Auto-generated from: security/roles.sql, security/grants/, security/rls/ — Last scanned: 2026-06-08T13:11:14.876627+00:00
Warehouse Roles
SQL warehouse roles are mapped to Function Profile (FP GER) Entra ID
security groups. FP GER is the canonical naming convention for all platform
security groups -- older sg-fabric-* names are no longer used.
6 roles defined in security/roles.sql:
| Role | Function Profile (Entra Group) | Status | Purpose |
|---|---|---|---|
| platform_admin | FP GER Fabric Platform Team (Leads) | Active | Full database control for platform team / SPNs. |
| analyst_full | FP GER Fabric Analysts Full | Active | Full read access to Gold + Bronze schemas. |
| analyst_gold | FP GER Fabric Analysts | Active | Read access to non-sensitive Gold tables only. No Bronze access. |
| app_consumer | FP GER Fabric Apps | Active | Read access to dimension + non-sensitive fact tables only. |
| report_viewer | (business FP GER groups via workspace app / semantic model) | Active | No direct SQL access. Data accessed via semantic models (Power BI). |
| it_admin | (none -- merged into platform_admin) | DEPRECATED | Historical: full read + metadata for IT administrators. |
Deprecation note: Deprecated roles are retained so that existing grants keep working, but no new members should be assigned to them. Users who would previously have been placed in a deprecated role should be added to FP GER Fabric Platform Team (→ platform_admin) instead. Note that platform_admin carries full database control, which is broader than the read + metadata access it_admin granted, so each migrated member's need should be reviewed before they are added to that group.
Workspace-Only Function Profiles (no SQL role)
Not every FP GER group maps to a SQL warehouse role. Some groups get only
Fabric workspace access and never query the Gold warehouse directly. These are
managed via Terraform (terraform/environments/<env>/terraform.tfvars):
| Function Profile (Entra Group) | Workspace Role | Purpose |
|---|---|---|
| FP GER Fabric Developers | Viewer on deployed Gold / Bronze / Semantic / Reports (DEV/UAT/PROD); Contributor on their own feature workspaces | Platform developers -- read-only on deployed workspaces. All changes go through feature branch -> PR -> pipeline (ADR-20). No SQL role: direct warehouse writes are blocked by design. Developers who also need warehouse query access are added to FP GER Fabric Analysts Full as well. |
| FP GER Fabric Consultants | Viewer on deployed Semantic / Reports (DEV/UAT/PROD); Contributor on their own feature workspaces. No access to Gold or Bronze workspaces. | External Power BI consultants. Same read-only-on-deployed model as Developers, scoped to Semantic + Reports only -- consultants never touch Gold or Bronze, and have no SQL warehouse role. Feature workspaces are pre-provisioned for them by an admin (Workflow 5 -- consultants do not self-provision). |
Grant Files
| File | Grants For |
|---|---|
| security/grants/analyst_full.sql | analyst_full |
| security/grants/analyst_gold.sql | analyst_gold |
| security/grants/app_consumer.sql | app_consumer |
| security/grants/bronze_write_protection.sql | bronze_write_protection |
| security/grants/cls_analyst_gold.sql | cls_analyst_gold |
| security/grants/cls_app_consumer.sql | cls_app_consumer |
| security/grants/it_admin.sql | it_admin |
| security/grants/platform_admin.sql | platform_admin |
| security/grants/report_viewer.sql | report_viewer |
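The grant files themselves are not reproduced on this page. The following is an added example, not the project's security/roles.sql or security/grants/*.sql, showing the T-SQL pattern that the roles table and the grant file list above describe: a role per line of the roles table, membership taken from the FP GER Entra group, schema-level GRANT/DENY for Gold and Bronze, a DENY on Bronze writes for every reader role, and column-level DENYs for sensitive columns. The schemas gold and bronze, the tables gold.dim_customer and gold.fact_sales, the columns email and tax_id, and the assumption that the Entra group principals already exist in the warehouse are all illustrative and not taken from the page.

```sql
-- Added example of the role -> Entra group -> grant pattern (not the project's own grant files).
-- Assumed objects: schemas gold and bronze, tables gold.dim_customer and gold.fact_sales
-- with columns email and tax_id, and the FP GER Entra groups already present as principals.

-- 1. Roles, one per row of the roles table (report_viewer exists but receives no grants,
--    since that profile reaches data only through semantic models).
CREATE ROLE platform_admin;
CREATE ROLE analyst_full;
CREATE ROLE analyst_gold;
CREATE ROLE app_consumer;
CREATE ROLE report_viewer;

-- 2. Membership comes from the Entra security group, never from individual users, so the
--    group (not the warehouse) is the place where "who has access" is audited and changed.
ALTER ROLE platform_admin ADD MEMBER [FP GER Fabric Platform Team (Leads)];
ALTER ROLE analyst_full   ADD MEMBER [FP GER Fabric Analysts Full];
ALTER ROLE analyst_gold   ADD MEMBER [FP GER Fabric Analysts];
ALTER ROLE app_consumer   ADD MEMBER [FP GER Fabric Apps];

-- 3. Schema-level access (platform_admin.sql / analyst_full.sql / analyst_gold.sql pattern).
GRANT CONTROL TO platform_admin;                     -- full control of the database
GRANT SELECT ON SCHEMA::gold   TO analyst_full;
GRANT SELECT ON SCHEMA::bronze TO analyst_full;
GRANT SELECT ON SCHEMA::gold   TO analyst_gold;
DENY  SELECT ON SCHEMA::bronze TO analyst_gold;      -- explicit DENY, not merely no GRANT

-- 4. Bronze write protection (bronze_write_protection.sql pattern). DENY takes precedence
--    over GRANT, so a later, broader GRANT to one of these roles still cannot write Bronze.
DENY INSERT, UPDATE, DELETE ON SCHEMA::bronze TO analyst_full;
DENY INSERT, UPDATE, DELETE ON SCHEMA::bronze TO analyst_gold;
DENY INSERT, UPDATE, DELETE ON SCHEMA::bronze TO app_consumer;

-- 5. app_consumer gets dimension + non-sensitive fact tables listed one by one, never a
--    schema-wide grant, so a new sensitive table in gold is invisible to it by default.
GRANT SELECT ON OBJECT::gold.dim_customer TO app_consumer;
GRANT SELECT ON OBJECT::gold.fact_sales   TO app_consumer;

-- 6. Column-level security (cls_analyst_gold.sql / cls_app_consumer.sql pattern).
--    A column-level DENY overrides the schema- or table-level GRANT above, so analyst_gold
--    can read gold.dim_customer but never these columns.
DENY SELECT ON OBJECT::gold.dim_customer (email, tax_id) TO analyst_gold;
DENY SELECT ON OBJECT::gold.dim_customer (email, tax_id) TO app_consumer;

-- 7. Check: list every GRANT/DENY held by the reader roles, resolved to a securable name.
--    Expect a DENY SELECT on schema bronze for analyst_gold and the two column DENYs;
--    anything else on bronze for these roles means a grant file drifted.
SELECT pr.name           AS role_name,
       pe.state_desc     AS state,
       pe.permission_name,
       CASE pe.class
            WHEN 0 THEN 'DATABASE'
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
       END               AS securable,
       COL_NAME(pe.major_id, pe.minor_id) AS column_name   -- NULL unless column-scoped
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.type = 'R'
  AND pr.name IN ('analyst_full', 'analyst_gold', 'app_consumer')
ORDER BY role_name, state, securable, column_name;
```

Two consequences of the column DENY are worth knowing when supporting analyst_gold or app_consumer users: `SELECT *` against gold.dim_customer fails with a permission error rather than silently dropping the denied columns, so queries must name permitted columns explicitly; and a later table-level GRANT does not lift the column DENY, which is exactly why the CLS files are kept separate from the role grant files.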
Row-Level Security
| Rule File | Description |
|---|---|
| security/rls/commercial_budget_rls.sql | commercial_budget_rls |
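The rule file is listed but not shown on this page. The following is an added example, not the project's security/rls/commercial_budget_rls.sql, of the standard T-SQL row-level security pattern such a rule file would contain: a schema-bound inline table-valued function used as a filter predicate, bound to the fact table by a security policy, followed by the checks a practitioner runs after deploying it. The fact table gold.fact_commercial_budget and its region_code column, the security schema, the scope table and its sample rows are all constructed for illustration and are not from the page.

```sql
-- Added example of the RLS pattern behind commercial_budget_rls.sql (not the project's file).
-- Assumed: table gold.fact_commercial_budget with a region_code column, a security schema
-- for the predicate objects, and the constructed scope rows below.

CREATE SCHEMA security;   -- skip if the schema already exists

-- Scope table: which caller may see which region. USER_NAME() in the predicate resolves to
-- the caller, so rows are keyed by user principal name. '*' is an illustrative wildcard for
-- the platform team; real scope rows should come from a managed source, not hand edits.
CREATE TABLE security.commercial_budget_scope (
    user_principal nvarchar(256) NOT NULL,
    region_code    varchar(8)    NOT NULL
);

INSERT INTO security.commercial_budget_scope (user_principal, region_code) VALUES
    ('alice@contoso.example',        'EMEA'),
    ('bob@contoso.example',          'APAC'),
    ('svc-platform@contoso.example', '*');

-- Inline TVF used as the filter predicate. SCHEMABINDING is required by CREATE SECURITY
-- POLICY and forces two-part names. Returning no row hides the fact row; returning one shows it.
CREATE FUNCTION security.fn_commercial_budget_filter(@region_code varchar(8))
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS fn_result
    FROM security.commercial_budget_scope AS s
    WHERE s.user_principal = USER_NAME()
      AND (s.region_code = @region_code OR s.region_code = '*');

-- Bind the predicate to the fact table. The column passed is the fact table's region_code.
CREATE SECURITY POLICY security.commercial_budget_policy
    ADD FILTER PREDICATE security.fn_commercial_budget_filter(region_code)
    ON gold.fact_commercial_budget
WITH (STATE = ON);

-- Check 1: the policy is enabled and attached to the intended table with the intended
-- predicate. is_enabled = 0 means the rule file ran but the policy was turned off.
SELECT sp.name       AS policy_name,
       sp.is_enabled,
       OBJECT_SCHEMA_NAME(pr.target_object_id) + '.' + OBJECT_NAME(pr.target_object_id)
                     AS target_table,
       pr.predicate_definition
FROM sys.security_policies  AS sp
JOIN sys.security_predicates AS pr ON pr.object_id = sp.object_id
WHERE sp.name = 'commercial_budget_policy';

-- Check 2: run as a scoped user and compare with the scope table. A filter predicate
-- never raises an error; a caller with no scope row simply sees zero rows, so "the report
-- is empty" is the symptom of a missing scope row, not of a broken table.
SELECT region_code, COUNT(*) AS visible_rows
FROM gold.fact_commercial_budget
GROUP BY region_code
ORDER BY region_code;
```

Because the policy is an ordinary database object, any principal with CONTROL on the database (platform_admin in the roles table above) can run `ALTER SECURITY POLICY ... WITH (STATE = OFF)` and expose every row, so changes to the rule file belong in the same reviewed pipeline as the grant files rather than being applied ad hoc.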