Microsoft Fabric · Workspace Roles
Viewer
Read-only access to workspace items. View reports, notebooks, pipelines, and execution output. Read data through TDS endpoints but not through Spark or OneLake APIs.
Scope: Single Fabric workspace - read-only
Permissions
- View - Read content of pipelines, notebooks, Spark job definitions, ML models, experiments, eventstreams
- View - Read content of KQL databases, KQL querysets, real-time dashboards
- Read data (TDS) - Read Lakehouse and Data Warehouse data through SQL analytics endpoint (T-SQL ReadData level)
- View execution output - Pipelines, notebooks, ML models and experiments
Common use cases
- Report consumers
- Auditors and compliance reviewers
- Business stakeholders viewing dashboards without authoring rights
Best practices
- Use for stakeholders who only consume content, not author it
- For broader read access (Spark/OneLake), use Contributor instead
Security considerations
- Viewer can READ data through SQL endpoint but NOT through OneLake/Spark
- Row-Level Security (RLS) and Object-Level Security (OLS) still apply
Common questions
When should I assign the Viewer role?
Assign Viewer when you need to: Report consumers; Auditors and compliance reviewers; and Business stakeholders viewing dashboards without authoring rights. It is part of Microsoft Fabric and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Viewer role do?
The Viewer role grants permissions including: View - Read content of pipelines, notebooks, Spark job definitions, ML models, experiments, eventstreams; View - Read content of KQL databases, KQL querysets, real-time dashboards; Read data (TDS) - Read Lakehouse and Data Warehouse data through SQL analytics endpoint (T-SQL ReadData level); and View execution output - Pipelines, notebooks, ML models and experiments. See the Permissions section above for the full list.
What are the security risks of the Viewer role?
Key considerations when assigning Viewer: Viewer can READ data through SQL endpoint but NOT through OneLake/Spark; and Row-Level Security (RLS) and Object-Level Security (OLS) still apply. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.