
Semantic Model visibility within the company

Our Situation

Within our enterprise we want to expand Microsoft Fabric adoption by providing Semantic Models which are maintained by our IT Department (in the past, the IT Department only provided the Capacity Units; everything beyond was business managed n+1 times and not aligned between departments). Currently we have the IT-managed semantic models in a different Fabric Workspace than the IT-managed Lake- and Warehouses. Below is a picture which visualizes this setup using an example data source:

 

00009_0-1746800946281.png

Goal 1: All business users of our enterprise should be able to see the semantic model workspace and the names / description / endorsement of the semantic models they contain.

Goal 2: Within the semantic model we want to control what data a user is able to see, e.g. through Column-level security (CLS).

Goal 3: All business users should be able to create reports with semantic models they have access to, while they should not have access to the whole underlying Lake- or Warehouse (to maintain Goal 2).

Goal 4: If a user has "Viewer"-Access to a workspace, he should be able to see all contained report names in the overview list.

 

Warehouse Workspace Permissions:

  • Business User: Does not have any permissions assigned
  • IT User: Has "Member"-Access assigned to workspace

Semantic Model Workspace Permissions:

  • Business User: Has "Viewer"-Permission assigned
  • IT User: Has "Member"-Access assigned to workspace

Semantic Model Direct access Permissions:

  • Business User: Has "Build"-Permission assigned manually and automatically inherits "Workspace Viewer"-Permission.
  • IT User: Has All Permissions assigned

Current Issues we face:

1. User is not able to see the semantic model (direct lake SSO mode) if he has no "Viewer"-Access to the Warehouse Workspace.

This will result in the following UI-behavior: The default workspace view will show "There is nothing here yet" as text.

00009_0-1746810777960.png

If you switch to the Lineage-View with the button on the upper right side, the user is able to see the name of the semantic model as expected (Goal 1).

00009_1-1746810785158.png

==> We think this is a UI bug and should be fixed, so that both views show the same data. In our example this would mean that both views show the name of the semantic model.

 

Besides the UI bug, we are not sure how to handle this one - maybe "direct lake fixed identity mode" could be an option (?). Besides this, we could assign "Viewer"-Access to the workspace of the warehouse, but would then bypass Goal 2. Happy to receive some ideas on this.

 

2. User is not able to see an existing report within a workspace if he does not have the "Build"-Permission assigned to the used semantic model

We would expect that while in the workspace overview, the user is able to see every report name the workspace contains if he has "Viewer"-Workspace-Permissions assigned.

==> The current behavior will give misleading information to the user

 

The Idea we have

We believe that there are other enterprises as well which want to give visibility of existing semantic model metadata (title, description, endorsement, etc.) to all their users, while the data access itself is handled differently. There should be a Microsoft Learn article about the best practices for sharing semantic model metadata with the whole company while enabling users with data access to build custom reports as well.

 

In addition, the permission view of the semantic model UI should include those instructions as well. Maybe a diagram could be a good option as well to visualize who will have access.

 

Last words

Our IT Department is still quite new to Microsoft Fabric Permission Management, which is why good documentation and helpful UI hints are essential to fulfill our Goals 1-4. We want to enable our business to achieve the best results fast!

Status: New
Comments
ThornKevin
Advocate I

Same here! Still confused about the actual permissions and would love some permission evaluator like in the Azure Portal. I like the idea of some visual representation that shows the permission lineage between a given user or Entra ID group and the items. Maybe this can be drawn as a graph where node a is the user, node b the semantic model and node c the connected data source. Left of those dotted lines from Power BI Reports or similar. The different relationship arrows could then have a small text with information if e.g. it's using direct lake or if it authenticates with SSO or fixed identity. In theory the PG already has the needed UI building blocks available with the other existing lineage view. Therefore it maybe just needs to be extended by permissions.