Users should be able to create custom workspace roles to enforce the principle of least privilege by granting specific permissions to users, groups, and applications based on their exact job responsibilities, exactly like Azure RBAC does. Current state of the workspace roles is way out of date with the state of the product itself.

Few examples:

1. When using a Service Principal (SP) to deploy assets (semantic models, reports, etc) to workspaces from e.g. Azure Devops pipelines or Github actions, the SP must have Member level access to the workspace. This level of access grants the SP much more privileges it needs to accomplish the task it is used for. 
2. Often semantic model refreshes are triggered as a part of the ETL process outside of Fabric, e.g. from Azure Data Factory (ADF) via REST API. In this case, the ADF Managed Identity (MI) is a convinient way to authenticate the request. However, this requires a Contributor workspace role for the MI, which again provides far too many privileges to the MI than it actually needs.