Development Documentation

Frequently Asked Questions

Questions are organized by audience. Each answer gives a brief summary — follow the links for full details.

General

Where do I find reports?

Reports are published through a Fabric Workspace App organized by business domain. In production, access it via a link shared by your team lead. The app has 5 sections: Logistics, Trade, Finance, Supply, and MT.

If you don't see the app or a section, your Entra ID security group may not have access. Contact the platform team. See Workspace Roles — App Access Model for how access is configured.

How often is data refreshed?

Bronze data is near real-time (via shortcuts) or daily (via Azure Functions). Gold is rebuilt nightly via dbt. DirectLake semantic models reflect Gold changes immediately — no separate refresh needed. See Data Flow Pipeline — Data Freshness for the full freshness table.

Who do I contact for access?

Access is managed through Entra ID security groups (the "FP GER" groups). Ask your manager to request membership in the appropriate group. The platform team adds your group via a PR to deployment/ENV.yml. See RBAC Architecture for the full access model.

Is there an API for accessing the data?

No public API. Business users consume data through Power BI reports. Analysts with the right security group can query the Gold Warehouse via SQL endpoint. Automated exports (SQL → Excel → email) are available — see Export System.


Developer

Why DuckDB for local development?

Speed and independence — full builds in seconds, no network needed, no Fabric CU cost. The trade-off is maintaining dual-dialect SQL. See Technology Stack — Why DuckDB for the full rationale and Dual-Dialect Patterns for the compatibility matrix.

Why CLI authentication instead of SPN?

ODBC Driver 18's SPN auth times out on Azure DevOps Ubuntu agents. CLI auth (az account get-access-token) is reliable. See Technology Stack — Why CLI Auth for details.

Why 4 workspaces per environment?

Terraform-created items and git-synced items cannot coexist in the same Fabric workspace. See Workspace Layout for the full explanation and workspace matrix.

Why cherry-pick promotion instead of branch merges?

Granular control — a bug fix can reach PROD without carrying unfinished features. See Technology Stack — Why Cherry-Pick and Promotion Workflow for the step-by-step process.


IT Admin

How are secrets managed?

All secrets live in a single Azure Key Vault: kv-fabric-dbt-keys. One vault for all environments — simplicity over isolation at this scale. Pipelines authenticate via the fabric-ci-service-connection service connection. See SPN Access Map — Key Vault Access for the full secret inventory.

What SPNs exist and what do they do?

Two SPNs (sp-fabric-platform-admin and sp-fabric-data-worker) plus two service accounts (geris_fabric_admin and svc-powerplatform). See SPN Access Map for the complete identity inventory, permissions, and workspace access matrix.

How do I rotate SPN credentials?

SPN secrets have a 1-year expiry. See SPN Access Map — Credential Rotation for the step-by-step rotation procedure, or Emergency Procedures — SPN Credential Rotation for the operations runbook version.

Where is the Key Vault?

kv-fabric-dbt-keys in resource group rg-fabric-dbt-platform. See SPN Access Map — Key Vault Access for access details.

How is access audited?

Every access change is committed as a PR. Check git log -- terraform/environments/*/terraform.tfvars for workspace roles and git log -- deployment/*.yml for report audience. See RBAC Architecture — Audit Trail for the full audit reference.
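The two history checks above can be combined into a single audit listing. This is an added example, not part of the platform's own tooling: the pathspecs are the ones given in the answer, while the function names, output format and sample repository are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: list commits that changed workspace roles or report audience.
# Pathspecs are from the FAQ; everything else here is illustrative.

# access_audit REPO [SINCE]
# Prints one line per commit: short-hash|date|author|scope|subject
access_audit() {
  local repo="$1" since="${2:-}" scope spec
  for scope in workspace-roles report-audience; do
    case "$scope" in
      workspace-roles) spec='terraform/environments/*/terraform.tfvars' ;;
      report-audience) spec='deployment/*.yml' ;;
    esac
    # The pathspec is quoted so git, not the shell, expands the glob. An
    # unquoted glob is expanded against the current checkout, so the history
    # of files that were later deleted can be skipped.
    git -C "$repo" log ${since:+"--since=$since"} --date=short \
      --format="%h|%ad|%an|$scope|%s" -- "$spec"
  done
}

# Constructed sample repository (hypothetical authors and group names).
make_demo_repo() {
  local d; d="$(mktemp -d)"
  git -C "$d" init -q
  commit() {
    git -C "$d" add -A &&
    git -C "$d" -c user.name="$1" -c user.email="$1@example.invalid" commit -q -m "$2"
  }
  mkdir -p "$d/terraform/environments/dev" "$d/terraform/environments/old" "$d/deployment"
  echo 'admins = ["grp-a"]' > "$d/terraform/environments/dev/terraform.tfvars"
  echo 'admins = ["grp-b"]' > "$d/terraform/environments/old/terraform.tfvars"
  commit alice "Grant workspace roles for dev and old"
  echo 'audience: [grp-a]' > "$d/deployment/DEV.yml"
  commit bob "Add report audience for DEV"
  rm -r "$d/terraform/environments/old"
  commit alice "Retire old environment"
  echo "readme" > "$d/README.md"
  commit carol "Docs only"
  echo "$d"
}

demo="$(make_demo_repo)"
access_audit "$demo"
```

Pass a second argument such as "3 months ago" to limit the listing to a review period.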

What monitoring exists?

The platform includes an ETL Monitoring report (pipeline runs, dbt metrics, data freshness) and Application Insights for Function App telemetry. CU utilization monitoring is blocked pending paid capacity. See Emergency Procedures — Monitoring and Alerting for details.