Solved: Permissions deployment in Fabric

PraveenVeli · ‎02-24-2025

I come from the database world, where we manage the lifecycle of security and permissions through source control and deployments. I want to understand how we can manage permissions with Fabric. When we add permissions to an item within a workspace and want to transfer those permissions to different regional workspaces, such as Dev-Test-Prod, how would we do that? This applies to Workspace level permissions aswell.

v-aatheeque · ‎03-12-2025

Hi @PraveenVeli ,
Apologies for the inconvenience caused.

To effectively manage permissions through source control in Fabric:

Microsoft Fabric offers Git integration to manage the lifecycle of various items, including permissions, through source control.
This integration allows you to version, collaborate, and deploy content across different environments such as development testing and production.

References : https://learn.microsoft.com/en-us/fabric/cicd/best-practices-cicd

https://www.youtube.com/watch?v=gzmln7ONVyk

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

View solution in original post

nilendraFabric · ‎02-24-2025

hello @PraveenVeli

Workspace Roles
• Admin/Member/Contributor/Viewer roles control access to all items in a workspace.
• Example: Assigning `Viewer` at the workspace level grants read-only access to all items in that workspace.
• Deployment Limitation: Workspace roles are not automatically propagated across environments (e.g., Dev → Prod). You must manually replicate roles in each workspace.

2. Item-Level Permissions ():
• Granular permissions (e.g., `ReadData`, `WriteData`) can be assigned to specific items (e.g., a lakehouse or warehouse) independently of workspace roles.
• Example: Share a Prod warehouse with a user who lacks Prod workspace access by granting direct `ReadData` permissions.

some best practices

Workspace Separation by Environment :

• Use separate workspaces for Dev, Test, and Prod.
• Assign workspace roles (e.g., `Admin` for Dev, restricted `Viewer` for Prod) to limit overprivileged access.
• Best Practice: Isolate Prod workspaces using security groups and strict role assignments.

Security Groups for Role Assignment ():
• Assign workspace roles to security groups (e.g., `Prod-Data-Viewers`) instead of individual users.
• Update group memberships centrally to propagate changes across environments.

Apply RLS in Power BI reports or semantic models to restrict data visibility based on user roles

References:

https://learn.microsoft.com/en-us/fabric/security/permission-model

https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces

if this is helpful please accept the answer

PraveenVeli · ‎03-03-2025

@nilendraFabric , Manually replicating permissions will be a challenging task, I believe. Is there any way to source code the permissions for Fabric so that we can deploy them from ADO release pipelines or through a method where we can code for users/groups that require access to specific items/workspaces? That is what we do for a SQL Server, where we source code all permissions based on regions and deploy them to the necessary region. This way, we maintain clear visibility of who has what level of access and so on.

v-aatheeque · ‎03-05-2025

Hi @PraveenVeli ,

Yes, you can manage permissions for Microsoft Fabric using source code and deploy them through ADO release pipelines.
However, there are ways to automate and manage permissions programmatically, similar to how you handle SQL Server permissions.

By leveraging the Power BI REST API, Azure DevOps pipelines, and scripting, you can effectively manage and deploy permissions in Microsoft Fabric.

References :

https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=azure-devops

https://learn.microsoft.com/en-us/rest/api/power-bi/

If our response addressed by the community member for your query, please mark it as Accept Answer and click Yes if you found it helpful.

Should you have any further questions, feel free to reach out.
Thank you for being a part of the Microsoft Fabric Community Forum!

v-aatheeque · ‎03-10-2025

Hi @PraveenVeli ,

Just checking in to see if you've made any progress with the information provided. If you found the guidance helpful, please click "Accept Answer" and "Yes" to the question "Was this answer helpful?"

And of course, if you have any further questions or need more assistance, feel free to reach out.

Thank you!

PraveenVeli · ‎03-11-2025

Hi @v-aatheeque , Sorry, I'm still struggling to find a clear way around it, as the links above mainly discuss the permissions needed to perform tasks rather than how to deploy various Fabric-related items' permissions through source control. Please correct me if I'm wrong.

v-aatheeque · ‎03-12-2025

Hi @PraveenVeli ,
Apologies for the inconvenience caused.

To effectively manage permissions through source control in Fabric:

Microsoft Fabric offers Git integration to manage the lifecycle of various items, including permissions, through source control.
This integration allows you to version, collaborate, and deploy content across different environments such as development testing and production.

References : https://learn.microsoft.com/en-us/fabric/cicd/best-practices-cicd

https://www.youtube.com/watch?v=gzmln7ONVyk

If this post was helpful, please consider marking Accept as solution to assist other members in finding it more easily.

If you continue to face issues, feel free to reach out to us for further assistance!

v-aatheeque · ‎03-18-2025

Hi @PraveenVeli ,

We haven't heard back from you regarding our last response and wanted to check if your issue has been resolved.

If the solution was helpful, kindly click "Accept Answer" and "Yes" for "Was this answer helpful?" If you have any further questions, feel free to let us know.

Thank you!