Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric certified for FREE! Don't miss your chance! Learn more

Reply
ak-5537
New Member

Seeking advice on structuring workspaces for centralized data & departmental self-service

Monday

Hi everyone,

We currently operate an MVP data platform designed around a medallion architecture. All processing runs in a single workspace and is orchestrated through a metadata-driven master pipeline. Operational metadata, monitoring, and watermarks are stored in a Fabric SQL database.

As we prepare the platform for production, I'd really appreciate advice on how best to organize the workspaces. The key requirements are:

  1. Centralized Gold layer
    The platform should produce centralized Gold tables that can be reused across departments.

  2. Central ownership of semantic models and reports
    The data engineering team (2 people) will develop and own centralized semantic models and reports. Access to reports and models will likely need to be restricted by department, so that different business teams see different content.

  3. Department-level reuse and self-service
    Departments should be able to:

    • Reuse centralized semantic models to build their own reports

    • Consume and reuse centrally managed reports

    • Potentially publish and share reports within their own department in the future

Our end users are not highly technical. Today, most of their work is done in Excel, but they are going through training. We want to give them enough freedom to experiment while still keeping the platform governed and manageable. Departments are relatively small, typically 8-10 users.

Currently, I'm considering a Hub-and-Spoke workspace model with three main workspace types: HUB, REPORTING_HUB, and SPOKE (per department).

draft_workspace_design.png

HUB workspace

  • Contains the core data platform (Bronze/Silver/Gold processing).
  • Has two main environments: TEST and PROD
  • Feature development is done in temporary FEATURE workspaces
  • Responsible for producing centralized Gold tables
  • Data access to Gold tables would be manages with OneLake security


REPORING_HUB workspace

  • Contains:
    • A Lakehouse with shortcuts to the centralized Gold data
    • Centralized semantic models
    • Centrally managed reports
  • Also split into TEST and PROD, with development done in temporary FEATURE workspaces
  • Uses Org Apps to distribute reports to relevant user groups, with access scoped by department


SPOKE workspaces(per department)

  • Each department has:
    • A Lakehouse with shortcuts to the centralized Gold data (relevant for the Department)
    • A shared DEV workspace for experimentation and report development
    • A PROD workspace for published departmental content
  • Promotion from DEV to PROD is handled via Fabric deployment pipelines.
  • Business users are granted Build permissions on centralized semantic models relevant to their role, allowing them to:
    • Create their own reports on top of the centralized models
    • Copy and adapt centrally managed reports
    • (In the future) publish and share reports within their own department

Questions:

1. Does the proposed Hub / Reporting Hub / Spoke workspace model align with good practices for a production data platform?

2. Am I missing anything important (for example around security, governance, scaling as more department are added, or deployment perspective)?
3. Are there any recommended improvements or adjustments to the workspace structure?


Thank you in advance for your time and feedback!

Labels:
Message 1 of 3
144 Views
0
2 REPLIES 2
v-tejrama
Community Support
Community Support

Thursday

Hi @ak-5537 ,


Thanks for reaching out to the Microsoft fabric community forum.

This design demonstrates thorough planning and consideration for both MVP and long term production needs. Centralizing Bronze, Silver, and Gold processing in one workspace establishes a strong foundation, streamlining ownership, support, and troubleshooting, while clearly separating data engineering from business data consumption.

Setting up a dedicated reporting workspace for semantic models and centrally managed reports is an effective approach. This structure supports efficient model management, RLS implementation, and access control, while enabling multiple departments to leverage the same trusted resources. Managing access through apps and security groups is a proven method, particularly as teams continue to build familiarity with Fabric and Power BI.

Department-specific spoke workspaces, with a shared DEV environment for experimentation and a controlled PROD environment for publishing, provide users with learning opportunities without compromising platform stability. Utilizing shortcuts to Gold data, rather than duplicating it, enhances consistency and reduces potential issues.

It is important to maintain strict permission controls. Leverage Entra ID security groups, restrict write access to core data and central models to the data team, and grant business users build access only where necessary. Applying RLS at the semantic layer will further support model flexibility and reusability.

Overall, this architecture is well-positioned to scale as more departments are onboarded and should support a smooth transition from MVP to a robust production environment.

 


Best Regards,
Tejaswi.
Community Support

Message 3 of 3
33 Views
ati_puri
Resolver I
Resolver I

Wednesday

Hi @ak-5537 ,

 

Few suggestions and soltuions for the above approach:

1) Best-practice pattern for Gold-layer serving is to expose views and grant access to views (not base tables), manage roles/groups, and keep security artifacts deployable—often via pipelines/Git.

2) If users are non-technical, it is recommended to give limited access to Gold tables and most users consume via semantic models/apps. Only PBI users should get the build permissions.

3) Users who has contributor access to reporting workspace automatically gets build permissions to semantic models.

4) Since your users are not highly technical, you will want to avoid accidental data leakage and model misuse.

  • Create Entra groups like  dept_finance_pbi_builders, dept_finance_pbi_consumers
  • Grant Build only to the Builders group for the relevant centralized models
  • Everyone else consumes via app audiences (read-only experience)

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

 

Thanks

Ati

Message 2 of 3
68 Views
0

Helpful resources

Announcements
Sticker Challenge 2026 Carousel

Join our Community Sticker Challenge 2026

If you love stickers, then you will definitely want to check out our Community Sticker Challenge!

Free Fabric Certifications

Free Fabric Certifications

Get Fabric certified for free! Don't miss your chance.

January Fabric Update Carousel

Fabric Monthly Update - January 2026

Check out the January 2026 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All