The Fabric Access Puzzle: Cracking Permission Problems with Confidence
Description
Permissions got you puzzled? Discover how to crack common access problems, streamline permissions and implement best practices for a secure, well-managed and collaboration-ready Fabric environment, because permissions can make or break your Fabric setup.
Key Takeaways
- Microsoft Data Platform MVP
- Superuser at Microsoft Fabric Community
- 10+ years of industry experience
- Fabric Consultant, London
- Organizer at DataWeekender conference
- Manager at Microsoft Fabric UK User Group
- Contributors can only share if the "Allow contributors to update the app" setting is enabled or if granted item-level permissions.
Resources & Links
Slides
The Fabric Access Puzzle: Cracking Permission Problems with Confidence
Pragati Jain
Fabric Consultant
• Microsoft Data Platform MVP
• Superuser at Microsoft Fabric Community
• 10+ years of industry experience
• Fabric Consultant, London
• Organizer at DataWeekender conference
• Manager at Microsoft Fabric UK User Group
Agenda
➢ Introduction
➢ Fabric Security Funnel (Understanding Hierarchy)
➢ Workspace Roles (The “Big Four”)
➢ OneLake Data Access (Securing the Tables)
➢ Internal Data Mesh (Shortcuts)
➢ Governance & Auditing (Who did What & When)
➢ Troubleshooting & Takeaways
Fabric Security Funnel
➢ Multi-layer security: Tenant → Capacity → Workspace → Item
➢ Workspaces: logical collaboration containers
➢ Items: Semantic model, reports, notebooks, pipelines, etc.
➢ Permissions flow top-down, with item-level overrides
Workspace Roles – The “Big Four”
Capability
Admin
Member
Contributor
Viewer
Update/Delete Workspace
Add/Remove Users
Create/Edit/Delete Items
Share Items (Reshare)
*
Read Metadata (See Item)
Read Data (SQL/Spark)
ReadData Needed
- Contributors can only share if the "Allow contributors to update the app" setting is enabled or if granted item-level permissions.
Demo 1 – The “Viewer” Trap & Item Sharing
OneLake Security – Locking the Rooms
Demo 2 – Folder level Control
Internal Data Mesh
Data stays in Engineering;
Marketing queries it live.
Demo 3 – Cross Workspace Shortcuts
Governance & Auditing
• The Audit Trail: Every "Share" and "Role Change" is logged in the Fabric Activity Events.
• Full Transparency: Identify who granted access, to whom, and exactly when.
• Proactive Monitoring: Use Purview and Admin Reports to catch "Permission Creep."
Demo 4 – Proving “Who’s In”
Common Gotchas
• Workspace Roles = Full Data Access.
• Shortcuts require permissions at the Source.
• Token Caching (Sign out/in).
Best Practices Checklist
✓ Use Entra ID Groups (Never individuals)
✓ Grant Least Privilege (Most developers should be Contributors, use item-level for consumers).
✓ Audit Admins monthly.
✓ Review permissions regularly
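A minimal check for the first three checklist items, added here as an example and not taken from the session. It runs over constructed role-assignment records; the field names (`workspace`, `principal`, `principal_type`, `role`) and the rule labels are assumptions of this example, not a documented Fabric export format.

```python
from collections import defaultdict

# Constructed sample records (assumed shape, not real tenant data).
ASSIGNMENTS = [
    {"workspace": "Engineering", "principal": "sg-eng-admins",
     "principal_type": "Group", "role": "Admin"},
    {"workspace": "Engineering", "principal": "sg-eng-devs",
     "principal_type": "Group", "role": "Contributor"},
    {"workspace": "Engineering", "principal": "alex@example.com",
     "principal_type": "User", "role": "Member"},
    {"workspace": "Marketing", "principal": "sam@example.com",
     "principal_type": "User", "role": "Admin"},
    {"workspace": "Marketing", "principal": "sg-mkt-readers",
     "principal_type": "Group", "role": "Viewer"},
]

# The "Big Four" workspace roles, ordered from least to most privileged.
ROLE_RANK = {"Viewer": 0, "Contributor": 1, "Member": 2, "Admin": 3}


def audit(assignments):
    """Return sorted (workspace, principal, rule) findings for review."""
    findings = []
    for a in assignments:
        role = a["role"]
        if role not in ROLE_RANK:
            # Fail loudly on unknown roles instead of silently passing them.
            raise ValueError(f"unknown workspace role: {role!r}")
        key = (a["workspace"], a["principal"])
        # Checklist: use Entra ID groups, never individuals.
        if a["principal_type"] == "User":
            findings.append(key + ("DIRECT_USER",))
        # Checklist: least privilege; anything above Contributor needs a reason.
        if ROLE_RANK[role] > ROLE_RANK["Contributor"]:
            findings.append(key + ("ABOVE_CONTRIBUTOR",))
    return sorted(findings)


def admins_by_workspace(assignments):
    """Group Admin principals per workspace for the monthly admin audit."""
    admins = defaultdict(list)
    for a in assignments:
        if a["role"] == "Admin":
            admins[a["workspace"]].append(a["principal"])
    return {ws: sorted(names) for ws, names in admins.items()}
```
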
Takeaway Decision Tree
Troubleshooting Decision Grid
THANK YOU
Happy to Take
any Questions!