2026 coming soon!
Sign up to receive a private message when registration opens and key events begin.
New to Fabric Survey
If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.
