Microsoft Fabric · Workspace Roles

Viewer

Read-only access to workspace items. View reports, notebooks, pipelines, and execution output. Read data through TDS endpoints but not through Spark or OneLake APIs.

Scope: Single Fabric workspace - read-only

Permissions

  • View - Read content of pipelines, notebooks, Spark job definitions, ML models, experiments, eventstreams
  • View - Read content of KQL databases, KQL querysets, real-time dashboards
  • Read data (TDS) - Read Lakehouse and Data Warehouse data through SQL analytics endpoint (T-SQL ReadData level)
  • View execution output - Pipelines, notebooks, ML models and experiments

Common use cases

  • Report consumers
  • Auditors and compliance reviewers
  • Business stakeholders viewing dashboards without authoring rights

Best practices

  • Use for stakeholders who only consume content, not author it
  • For broader read access (Spark/OneLake), use Contributor instead

Security considerations

  • Viewer can READ data through SQL endpoint but NOT through OneLake/Spark
  • Row-Level Security (RLS) and Object-Level Security (OLS) still apply

Common questions

When should I assign the Viewer role?

Assign Viewer when you need to: Report consumers; Auditors and compliance reviewers; and Business stakeholders viewing dashboards without authoring rights. It is part of Microsoft Fabric and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Viewer role do?

The Viewer role grants permissions including: View - Read content of pipelines, notebooks, Spark job definitions, ML models, experiments, eventstreams; View - Read content of KQL databases, KQL querysets, real-time dashboards; Read data (TDS) - Read Lakehouse and Data Warehouse data through SQL analytics endpoint (T-SQL ReadData level); and View execution output - Pipelines, notebooks, ML models and experiments. See the Permissions section above for the full list.

What are the security risks of the Viewer role?

Key considerations when assigning Viewer: Viewer can READ data through SQL endpoint but NOT through OneLake/Spark; and Row-Level Security (RLS) and Object-Level Security (OLS) still apply. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →