Workspace Roles
Fabric workspace roles control who can see, edit, and manage items within each workspace. This is Layer 3 of the 7-layer RBAC stack. Workspace roles are managed as Terraform code in terraform/environments/ENV/terraform.tfvars and deployed via the infra-deploy.yml pipeline.
Fabric Workspace Roles Reference
| Role | Capabilities |
|---|---|
| Admin | Full control: create/delete items, manage access, manage git connections |
| Member | Create items, share items; cannot manage workspace settings |
| Contributor | Create and edit items; cannot share or manage settings |
| Viewer | View items only (sufficient for SQL endpoint queries) |
SPN Workspace Roles Matrix
Service principals have fixed roles across all environments:
| SPN | Gold | Bronze | Semantic | Reports | Purpose |
|---|---|---|---|---|---|
| sp-fabric-platform-admin | Admin | Admin | Admin | Admin | Terraform management, fabric-cicd deployment |
| sp-fabric-data-worker | Contributor | -- | -- | -- | dbt warehouse builds (needs write to Gold only) |
Key constraint: SPNs cannot own semantic models because they lack Pro licenses. Semantic model ownership must be held by geris_fabric_admin@geris.nl.
Fabric Admin — Break-Glass Access (always Admin)
geris_fabric_admin@geris.nl (object ID b7cc889d-ba72-4ff6-b557-bd14d56f38c9) is granted Admin on every workspace the platform provisions — DEV, UAT, PROD, and every feature environment — for all four tiers (Gold, Bronze, Semantic, Reports). This is the break-glass / tenant-visibility identity and must never be omitted.
Implemented in terraform/main.tf as four unconditional module calls gated only on the workspace's existence:
```hcl
module "fabric_admin_gold"     { ... count = var.create_gold_workspace ? 1 : 0 }
module "fabric_admin_bronze"   { ... count = var.create_bronze_workspace ? 1 : 0 }
module "fabric_admin_semantic" { ... }
module "fabric_admin_reports"  { ... }
```
The principal id/type are overridable via fabric_admin_principal_id and fabric_admin_principal_type in terraform/variables.tf if the account is ever rotated. Any script or manual API path that creates a Fabric workspace must also grant this principal Admin before reporting success.
Two-Tier Platform Access
Per ADR-20, deployed workspaces (DEV, UAT, PROD) are read/deploy-only for human users. All content changes must go through the pipeline: feature branch, PR, merge, deploy.
| Security Group | Gold | Bronze | Semantic | Reports | Rationale |
|---|---|---|---|---|---|
| FP GER Fabric Platform Team (Leads) | Admin | Admin | Admin | Admin | Full operational governance, incident response, manual interventions |
| FP GER Fabric Developers | Viewer | Viewer | Viewer | Viewer | Read-only on deployed workspaces; Contributor on their own feature workspaces. Edits flow feature branch -> PR -> pipeline. |
| FP GER Fabric Consultants | -- | -- | Viewer | Viewer | External Power BI consultants. Same read-only-on-deployed model as Developers, but scoped to Semantic + Reports only -- no Gold or Bronze access. Contributor on their own feature workspaces (pre-provisioned by an admin, Workflow 5). |
Why Viewer for Developers? This prevents direct edits to deployed environments. Developers can view data and troubleshoot, but all changes must go through code review (PR) and automated deployment. This keeps the git repository as the single source of truth and ensures every change is auditable.
Why Admin for Leads? Leads need Admin for operational tasks that cannot be automated: manual refreshes during incidents, workspace settings changes, git connection management, and emergency fixes. The git audit trail covers automated deployments; Lead actions are tracked in the Fabric activity log.
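The break-glass rule above and the ADR-20 two-tier model can be enforced as a pre-apply check on the role map. The block below is an added example, not the project's own code; the dict layout of the assignments and the sample data are assumptions standing in for terraform.tfvars.

```python
"""Added example (not the project's own code): a policy check that encodes
the rules this page states, run against a tfvars-like role map before apply.
  1. The break-glass account is Admin on every provisioned workspace.
  2. On deployed environments (DEV/UAT/PROD) Developers are at most Viewer.
  3. Consultants never hold any role on Gold or Bronze.
The dict layout and the sample data are assumptions/constructed."""

BREAK_GLASS_ID = "b7cc889d-ba72-4ff6-b557-bd14d56f38c9"  # geris_fabric_admin (from the page)
DEVELOPERS = "FP GER Fabric Developers"
CONSULTANTS = "FP GER Fabric Consultants"
DEPLOYED_ENVS = ("DEV", "UAT", "PROD")
ROLE_RANK = {"Viewer": 0, "Contributor": 1, "Member": 2, "Admin": 3}


def check_workspace_roles(env, assignments, created):
    """assignments: {tier: [(principal, role), ...]}; created: {tier: bool}.
    Returns the list of violations; an empty list means the plan is compliant."""
    problems = []
    for tier, exists in created.items():
        if not exists:               # e.g. a feature env that skips Bronze
            continue
        roles = dict(assignments.get(tier, []))
        if roles.get(BREAK_GLASS_ID) != "Admin":
            problems.append(f"{env}/{tier}: break-glass principal missing or not Admin")
        dev_role = roles.get(DEVELOPERS)
        if env in DEPLOYED_ENVS and dev_role and ROLE_RANK[dev_role] > ROLE_RANK["Viewer"]:
            problems.append(f"{env}/{tier}: Developers hold {dev_role}, ADR-20 allows Viewer only")
        if tier in ("gold", "bronze") and CONSULTANTS in roles:
            problems.append(f"{env}/{tier}: Consultants must not have access")
    return problems


# Constructed sample for UAT with two deliberate drifts (Bronze, Reports).
SAMPLE_CREATED = {"gold": True, "bronze": True, "semantic": True, "reports": True}
SAMPLE_ASSIGNMENTS = {
    "gold": [(BREAK_GLASS_ID, "Admin"), (DEVELOPERS, "Viewer"),
             ("sp-fabric-data-worker", "Contributor")],
    "bronze": [(BREAK_GLASS_ID, "Admin"), (DEVELOPERS, "Contributor")],
    "semantic": [(BREAK_GLASS_ID, "Admin"), (CONSULTANTS, "Viewer")],
    "reports": [(DEVELOPERS, "Viewer"), (CONSULTANTS, "Viewer")],
}

if __name__ == "__main__":
    for p in check_workspace_roles("UAT", SAMPLE_ASSIGNMENTS, SAMPLE_CREATED):
        print("VIOLATION:", p)
```

Run it as a step in infra-deploy.yml before `terraform apply` so a PR that drops the break-glass principal or promotes Developers on a deployed workspace fails the pipeline instead of landing.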
SQL Endpoint Access Groups
Data consumer groups need Viewer role on workspace SQL endpoints to run queries. These are managed via separate Terraform variables (sql_endpoint_role_assignments and bronze_sql_endpoint_role_assignments).
| Security Group | Gold SQL Endpoint | Bronze SQL Endpoint | Purpose |
|---|---|---|---|
| FP GER Fabric Analysts | Viewer | -- | Analysts querying non-sensitive Gold tables |
| FP GER Fabric Analysts Full | -- | Viewer | Analysts querying Bronze (ax, dataverse, datacollect) |
| FP GER Fabric Apps | Viewer | -- | Service accounts and applications querying Gold |
Note: FP GER Fabric Analysts Full gets Viewer on the Bronze workspace (not just the SQL endpoint), which grants access to the Bronze SQL endpoint. They do NOT get Gold workspace Viewer -- their Gold access comes through the analyst_full SQL role.
Workspace App Access Model
Business users access reports exclusively through the Fabric Workspace App published from the Reports workspace. They do NOT get direct workspace Viewer access. This is the same access model as the legacy system.
```mermaid
graph TD
    subgraph "DEV Environment"
        DEV_WS[Reports Workspace]
        DEV_NOTE["No workspace app<br/>Platform team only"]
    end
    subgraph "UAT Environment"
        UAT_WS[Reports Workspace]
        UAT_APP["Workspace App<br/>UAT-specific audience"]
        UAT_GRP["FP GER Fabric Platform Team<br/>(internal validation)"]
        UAT_WS --> UAT_APP --> UAT_GRP
    end
    subgraph "PROD Environment"
        PROD_WS[Reports Workspace]
        PROD_APP["Workspace App<br/>PROD business groups"]
        PROD_SEC["Logistics | Trade | Finance | Supply | MT"]
        PROD_WS --> PROD_APP --> PROD_SEC
    end
```
DEV -- No Business Access
No workspace app is published. DEV is a development environment -- business users never see it. Only the platform team (Leads + Developers via Viewer role) can access DEV workspaces.
UAT -- Internal Validation
A workspace app is published with a UAT-specific audience for internal testing and validation:
| Section | Audience Groups |
|---|---|
| All sections | FP GER Fabric Platform Team (internal validation only) |
The UAT audience is independent of PROD -- different groups can access UAT vs PROD. This allows testing with a limited audience before exposing reports to the full business.
PROD -- Business Groups
The workspace app is published with tab-level audience control. Each report section is visible only to the relevant business groups:
| Section | Audience Groups |
|---|---|
| Logistics | FP GER Logistics, FP GER Supply Chain |
| Trade | FP GER Commercie, FP GER Derivatives |
| Finance | FP GER Finance |
| Supply | FP GER Supply Chain, FP GER Logistics |
| MT | FP GER Management Team |
Configuration
Workspace app audience is configured in deployment/ENV.yml under workspace_app.sections[].audience_groups[]:
```yaml
workspace_app:
  name: "Geris Fabric Reports"
  sections:
    - name: "Trade Reports"
      audience_groups:
        - display_name: "FP GER Commercie"
          object_id: "<entra-object-id>"
        - display_name: "FP GER Derivatives"
          object_id: "<entra-object-id>"
```
The scripts/publish_workspace_app.py script (called from fabric-deploy.yml after report deployment) reads this config and publishes the workspace app with the specified audience. Audience changes are auditable via git log -- deployment/*.yml.
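Two checks a reviewer wants before an audience change is published: that no placeholder or malformed object ID slips into a section, and a per-section summary of which groups were added or removed. The block below is an added example, not scripts/publish_workspace_app.py; the config is shown as a Python dict standing in for the parsed deployment/ENV.yml (an assumption), and all object IDs are constructed.

```python
"""Added example (not scripts/publish_workspace_app.py): pre-publish checks on
the workspace_app audience config, plus a per-section diff for PR review.
The config is a Python dict standing in for the parsed deployment/ENV.yml
(an assumption); all object IDs below are constructed sample values."""
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

def validate_audiences(config):
    """Return a list of problems; publish only when it is empty."""
    problems = []
    for section in config["workspace_app"]["sections"]:
        name, seen = section["name"], set()
        groups = section.get("audience_groups", [])
        if not groups:
            problems.append(f"{name}: no audience groups")
        for g in groups:
            oid = g.get("object_id", "")
            if not GUID_RE.match(oid):  # also rejects the '<entra-object-id>' placeholder
                problems.append(f"{name}: {g['display_name']} has invalid object_id {oid!r}")
            if oid in seen:
                problems.append(f"{name}: duplicate group {oid}")
            seen.add(oid)
    return problems

def audience_diff(old, new):
    """{section: (added_groups, removed_groups)} for sections whose audience changed."""
    def by_section(cfg):
        return {s["name"]: {g["display_name"] for g in s.get("audience_groups", [])}
                for s in cfg["workspace_app"]["sections"]}
    o, n = by_section(old), by_section(new)
    changes = {}
    for name in sorted(set(o) | set(n)):
        added = sorted(n.get(name, set()) - o.get(name, set()))
        removed = sorted(o.get(name, set()) - n.get(name, set()))
        if added or removed:
            changes[name] = (added, removed)
    return changes

def _cfg(groups):  # builds a one-section config from (display_name, object_id) pairs
    return {"workspace_app": {"name": "Geris Fabric Reports", "sections": [
        {"name": "Trade Reports",
         "audience_groups": [{"display_name": d, "object_id": i} for d, i in groups]}]}}

CURRENT = _cfg([("FP GER Commercie", "11111111-2222-3333-4444-555555555555"),
                ("FP GER Derivatives", "<entra-object-id>")])     # placeholder left in
PROPOSED = _cfg([("FP GER Commercie", "11111111-2222-3333-4444-555555555555"),
                 ("FP GER Derivatives", "66666666-7777-8888-9999-aaaaaaaaaaaa"),
                 ("FP GER Finance", "bbbbbbbb-cccc-dddd-eeee-ffffffffffff")])
```

Posting the `audience_diff` output as a PR comment makes the git-log audit trail readable at review time rather than only after the fact.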
Terraform Configuration
Workspace roles are defined in terraform/environments/ENV/terraform.tfvars:
- `gold_role_assignments` -- Gold workspace roles (SPNs + platform groups)
- `bronze_role_assignments` -- Bronze workspace roles
- `semantic_role_assignments` -- Semantic workspace roles
- `reports_role_assignments` -- Reports workspace roles
- `sql_endpoint_role_assignments` -- Gold SQL endpoint access groups
- `bronze_sql_endpoint_role_assignments` -- Bronze SQL endpoint access groups
DEV and UAT tfvars are already populated. PROD is populated during Epic 10 (Go-Live).
How to Activate Security Groups
- Create `FP GER Fabric Developers` in Azure Portal (Entra ID > Groups) if not already created
- Note Object IDs for all groups from the Azure portal
- Edit tfvars for the target environment with the Object IDs
- Open a PR -- the `infra-deploy.yml` pipeline applies Terraform changes on merge
- Verify in the Fabric portal that roles appear correctly
Related Pages
- RBAC Architecture -- 7-layer overview
- SPN Access Map -- service principal identity model
- Warehouse Roles -- SQL-level role definitions