You have a Fabric workspace named Workspace1 that contains a warehouse named DW1 and a data pipeline named Pipeline1.
You plan to add a user named User3 to Workspace1.
You need to ensure that User3 can perform the following actions:
View all the items in Workspace1.
Update the tables in DW1.
The solution must follow the principle of least privilege.
You already assigned the appropriate object-level permissions to DW1.
Which workspace role should you assign to User3?
Only member or above can modify warehouse items https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces
As I understand, the explain "Create or modify warehouse items." in this document means member role can create and modify warehouse. If you check Microsoft documents for item level permission, they all said item on high level, such as lakehouse, warehouse. Item doesn't mean objects inside warehouse. Contributor role can update table data inside warehouse.
Viewer - Can view all content in the workspace, but can't modify it. Contributor - Can view and modify all content in the workspace. Member - Can view, modify, and share all content in the workspace. Can add Members Admin - Can view, modify, share, and manage all content in the workspace, including managing permissions. - Can add Admins, Members and can delete workspace. So Contributor is the least role who can view and update the tables (modify the content).
Assign the Viewer role to User3 to allow viewing all workspace items. Object-level permissions already cover updates to DW1, ensuring least privilege is maintained.
This is a really tricky question and the answer does not just lay in the coarse grained workspace roles https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces The user should be able to view the items in the workspace - VIEWER The user can already update the tables in the DW1 database through object-level permissions So if you apply the Principle of Least privilege, VIEWER is all that is required. All other roles will elevate the user privilege over and above the requirements.
Yes, tricky question again. We just can guess grant user3 has two steps if we choose role viewer on workspace level. the next step should grant user permission on warehouse roles. However, question doesn't give enough details for just can add user on workspace level or both workspace and item level. It will be changed to clear if Microsoft change this question to "You already assigned the appropriate object-level permissions to User3."
If DW (which need modify permission) already has assigned the right permission only with viewer the User3 could view all items
This is wrong in the docs. Read this https://community.fabric.microsoft.com/t5/Service/Create-or-modify-warehouse-items-can-do-with-Contributor-role/m-p/4318708
Thanks for the link, very useful
This is only a custom-setting that can be given to a Contributor role by an Admin. It is not a default. Default is that contributors cannot modify warehouse items. Only Members and Admins can do so by default.
Contributor is the least privilege role according to this. https://learn.microsoft.com/en-us/fabric/security/permission-model
Viewer Can view all content in the workspace, but can't modify it. Contributor Can view and "modify" all content in the workspace. Member Can view, modify, and share all content in the workspace. Can add Members Admin Can view, modify, share, and manage all content in the workspace, including managing permissions. - Can add Admins, Members and can delete workspace. So Contributor is the least role who can view and update the tables (modify the content).
It is not specified that the user should be able to add other users to Workspace. Contributors can modify data, but not add others to Workspace. According to the documentation - Contributor is the least privileged role: https://learn.microsoft.com/en-us/fabric/security/permission-model#workspace-roles
Contributor fits the best as being a member would grant the user the power to add other users to the workspace, thus defeating the whole purpose of the question - "Least Privileged Access"
you could assign viewer role in the workspace which won't overwrite the the appropriate-already-configured object-level permission on dw1 so the user will be able to view all objects in ws1 but will also be able to run update statements within the dw1
please correct me if i am wrong otherwise is D
member can create or modify warehouse items according to doc, contributors can’t https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces#-workspace-roles
contibutor have read/write access to a warehouse:https://learn.microsoft.com/en-us/fabric/data-warehouse/share-warehouse-manage-permissions
they already have access to DW1