Hi @frhr,
You’re reading the docs right - deployment pipelines have only one pipeline-level role and it’s Admin. Workspace permissions are separate, and to actually deploy between stages you must be a pipeline admin and have at least Contributor, Member, or Admin on the workspaces connected to those stages. Viewer isn’t enough to perform deployments. See The deployment pipelines process and Get started with deployment pipelines.
What this means for a read-only PROD:
- Keep end users as Viewers in PROD (or consume via an App).
- Create a small “Release Managers” group and give it:
- Pipeline Admin on the pipeline, and
- Contributor on the DEV and PROD workspaces so they can deploy but can’t publish or unpublish the App. App publishing is limited to Admins and Members, per Roles in workspaces in Power BI and Publish an app in Power BI.
- Optionally, keep a very small set of App managers as Member in PROD if you want App updates controlled separately from deployments.
If you want zero human editors in PROD: use a service principal as the deployment identity. Grant it Pipeline Admin and Contributor/Member on PROD, and remove edit roles from humans. Service principals can own and operate pipelines and workspaces; see Deployment Pipelines REST API (note the service principal prerequisites on that page).
There isn’t a built-in “deploy-only” permission or a workspace toggle that forces all edits to go through pipelines today. If you want that capability, consider voting for this idea: Make production workspace items read-only (editable only via Deployment Pipeline, Git, or API).
If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, please mark this as the solution.
Proud to be a Super User! |  |
Hi @frhr,
You’re reading the docs right - deployment pipelines have only one pipeline-level role and it’s Admin. Workspace permissions are separate, and to actually deploy between stages you must be a pipeline admin and have at least Contributor, Member, or Admin on the workspaces connected to those stages. Viewer isn’t enough to perform deployments. See The deployment pipelines process and Get started with deployment pipelines.
What this means for a read-only PROD:
- Keep end users as Viewers in PROD (or consume via an App).
- Create a small “Release Managers” group and give it:
- Pipeline Admin on the pipeline, and
- Contributor on the DEV and PROD workspaces so they can deploy but can’t publish or unpublish the App. App publishing is limited to Admins and Members, per Roles in workspaces in Power BI and Publish an app in Power BI.
- Optionally, keep a very small set of App managers as Member in PROD if you want App updates controlled separately from deployments.
If you want zero human editors in PROD: use a service principal as the deployment identity. Grant it Pipeline Admin and Contributor/Member on PROD, and remove edit roles from humans. Service principals can own and operate pipelines and workspaces; see Deployment Pipelines REST API (note the service principal prerequisites on that page).
There isn’t a built-in “deploy-only” permission or a workspace toggle that forces all edits to go through pipelines today. If you want that capability, consider voting for this idea: Make production workspace items read-only (editable only via Deployment Pipeline, Git, or API).
If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, please mark this as the solution.
Proud to be a Super User! | |
Helpful resources
Power BI Monthly Update - May 2026
Check out the May 2026 Power BI update to learn about new features.
Data Days 2026 coming soon!
Sign up to receive a private message when registration opens and key events begin.
New to Fabric Survey
If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.
Power BI DataViz World Championships - June 2026
A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.
