Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us at FabCon Atlanta from March 16 - 20, 2026, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM. Register now.

Reply
elhammazizi
Frequent Visitor

interact with a Fabric data agent with minimum permission

‎10-09-2025 07:07 AM

I'm trying to minimize permissions while still allowing users to interact with a Fabric data agent that uses:

  • A Fabric Data Warehouse
  • A Semantic Model with RLS

now I want to share this fabric data agent with users. the question is 

what are the minimum permission that I have to assgin to a user to be able to only interact ( ask questions) with this agent ( not edit or more).

1-workspace role ? (viewer /contributer / nothing)

2-read access to data warehouse ?

3-read access to the fabric data agent ?

4-read access to semantic model ?

Labels:
Message 1 of 10
506 Views
0
1 ACCEPTED SOLUTION
elhammazizi
Frequent Visitor

‎10-13-2025 04:57 AM

Hi @AntoineW 

I’ve found a solution!

 

Normally, when we assign the Viewer role to a user, SQL endpoint access is automatically enabled, allowing the Fabric Data Agent to query the Warehouse or Lakehouse.

However, if we don’t want to assign the Viewer role to a user who needs to interact with the Fabric Data Agent, we can simply grant SELECT permissions on the required data source instead.

 

I would like to add my semantic model to fabric data agent to see what will be happend!

View solution in original post

Message 8 of 10
283 Views
9 REPLIES 9
v-pgoloju
Community Support
Community Support

‎10-15-2025 01:04 AM

Hi @elhammazizi,

 

Thank you for reaching out to the Microsoft Fabric Forum Community, and special thanks to @AntoineW  and @BhaveshPatel for prompt and helpful responses.

 

Could you please mark the working response as the accepted solution? This will help others in the community who are facing a similar issue to find it more easily.

 

Thanks & Regards,

Prasanna Kumar

Message 10 of 10
210 Views
elhammazizi
Frequent Visitor

‎10-13-2025 04:57 AM

Hi @AntoineW 

I’ve found a solution!

 

Normally, when we assign the Viewer role to a user, SQL endpoint access is automatically enabled, allowing the Fabric Data Agent to query the Warehouse or Lakehouse.

However, if we don’t want to assign the Viewer role to a user who needs to interact with the Fabric Data Agent, we can simply grant SELECT permissions on the required data source instead.

 

I would like to add my semantic model to fabric data agent to see what will be happend!

Message 8 of 10
284 Views
AntoineW
Solution Sage
Solution Sage
In response to elhammazizi

‎10-13-2025 05:12 AM

@elhammazizi Nice, well done ! 

Message 9 of 10
280 Views
0
BhaveshPatel
Community Champion
Community Champion

‎10-10-2025 01:36 AM

Hi @elhammazizi 

 

In Fabric DWH, there is a row-level security feature that requires the use of T-SQL Programming to restrict access programmatically or Use Lakehouse where you should know Python to restrict access.

 

Fabric Workspace does not restrict data access ( Admin, Members, Contributor or Viewer - They can still see the data ). The only way is either Fabric DWH to restrict the access or Semantic layer in Power BI ( Row level security ) . 

Thanks & Regards,
Bhavesh

Love the Self Service BI.
Please use the 'Mark as answer' link to mark a post that answers your question. If you find a reply helpful, please remember to give Kudos.
Message 5 of 10
448 Views
0
elhammazizi
Frequent Visitor
In response to BhaveshPatel

‎10-10-2025 01:42 AM

thanks for the response but its totally unrelate to the question , question is why we should assign at least viewer role to a user to interact with fabric data agent ?

Message 6 of 10
443 Views
0
BhaveshPatel
Community Champion
Community Champion
In response to elhammazizi

‎10-10-2025 01:50 AM

Hi @elhammazizi  

 

With the Viewer role, the data is still visible in Fabric Data Agent unless you are assigning permissions to an end user who doesn't want to know how to use Fabric Software. 

Thanks & Regards,
Bhavesh

Love the Self Service BI.
Please use the 'Mark as answer' link to mark a post that answers your question. If you find a reply helpful, please remember to give Kudos.
Message 7 of 10
442 Views
0
AntoineW
Solution Sage
Solution Sage

‎10-09-2025 08:36 AM

Hello @elhammazizi,

 

 

Here’s a precise and concise summary of the minimum permissions required for users to interact (ask questions only) with a Fabric Data Agent that uses:

  • A Fabric Data Warehouse
  • A Semantic Model with Row-Level Security (RLS)

Minimum Permissions Matrix

 

ComponentRequired PermissionNotes
WorkspaceNone or ViewerAvoid Contributor/Admin to limit access
Data WarehouseItem-level ReadEnables query access via the agent
Fabric Data AgentRead on published versionAllows interaction only (no edit)
Semantic Model (RLS)Item-level ReadRLS applies automatically per user identity

 

Best Practice

🔹Use Microsoft Entra ID groups to assign permissions instead of adding users individually.
This simplifies management, ensures consistency, and scales better across teams.

 

🔗Official Source

Let me know if you want a script or UI walkthrough to apply these permissions.

 
Hope it can help you ! 
Best regards,
Antoine
 
 
Message 2 of 10
485 Views
elhammazizi
Frequent Visitor
In response to AntoineW

‎10-10-2025 01:13 AM

Hi @AntoineW 

I tried to set these permissions but it doesnt work without assiging Viewr Role , to make the scenario simple , I removed semantic model as a source and now user has :

  • read acess to DWH 
  • read/ write access to Fabric Data Agent 
  • No role in workspace 

this Viewer role is too much access for the user. have u ever managed to interact without Viewr role ?

Message 3 of 10
451 Views
0
AntoineW
Solution Sage
Solution Sage
In response to elhammazizi

‎10-10-2025 03:35 AM

Hello @elhammazizi,

 

Key points : 

 

  • When you share a Fabric Data Agent, you must also share access to the underlying data sources (Lakehouse, Warehouse, Semantic Models, KQL) — the agent honors user permissions (RLS, CLS) when running queries. 

  • For each data source, there is a minimum permission level needed for queries via the agent (as shown in the table in the doc):
     • Power BI semantic model: Build (not just Read) — the agent “generates model queries that require Build.” 
     • Lakehouse: Read on the lakehouse item and table access if row-level or table-level access is enforced. 
     • Warehouse: Read (SELECT on relevant tables) is sufficient.

  • If a user lacks the minimum permission on any data source used by the agent, those queries either fail or return no results, depending on the source’s security model. 

  • The agent is strictly read-only: it only issues queries; it cannot write, update, or delete data.

 

 

The documentation does not say “Users must have Viewer access to the workspace” in so many words. It says : "Additionally, when you share the Fabric data agent, you must also share access to the underlying data it uses"

 

Follow least privilege: grant only the data source permissions required (for semantic models this typically means Build without assigning broader workspace roles unless needed).

 

Hope it can help you ! 

Best regards,

Antoine

 

 

Message 4 of 10
424 Views
0

Helpful resources

Announcements
FabCon Global Hackathon Carousel

FabCon Global Hackathon

Join the Fabric FabCon Global Hackathon—running virtually through Nov 3. Open to all skill levels. $10,000 in prizes!

September Fabric Update Carousel

Fabric Monthly Update - September 2025

Check out the September 2025 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All