I'm trying to minimize permissions while still allowing users to interact with a Fabric data agent that uses:
Now I want to share this Fabric data agent with users. The question is:
What are the minimum permissions that I have to assign to a user to be able to only interact (ask questions) with this agent (not edit or more)?
1-workspace role ? (viewer / contributor / nothing)
2-read access to data warehouse ?
3-read access to the fabric data agent ?
4-read access to semantic model ?
Hello @elhammazizi,
Here's a precise and concise summary of the minimum permissions required for users to interact (ask questions only) with a Fabric Data Agent that uses:
| Component | Required Permission | Notes |
|---|---|---|
| Workspace | None or Viewer | Avoid Contributor/Admin to limit access |
| Data Warehouse | Item-level Read | Enables query access via the agent |
| Fabric Data Agent | Read on published version | Allows interaction only (no edit) |
| Semantic Model (RLS) | Item-level Read | RLS applies automatically per user identity |
Use Microsoft Entra ID groups to assign permissions instead of adding users individually.
This simplifies management, ensures consistency, and scales better across teams.
Let me know if you want a script or UI walkthrough to apply these permissions.
Hi @AntoineW
I tried to set these permissions but it doesn't work without assigning the Viewer role. To make the scenario simple, I removed the semantic model as a source, and now the user has:
This Viewer role is too much access for the user. Have you ever managed to interact without the Viewer role?
Hello @elhammazizi,
Key points :
When you share a Fabric Data Agent, you must also share access to the underlying data sources (Lakehouse, Warehouse, Semantic Models, KQL) - the agent honors user permissions (RLS, CLS) when running queries.
For each data source, there is a minimum permission level needed for queries via the agent (as shown in the table in the doc):
• Power BI semantic model: Build (not just Read) - the agent "generates model queries that require Build."
• Lakehouse: Read on the lakehouse item and table access if row-level or table-level access is enforced.
• Warehouse: Read (SELECT on relevant tables) is sufficient.
If a user lacks the minimum permission on any data source used by the agent, those queries either fail or return no results, depending on the source's security model.
The agent is strictly read-only: it only issues queries; it cannot write, update, or delete data.
The documentation does not say "Users must have Viewer access to the workspace" in so many words. It says: "Additionally, when you share the Fabric data agent, you must also share access to the underlying data it uses"
Follow least privilege: grant only the data source permissions required (for semantic models this typically means Build without assigning broader workspace roles unless needed).
Hope it can help you !
Best regards,
Antoine
Hi @elhammazizi
In Fabric DWH, there is a row-level security feature that requires the use of T-SQL Programming to restrict access programmatically or Use Lakehouse where you should know Python to restrict access.
Fabric Workspace does not restrict data access ( Admin, Members, Contributor or Viewer - They can still see the data ). The only way is either Fabric DWH to restrict the access or Semantic layer in Power BI ( Row level security ) .
Thanks for the response, but it's totally unrelated to the question. The question is why we should assign at least the Viewer role to a user to interact with a Fabric data agent?
Hi @elhammazizi
With the Viewer role, the data is still visible in Fabric Data Agent unless you are assigning permissions to an end user who doesn't want to know how to use Fabric Software.
Hi @AntoineW
I've found a solution!
Normally, when we assign the Viewer role to a user, SQL endpoint access is automatically enabled, allowing the Fabric Data Agent to query the Warehouse or Lakehouse.
However, if we don't want to assign the Viewer role to a user who needs to interact with the Fabric Data Agent, we can simply grant SELECT permissions on the required data source instead.
I would like to add my semantic model to the Fabric data agent to see what will happen!
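
The SELECT-only grant described in the post above, written out as an added example (not posted by anyone in this thread). It is T-SQL run inside the warehouse; the role name `agent_reader`, the tables `dbo.Sales` and `dbo.Customers`, and the principal `user@contoso.com` are hypothetical placeholders.

```sql
-- Added example: table-level SELECT for a user who only talks to the data agent.
-- All names below are placeholders, not values from this thread.

-- 1. A custom role that carries only the grants the agent's queries need.
CREATE ROLE agent_reader;

GRANT SELECT ON OBJECT::dbo.Sales     TO agent_reader;
GRANT SELECT ON OBJECT::dbo.Customers TO agent_reader;

-- 2. Put the Entra ID user in the role instead of granting to the user directly,
--    so the grants are reviewed and revoked in one place.
ALTER ROLE agent_reader ADD MEMBER [user@contoso.com];

-- 3. Check: list every permission the role holds. Anything other than
--    SELECT on the two tables above is broader than intended.
SELECT pr.name                 AS principal_name,
       pe.state_desc           AS state,
       pe.permission_name      AS permission,
       SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                  AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects         AS o
  ON o.object_id = pe.major_id AND pe.class = 1
WHERE pr.name = N'agent_reader';

-- 4. Check: confirm who is in the role.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'agent_reader';
```

To withdraw access later, `ALTER ROLE agent_reader DROP MEMBER [user@contoso.com];` removes the user without touching the table grants.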