Microsoft Fabric RBAC Roles

Microsoft Fabric tenant, capacity, workspace, and governance-domain roles for governing the OneLake data platform with least privilege.

8 roles across 4 categories. Open the interactive map →

Tenant Administration

Tenant-wide Fabric administration: tenant settings, feature governance, audit, capacity, and embed codes.

  • Fabric Administrator

    Tenant-wide Fabric administration. Enable/disable Fabric features, configure tenant settings, monitor usage, manage audit logs, and govern embed codes. Cross-listed from Microsoft Entra ID (this is…

Capacity Administration

Per-capacity administration: assign workspaces to a capacity, manage capacity-level permissions and workload memory.

  • Capacity Administrator

    Per-capacity administration. Assigned when a Fabric/Power BI capacity is created. Controls workspace assignment to the capacity and workload-level memory configuration.

Workspace Roles

Per-workspace permission tiers. Workspaces sit on OneLake and divide the data lake into independently-secured containers.

  • Workspace Admin

    Highest workspace role. Full control over a Fabric workspace including settings, identity, Git integration, and member management.

  • Member

    Add members or others with lower permissions and reshare items. Full item authoring rights but cannot delete the workspace or manage workspace identity.

  • Contributor

    Create and modify items, execute notebooks/pipelines, read all data. Cannot add members, reshare items, or manage workspace settings.

  • Viewer

    Read-only access to workspace items. View reports, notebooks, pipelines, and execution output. Read data through TDS endpoints but not through Spark or OneLake APIs.

Governance Domains

Domain-level grouping of workspaces (e.g. by business function). Domain admins delegate without needing tenant Fabric Administrator.

  • Domain Admin

    Full administration of a Fabric governance domain. Assign workspaces to the domain, configure domain settings, manage domain contributors, and govern the data products published into the domain.

  • Domain Contributor

    Contribute to a Fabric governance domain. Can assign their own workspaces to the domain and publish content into it, but cannot manage domain settings or other contributors.