Exam DP-700 topic 1 question 21 discussion

Only member or above can modify warehouse items https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces

Viewer - Can view all content in the workspace, but can't modify it. Contributor  - Can view and modify all content in the workspace. Member  - Can view, modify, and share all content in the workspace. Can add Members Admin  - Can view, modify, share, and manage all content in the workspace, including managing permissions. - Can add Admins, Members and can delete workspace. So Contributor is the least role who can view and update the tables (modify the content).

they already have access to DW1

contibutor have read/write access to a warehouse:https://learn.microsoft.com/en-us/fabric/data-warehouse/share-warehouse-manage-permissions

If DW (which need modify permission) already has assigned the right permission only with viewer the User3 could view all items

Assign the Viewer role to User3 to allow viewing all workspace items. Object-level permissions already cover updates to DW1, ensuring least privilege is maintained.

This is a really tricky question and the answer does not just lay in the coarse grained workspace roles https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces The user should be able to view the items in the workspace - VIEWER The user can already update the tables in the DW1 database through object-level permissions So if you apply the Principle of Least privilege, VIEWER is all that is required. All other roles will elevate the user privilege over and above the requirements.

member can create or modify warehouse items according to doc, contributors can’t https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces#-workspace-roles

you could assign viewer role in the workspace which won't overwrite the the appropriate-already-configured object-level permission on dw1 so the user will be able to view all objects in ws1 but will also be able to run update statements within the dw1

Contributor fits the best as being a member would grant the user the power to add other users to the workspace, thus defeating the whole purpose of the question - "Least Privileged Access"

It is not specified that the user should be able to add other users to Workspace. Contributors can modify data, but not add others to Workspace. According to the documentation - Contributor is the least privileged role: https://learn.microsoft.com/en-us/fabric/security/permission-model#workspace-roles

Viewer Can view all content in the workspace, but can't modify it. Contributor  Can view and "modify" all content in the workspace. Member  Can view, modify, and share all content in the workspace. Can add Members Admin  Can view, modify, share, and manage all content in the workspace, including managing permissions. - Can add Admins, Members and can delete workspace. So Contributor is the least role who can view and update the tables (modify the content).

Contributor is the least privilege role according to this. https://learn.microsoft.com/en-us/fabric/security/permission-model

This is wrong in the docs. Read this https://community.fabric.microsoft.com/t5/Service/Create-or-modify-warehouse-items-can-do-with-Contributor-role/m-p/4318708