Hi @frhr,

You’re reading the docs right - deployment pipelines have only one pipeline-level role and it’s Admin. Workspace permissions are separate, and to actually deploy between stages you must be a pipeline admin and have at least Contributor, Member, or Admin on the workspaces connected to those stages. Viewer isn’t enough to perform deployments. See The deployment pipelines process and Get started with deployment pipelines.

What this means for a read-only PROD:

• Keep end users as Viewers in PROD (or consume via an App).
• Create a small “Release Managers” group and give it:
  • Pipeline Admin on the pipeline, and
  • Contributor on the DEV and PROD workspaces so they can deploy but can’t publish or unpublish the App. App publishing is limited to Admins and Members, per Roles in workspaces in Power BI and Publish an app in Power BI.
• Optionally, keep a very small set of App managers as Member in PROD if you want App updates controlled separately from deployments.

If you want zero human editors in PROD: use a service principal as the deployment identity. Grant it Pipeline Admin and Contributor/Member on PROD, and remove edit roles from humans. Service principals can own and operate pipelines and workspaces; see Deployment Pipelines REST API (note the service principal prerequisites on that page).

There isn’t a built-in “deploy-only” permission or a workspace toggle that forces all edits to go through pipelines today. If you want that capability, consider voting for this idea: Make production workspace items read-only (editable only via Deployment Pipeline, Git, or API).

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, please mark this as the solution.