elhammazizi
New Contributor II

interact with a Fabric data agent with minimum permission

I'm trying to minimize permissions while still allowing users to interact with a Fabric data agent that uses:

  • A Fabric Data Warehouse
  • A Semantic Model with RLS

Now I want to share this Fabric data agent with users. The question is:

What are the minimum permissions that I have to assign to a user so that they can only interact (ask questions) with this agent (not edit or more)?

1- Workspace role? (Viewer / Contributor / nothing)

2- Read access to the data warehouse?

3- Read access to the Fabric data agent?

4- Read access to the semantic model?

8 REPLIES
AntoineW
Contributor III

Hello @elhammazizi,

 

 

Here’s a precise and concise summary of the minimum permissions required for users to interact (ask questions only) with a Fabric Data Agent that uses:

  • A Fabric Data Warehouse
  • A Semantic Model with Row-Level Security (RLS)

Minimum Permissions Matrix

 

| Component | Required Permission | Notes |
| --- | --- | --- |
| Workspace | None or Viewer | Avoid Contributor/Admin to limit access |
| Data Warehouse | Item-level Read | Enables query access via the agent |
| Fabric Data Agent | Read on published version | Allows interaction only (no edit) |
| Semantic Model (RLS) | Item-level Read | RLS applies automatically per user identity |

 


Best Practice

🔹Use Microsoft Entra ID groups to assign permissions instead of adding users individually.
This simplifies management, ensures consistency, and scales better across teams.

 

🔗Official Source

Let me know if you want a script or UI walkthrough to apply these permissions.

 
Hope it can help you ! 
Best regards,
Antoine
 
 

Hi @AntoineW 

I tried to set these permissions, but it doesn't work without assigning the Viewer role. To make the scenario simple, I removed the semantic model as a source, and now the user has:

  • Read access to the DWH
  • Read/write access to the Fabric Data Agent
  • No role in the workspace

This Viewer role is too much access for the user. Have you ever managed to interact without the Viewer role?

Hello @elhammazizi,

 

Key points : 

 

  • When you share a Fabric Data Agent, you must also share access to the underlying data sources (Lakehouse, Warehouse, Semantic Models, KQL) — the agent honors user permissions (RLS, CLS) when running queries. 

  • For each data source, there is a minimum permission level needed for queries via the agent (as shown in the table in the doc):
     • Power BI semantic model: Build (not just Read) — the agent “generates model queries that require Build.” 
     • Lakehouse: Read on the lakehouse item and table access if row-level or table-level access is enforced. 
     • Warehouse: Read (SELECT on relevant tables) is sufficient.

  • If a user lacks the minimum permission on any data source used by the agent, those queries either fail or return no results, depending on the source’s security model. 

  • The agent is strictly read-only: it only issues queries; it cannot write, update, or delete data.

 

 

The documentation does not say “Users must have Viewer access to the workspace” in so many words. It says : "Additionally, when you share the Fabric data agent, you must also share access to the underlying data it uses"

 

Follow least privilege: grant only the data source permissions required (for semantic models this typically means Build without assigning broader workspace roles unless needed).

 

Hope it can help you ! 

Best regards,

Antoine

 

 

BhaveshPatel
Honored Contributor

Hi @elhammazizi 

 

In Fabric DWH, there is a row-level security feature that requires the use of T-SQL programming to restrict access programmatically, or use Lakehouse, where you should know Python to restrict access.

 

Fabric Workspace does not restrict data access (Admin, Member, Contributor or Viewer: they can still see the data). The only way is either Fabric DWH to restrict the access or the semantic layer in Power BI (row-level security).

Thanks & Regards,
Bhavesh

Love the Self Service BI.
Please use the 'Mark as answer' link to mark a post that answers your question. If you find a reply helpful, please remember to give Kudos.

Thanks for the response, but it's totally unrelated to the question. The question is: why should we assign at least the Viewer role to a user to interact with a Fabric data agent?

Hi @elhammazizi  

 

With the Viewer role, the data is still visible in Fabric Data Agent unless you are assigning permissions to an end user who doesn't want to know how to use Fabric Software. 

Thanks & Regards,
Bhavesh

elhammazizi
New Contributor II

Hi @AntoineW 

I’ve found a solution!

 

Normally, when we assign the Viewer role to a user, SQL endpoint access is automatically enabled, allowing the Fabric Data Agent to query the Warehouse or Lakehouse.

However, if we don’t want to assign the Viewer role to a user who needs to interact with the Fabric Data Agent, we can simply grant SELECT permissions on the required data source instead.

 

I would like to add my semantic model to the Fabric data agent to see what will happen!
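
The grant described in the post above, written out as T-SQL for the Warehouse (an added example, not code from the thread or from Microsoft). The table names `dbo.FactSales` and `dbo.DimCustomer`, the column names, and the principal `analyst@contoso.com` are constructed placeholders; it assumes the user already holds the item-level Read on the warehouse mentioned earlier in the thread and has no workspace role.

```sql
-- Constructed placeholders: dbo.FactSales, dbo.DimCustomer, their columns and
-- analyst@contoso.com are illustrative, not objects from the thread.
-- Run by a principal that is allowed to manage permissions on the warehouse.

-- 1. Table-level read on only the tables the data agent is configured to query.
GRANT SELECT ON OBJECT::dbo.FactSales TO [analyst@contoso.com];

-- 2. Column-level read where a table also holds columns the user must not see.
GRANT SELECT ON OBJECT::dbo.DimCustomer (CustomerKey, Region, Segment)
    TO [analyst@contoso.com];

-- 3. Audit: list every explicit object/column permission held by the user,
--    so anything broader than the two grants above stands out.
SELECT  pr.name            AS principal_name,
        pe.state_desc      AS grant_state,
        pe.permission_name,
        s.name             AS schema_name,
        o.name             AS object_name,
        c.name             AS column_name   -- NULL means the whole object
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN    sys.objects              AS o  ON o.object_id     = pe.major_id
JOIN    sys.schemas              AS s  ON s.schema_id     = o.schema_id
LEFT JOIN sys.columns            AS c  ON c.object_id     = pe.major_id
                                      AND c.column_id     = pe.minor_id
WHERE   pe.class = 1                         -- object or column scope
  AND   pr.name  = 'analyst@contoso.com'
ORDER BY s.name, o.name, c.name;

-- 4. Roll back when the user no longer needs the agent.
REVOKE SELECT ON OBJECT::dbo.FactSales FROM [analyst@contoso.com];
REVOKE SELECT ON OBJECT::dbo.DimCustomer (CustomerKey, Region, Segment)
    FROM [analyst@contoso.com];
```

Unlike the Viewer role, these grants cover only the named tables and columns, so the audit query in step 3 doubles as a periodic check that no wider SELECT has crept in.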

@elhammazizi Nice, well done ! 
