Custom Workspace Roles

Users should be able to create custom workspace roles to enforce the principle of least privilege by granting specific permissions to users, groups, and applications based on their exact job responsibilities, exactly like Azure RBAC does. The current state of the workspace roles is way out of date with the state of the product itself.

 

A few examples:

  1. When using a Service Principal (SP) to deploy assets (semantic models, reports, etc.) to workspaces from e.g. Azure DevOps pipelines or GitHub Actions, the SP must have Member level access to the workspace. This level of access grants the SP many more privileges than it needs to accomplish the task it is used for.
  2. Often semantic model refreshes are triggered as a part of the ETL process outside of Fabric, e.g. from Azure Data Factory (ADF) via REST API. In this case, the ADF Managed Identity (MI) is a convenient way to authenticate the request. However, this requires a Contributor workspace role for the MI, which again provides far more privileges to the MI than it actually needs.
Status: New