Exam DP-700 topic 1 question 21 discussion

Viewer - Can view all content in the workspace, but can't modify it. Contributor  - Can view and modify all content in the workspace. Member  - Can view, modify, and share all content in the workspace. Can add Members Admin  - Can view, modify, share, and manage all content in the workspace, including managing permissions. - Can add Admins, Members and can delete workspace. So Contributor is the least role who can view and update the tables (modify the content).

Only member or above can modify warehouse items https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces

D is correct

View all the items in Workspace1. Update the tables in DW1. You already assigned the appropriate object-level permissions to DW1. Contributor Can view and modify all content in the workspace. So it is higer option] Viewer + object-level is enough

as per this doc, contributor can create and modify warehouse item : https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces

Explanation: You need to ensure that User3 can: View all items in the workspace Update tables in DW1 Follow the principle of least privilege Roles breakdown: Admin: Too much access (can delete, manage roles, settings, etc.) Member: Also more permissions than needed (can publish and manage content broadly) Viewer: Read-only — cannot update DW1 ✅ Contributor: Can view all items Can edit datasets, dataflows, pipelines, and warehouses (if object-level permissions are granted) Fits the least privilege principle

Contributor role

The Viewer role allows a user to: See all items in the workspace Cannot open notebooks or pipelines Cannot run queries or update data, even if object-level permissions are granted Viewer role is strictly read-only at the workspace level, regardless of object-level permissions. Why Contributor is correct: Can view all items in the workspace Can interact with items (like run pipelines, notebooks) With object-level permissions, can update data in DW1 Does not have management privileges (unlike Member or Admin) Contributor + object-level permissions = just enough rights to view and update without overreaching — perfect for least privilege.

they already have access to DW1

contibutor have read/write access to a warehouse:https://learn.microsoft.com/en-us/fabric/data-warehouse/share-warehouse-manage-permissions

If DW (which need modify permission) already has assigned the right permission only with viewer the User3 could view all items

Assign the Viewer role to User3 to allow viewing all workspace items. Object-level permissions already cover updates to DW1, ensuring least privilege is maintained.

This is a really tricky question and the answer does not just lay in the coarse grained workspace roles https://learn.microsoft.com/en-us/fabric/get-started/roles-workspaces The user should be able to view the items in the workspace - VIEWER The user can already update the tables in the DW1 database through object-level permissions So if you apply the Principle of Least privilege, VIEWER is all that is required. All other roles will elevate the user privilege over and above the requirements.

member can create or modify warehouse items according to doc, contributors can’t https://learn.microsoft.com/en-us/fabric/fundamentals/roles-workspaces#-workspace-roles

you could assign viewer role in the workspace which won't overwrite the the appropriate-already-configured object-level permission on dw1 so the user will be able to view all objects in ws1 but will also be able to run update statements within the dw1

Contributor fits the best as being a member would grant the user the power to add other users to the workspace, thus defeating the whole purpose of the question - "Least Privileged Access"

It is not specified that the user should be able to add other users to Workspace. Contributors can modify data, but not add others to Workspace. According to the documentation - Contributor is the least privileged role: https://learn.microsoft.com/en-us/fabric/security/permission-model#workspace-roles