Hey everyone, welcome back to the channel. Today we're going to be continuing our DP-600 series and we're going to be looking at implementing and managing a data analytics environment. This is the second part of the DP-600 syllabus, or the study guide, that we're going through on the channel, and today we're going to be going through these particular elements, and these are coming straight from the study guide. So, number one, we're going to be looking at implementing workspace and item-level access control; implementing data sharing for workspace warehouses and lakehouses; managing sensitivity labels; configuring Fabric-enabled workspace settings; and managing Fabric capacity.

We've got five sample questions, so at the end of the video we'll be going through some sample questions to test your knowledge, and as with the last video I'll be posting the key points and links to further resources in the school community, available for free. I'll leave a link in the description for that. We'll continue the scenario that we were developing in the last lesson. You're the main character again. Are you ready? Let's begin.

So just to recap: you are a consultant and you're working with your client, who is called Camila, and in the last engagement you successfully planned their data analytics environment. Now you've won the contract to support Camila in implementing that solution. So Camila is busy doing her resource planning. She's thinking about who she's going to need to support this environment in Fabric, and she's asking for your assistance to help her structure her thoughts and also her team. So let's have a look at what that looks like in Fabric. This is a high-level structure of a Fabric implementation. Now you'll notice that it's hierarchical. At the top we have tenant level.
So this is, kind of, one tenant that you're going to have in your organization. Then below that you might have one or many capacities, and we talked about capacities in the previous lesson; we're going to be doing a bit more on capacities in this lesson as well. Then in each capacity you might have one or multiple workspaces. Then in each workspace we go down to the item level, so you might have a data warehouse and a lakehouse in your workspace. Then we can actually go one level deeper than that, which is called the object level. So within the data warehouse you have dbo.customer: that might be a table in your data warehouse or a view in your data warehouse. That's at the object level.

Now when we're administering Fabric we need to be aware of these different levels, because at each of these different levels administration happens in a different way. In the last lesson we looked at the tenant-level admin settings, so that's mostly things in the admin portal under the tenant settings section. Today we will explore item level a little bit later on, but first I just want to look at how we could administer each of these three top levels. So here we have a table. Now the table isn't complete yet; we're going to walk through it together. So we have the three top levels: we've got the tenant level, the capacity level and the workspace level, and then on the right-hand side we're going to go through what the administrator, or who the administrator, is, what role they require, and also where the admin happens, right? So where are they going to be working, where are the settings that they need to administer at each level.

So starting at the top level we've got the tenant admin. Now to get the rights to be able to be a tenant admin we're actually going to go higher than Fabric: we need an Entra ID role of Global Administrator, Power Platform Administrator or Fabric Administrator, and we looked at what that looks like in the last lesson. They're going to be working predominantly in the Fabric admin portal, so if you have any of these three roles that's going to be available to you and you can configure your tenant settings in there.

One level down, at the capacity level, well, the capacity admin is assigned when you create a new Fabric capacity in Azure. Now where the administration happens: any sort of administration at that capacity level is going to be done either in the Azure portal, as we mentioned before, or in the Fabric admin portal as a section on capacity settings. We're going to have a look at both in a minute.

At the workspace level, so we're going one level down now, you're going to have a workspace admin. They're going to be the person that is kind of in charge of that admin level, and the role required here is a workspace role, so it's going to be a person or a group with the workspace role of Admin, and again we'll have a look at what that means in more detail a bit later on. Now they're going to be doing most of their administration within the workspace settings and also within the manage access, so these are the two areas that they're going to be focusing most of their time on. Now we looked at the tenant-level admin settings previously in the last video; in this lesson we're
going to focus on the capacity-level settings and then the workspace-level settings.

So let's just focus in on the capacity administrator settings for a moment. As I mentioned, there's two real places where capacity administration gets done. Number one is in Azure, because we need to use the Azure portal to purchase a capacity, right? So that's going to be where you go to create a new capacity, delete existing capacities, change the size of a capacity (so if you've got an F2 SKU and you want to go up to an F4, that's going to be done in the admin portal), and also change the capacity administrator, so you can do that within the Azure portal as well. As well as that, within Fabric we can change some of the settings for a particular capacity. So we can do things like enabling disaster recovery, viewing the capacity usage report (so how much is our capacity being used), we can define who can create workspaces within that capacity, we can define who is a capacity administrator, we can update the Power BI connection settings (so who can connect to this capacity or items within this capacity from Power BI, and how does that look), and we can permit workspace admins to size their own custom Spark pools. So this is quite important, right, because you might want to set some sort of limits on the sizing of the Spark pools that workspace owners underneath the capacity, or in this capacity, can use; you might want to limit how high they can go with their Spark pools, because that's going to have quite a big impact on the overall capacity usage. So if you're sitting at the capacity level you might want to add some restrictions on, you know, the custom Spark configurations that happen in your capacity. And we can assign workspaces to the capacity in this section as well.

Okay, so here we are in the portal and I just wanted to show you some of the capacity settings: how to administer a Fabric capacity. I'm going to start right from the beginning: how do you actually set up and buy a capacity? Well, you go to Microsoft Fabric; if it's not already there then you can just search for it here, "Microsoft Fabric". This is going to bring you through to the resource creation tool. We're going to click on Create and we're going to walk through these steps to create a Fabric capacity. So you need a subscription and a resource group, and you can enter the capacity name, so give it a region, change the size (I'm just going to do an F2), select, and here is where you assign the capacity administrator. Again, we can change that afterwards, but you need at least one to set it up. So it's going to give you the estimated cost per month here, and then you press Create and it's going to deploy that capacity. Okay.
So now my capacity has been created. We can click on Go to resource, and this is where we're going to do some of the administration tasks within the Azure portal. So here we can have a look at, well, firstly we can pause it, so if you want to pause the capacity you can do that here, and delete it as well. Down the left-hand side we've got some useful things here: Capacity administrator is where you're going to change your capacity administrator, and we've also got Change size, so if you're finding that F2 is not enough for the workloads that you're running you can change it to F4, or F256 if you've got a spare 40 grand a month to be using on Fabric. I'm going to keep it as an F2. That's just something to bear in mind there.

Okay, now I just want to have a look at what that capacity setting looks like inside Fabric. So if we go to the admin portal and Capacity settings, and if we go over to the Fabric capacity tab here, we can see that Fabric capacity that we've just set up: it's an F2, it's in UK South and it's active. So we've got some actions here. We can change the name, we can have a look at the admin; you can't really do much there. There's a link back into Azure, so if you want to make any changes to it from within Fabric you need to click on this link here. But if you click on the actual capacity name we go through to the capacity settings, right? So this is where you're going to be doing things like enabling disaster recovery, having a look at the usage report for that capacity, turning on notifications (so it's going to give you a notification when you've used x% of your capacity), and updating who is the administrator for that capacity can also be done here, as can changing how we can access Power BI and how Power BI can access data in the capacity. We've also got data engineering settings; it's mainly Spark settings, and this is where we're going to have that permission to permit people to change the custom Spark pooling, right, so either on or off. And we can assign certain workspaces to this capacity, so if you just created a new capacity it's going to be empty and you can move existing workspaces onto that capacity.

So as a workspace administrator we've got a few different options. Here we're stepping down a level into the workspace level, and a workspace administrator, as we mentioned, deals primarily in the workspace settings. Here you can edit the license for the workspace, so change it from, for example, a trial capacity to a Fabric capacity, or from Pro to PPU (Premium Per User). We can also configure connections to Azure as well as configuring Azure DevOps connections, so if you want to use Git version control for this workspace that's going to be done in the workspace settings. Another thing we can do in the workspace settings is set up what's called a workspace identity. Now this is basically having a managed service principal dedicated to your workspace, and it basically means you can connect to things like ADLS Gen2 for things like shortcuts, and you can do that in a kind of trusted workspace access manner. Basically this is another pretty new security feature that they've added quite recently, and I'll be going through more of the security principles in more detail, probably in a separate video at the end of this series, because they're quite important. We can also edit some of the Power BI settings in the workspace settings, and also the Spark settings, so particular default environments that we might want to set up within this workspace, things like that. Just note here that managing access is done through the Manage access section, so it's slightly separate; it's in the same kind of area but it's not necessarily in workspace settings where we add users and add groups into our workspace. We'll have a look
at that in a bit more detail.

Okay, next I just wanted to walk through some of the workspace settings in a bit more detail. So here we are in a workspace; it's called Share Hub. What we're going to be doing is clicking on these dots, and you can see that we've got two here that are useful for a workspace administrator. Number one is Manage access, so this is how we're going to give people access to our workspace, either a person or a group. We can add people in here and we can give them Admin, Member, Contributor or Viewer. If we click on these dots again and then go through to the workspace settings, this is where we're going to be able to edit some of the settings for our workspace. General is where you just do the image and the description, and also domains if you're using domains. License info is where you're going to change the potential capacity and the license that's being used in that workspace. So this one is a trial workspace, so maybe we want to actually change that to an F2; maybe we've got some Fabric capacity, and we can select which one we want to use. I'm going to be using this "fabric F2 learn" capacity, and that's going to change the license for the workspace. We've also got connecting to Azure, connecting to Git, downloading things like the file explorer as well, and enabling caching for shortcuts is another workspace setting we've got here. Managed identities: so if you're on an F64 capacity or higher you can make use of workspace identities, and that's going to basically allow you to create kind of like a managed service principal just for this workspace, so give your workspace an identity and allow it to connect to ADLS Gen2, create your shortcuts, things like that, in a secure manner. Kind of trusted workspace access is what it's called, and if you want to learn more about that I'll leave a link to the workspace identity section in the school community. We can also do things like adding private endpoints and that kind of thing for connecting via Spark to things in Azure. You've got your Spark settings down here for configuring something about the pool that you're using, the Spark pool that is being used in this workspace. You can change the default environment; that's where you're going to be going to add libraries and things like that, so if you want to pre-install Python packages onto your Spark cluster so that every time you run a notebook or start a new notebook you have those libraries there ready to go, that's where you do this, and change some settings for high concurrency and that kind of thing there.

So Camila says: okay, great, I now have some clarity on administering Fabric at the tenant, capacity and workspace level. What I'm not sure about is giving access to the people
on my team. So that's important, right? We build all these things in Fabric, but how can we give people access, the right amount of access, to these items? Let's have a look at that in a bit more detail.

So if we go back to our structure of a Fabric implementation, generally when we're sharing items with people that's really done at these bottom three levels of our Fabric architecture, right? So sharing things in Fabric is normally done at these three levels. Now object-level sharing is possible for the data warehouse and the SQL endpoint in the lakehouse, but I don't think it's assessed as part of this exam; it's not part of the study guide in any way, so we're not going to be covering that in this lesson. There's some documentation on the Microsoft Learn website and I'll leave a link to that if you're interested in object-level sharing, if you want to learn a bit more about that. We're going to be focusing on the workspace-level sharing and item-level sharing.

So let's just start with workspace-level sharing. People or groups can be given workspace-level access, and when sharing, the person or group is assigned a workspace role. As you can see on the right-hand side there, we've got Admin, Member, Contributor and Viewer. Now this role applies to all items in the workspace; for example, a Viewer in the workspace will be able to view all of the items in the workspace. Let's just take a bit of a moment, because roles are really important, and the role that you assign someone dictates basically what they can do in your workspace. This image here comes from the Microsoft documentation; again, I'll leave a link to this in the school community and I definitely recommend you take some time to study it. This is what we're going to be doing here.

So the first thing to note with this diagram, let's just start with the Admin. If you give someone an Admin permission, what can they do? The first thing is that they can update and delete the workspace, so this is a really high-level permission that only maybe one or two people really should have, people that you trust in your organization. They can also add and remove people, including other admins, so it's the only role that allows you to add an admin, add another admin. Next we move down to the Member, and the Member can do similar things to an Admin but they can't add an Admin. Okay, so a Member cannot add an Admin; they can only add people with lower permissions, or other Members. Okay, the other permission that is unique at the Member level is you can give other people the permission to share items. So being able to share items is a fairly high-level thing to do, and you're giving people that permission to share. Okay, so that's something to bear in mind as well.

Then we move down to the Contributor level. Now Contributors can do pretty much everything in the workspace other than, as we see here, deleting the workspace, adding people into the workspace and allowing other people to share. But when you're talking about contributing to Fabric items, anything around lakehouses or warehouses or data pipelines, they have read and write access to all of these things.

So the Viewer has a unique set of permissions, those six green ticks, and if we go kind of from top to bottom: they can view and read content in a data pipeline, a notebook, a Spark job definition, a machine learning model, so they can view kind of the outputs of these things; they can also view and read the content of KQL databases, query sets and real-time dashboards; they can connect to the SQL analytics endpoint of a lakehouse or a data warehouse; and they can read lakehouse and data warehouse data and shortcuts with T-SQL. So the Viewer can basically use SQL to analyze data in either the lakehouse or the data warehouse. What they can't do is access any of the OneLake APIs or Spark, so they can't run Spark jobs or notebooks or anything like that. Now one unique thing about the Viewer permission is in the data pipelines. They can't edit or update any of the activities in a data pipeline, but they can execute and cancel the execution of a data pipeline run, so that's an important kind of edge case to remember for the exam. And they can also, finally, view the output of data pipelines, notebooks and machine learning models. So that's kind of a high-level overview of all of
these workspace roles and what they can do at each level. Again, this is really important to understand for the exam, so I definitely recommend going into the documentation and taking some time to understand these different things, because you'll probably be tested quite a lot on these.

So let's just have a bit of a workspace-level access example. This is John. He is a business analyst working in Camila's team, and Camila has asked you to give him Contributor access to workspace one. This is workspace one; this is the architecture that they've got here. Now this is what John's access currently looks like, where a red box is basically no access at all and a green box is if there's any access, and you can see everything's red, so currently he has no access to anything. You are an Admin in the workspace. Now what steps would you take to give John this access? Have a little think about that and then we'll talk about it in a second.

Okay, so what steps would you take? Well, personally, what I would be asking is: does John fit into an existing security group that has Contributor access to the workspace? Because best practice here is to add people into groups rather than adding them individually; it just makes maintenance in the future a lot easier. Where possible we always want to add people into groups before we add them individually. Now if a security group doesn't exist then you might want to create one for John. Maybe you want to create an analyst security group, so that in the future when another analyst wants to join the team or join the workspace you can just add that person into the group, rather than having this long list of individual Contributors in that workspace. So you create an analyst security group, add John to the security group, and give the group Contributor access to workspace one. So in the picture, how does that update? Well, it looks a bit like this, right? So John now has access to workspace one and everything within it, because we've given him, via the security group, access at that workspace level. You'll notice that workspace two, he still has no access to that; he can't even see that. So that's something to bear in mind when you're giving workspace-level access.

Camila suddenly rings you. She realizes that John shouldn't have access to everything in the workspace; instead she wants you to give him access to the data warehouse only, not the semantic model, not the data pipeline. So how would you change what we've just done to reflect this? So this is what we're looking at here: we want to go from this, which is the arrangement that we've just done for John at the workspace level, to this at the item level. Now this might be important because it kind of reflects quite an important principle when it comes to giving people access, which is the principle of least privilege. Now in general, in data systems and information security, we want to give people the amount of access that they need to perform their roles and nothing more, right? So if you don't technically need access to the semantic model or the data pipeline, then one way of kind of getting around that is to give people item-level access, giving people access to only what they need.

Okay, just to recap on some of the additional permissions: when you share a data warehouse you get these three additional permissions. We have
Read all data using SQL, and what that means is it allows people to read all objects within the warehouse using T-SQL. We also have Read all OneLake data, and with this you're allowing that person to read the underlying OneLake files using Spark, pipelines, anything else basically. So in the top one they can only use SQL; if you give them the second permission it allows them to basically do anything with that data. And the third permission allows the user to build reports on the default semantic model, not any custom models, just the default semantic model. When it comes to the lakehouse these permissions are similar, but they're just worded a little bit differently. So again, if you give them Read all SQL endpoint data it allows them to perform T-SQL on the T-SQL endpoint; if you give them Read all Apache Spark, then again it's going to allow them to run notebooks and Spark code on top of that data; and again, Build reports on the default semantic model does exactly what it says on the tin.

Now one point that I just did want to make here is around the OneLake data access model. Now this is a very newly announced feature, so it might not have made its way into the exam yet, but I do think it's going to have a very big impact on how we manage security in Fabric going forward, so I did want to at least mention it here. I'm not going to be going through it in detail, but I did just want to flag it; you might want to have a look at the documentation page just so that you become aware of it. Now this feature is not really something I've looked at yet much in detail, but just from looking at the documentation, from how I understand it, it's going to allow you to perform RBAC, so role-based access control, on things like folders. So now that they've implemented folders within a workspace, it's going to allow you to define a specific role, or give a specific role access control over that folder, and then the permissions are going to be inherited for every item in that folder. But like I mentioned, it's a preview feature and it's relatively new, so I'd be surprised if they ask you about this in the exam, but it is very important and I do think it will change quite a lot in Fabric, so I wanted to mention it. And if you look at the study guide, it does say for the DP-600 exam that most questions cover features that are generally available; the exam may contain questions on preview features if those features are commonly used. I think at the moment this isn't commonly used because it's only been released a few weeks ago, so that's something to bear in mind.

Camila says: thank you, now I understand workspace-level and item-level sharing in more detail. One last thing before you go: we've been working on this government project and I need to apply sensitivity labeling in a workspace; can you walk me through it?

So what even is a sensitivity label? Well, sensitivity labels are a data governance feature, and they're created and managed in Microsoft Purview. So Fabric items such as a semantic model can be given a sensitivity label such as Confidential, right, and it's for information protection purposes. Now in some industries, labeling data and information with a sensitivity label is necessary for compliance with information protection regulations. Now to apply a sensitivity label in Fabric there's really two main methods. If we go into that item, for example this lakehouse here, what you have in the top toolbar is the sensitivity label, and you can just click on that drop-down and change the sensitivity label in there. The other option is to go into the settings of that particular Fabric item, and you can see that in the left-hand toolbar there you've got Sensitivity label, and you can change the sensitivity label in there. Now one of the options that you can give it, if you go through the settings method, is to apply to downstream items, so again we've got that notion, or that concept, of inheritance: the label that you give it here also applies to everything downstream.

Okay, so now we are going to test some of your knowledge on everything that we've learned in this section of the study guide, and we're going to start with a case study style question. So we're going to go through a bit of a case study and then you're going to be asked three, maybe four, questions
on this particular case study. Let's begin.

Toby creates a new workspace with some Fabric items to be used by data analysts. Toby creates a new security group called Data Analysts; he includes himself as a member of this security group. Toby gives the Data Analysts security group a Viewer role in the workspace. What workspace role does Toby have? Is it A, Viewer; B, Member; C, Admin; or D, Contributor? Pause the video here, have a think, and then we'll move forward to the answer.

So the answer here is C. Now this combines two pretty important concepts to understand when we're looking at workspace-level sharing. Number one is that the creator of a workspace is always given Admin permissions in that workspace. Now we also have Toby with the Viewer role in that workspace, because he's in the security group with the Viewer role, and this is another concept: if you have more than one level of permission within the workspace you're always given the higher level. So he's got the Admin role because he created the workspace and he's got the Viewer role because he's in that security group. Well, the Admin permission is always going to be prioritized; he's always going to take that role over his Viewer role.

So let's continue this case study. Sarah is also a member of that Data Analysts security group. She has no other role in the workspace. Which of the following can Sarah not do in the workspace? A, execute a data pipeline; B, run SQL scripts in the data warehouse; C, run a Spark notebook; or D, review the evaluation metrics of a machine learning model. Now the answer here is C, run the Spark notebook. Now when we're looking at the workspace-level roles and the permissions for each role, we know that Sarah is a Viewer in the workspace; that's the highest level of permission. And you remember that a Viewer role can actually execute a data pipeline in a workspace; they can also run T-SQL scripts in a data warehouse or a SQL endpoint of a lakehouse. What they can't do is run a Spark notebook. Okay, so anything in a notebook, they can have a look at the notebook, but they can't actually execute any code. So C is the right answer, because what we're looking for is what she can not do in the workspace, and D is review the evaluation metrics of a machine learning model, which we know she can do, because she's just reading the output of that model.

To continue this case study again: Toby wants to delegate some of the management responsibility in the workspace. He wants to give this person the ability to share content within the workspace and invite new Contributors to the workspace, but not add new Admins to the workspace. What role should Toby give this person? A, Admin; B, Member; C, Contributor; or D, Viewer. So the answer here is B. Now the key point in the question was "but not add new Admins to the workspace", so we know that to be able to add another Admin into a workspace you need to have Admin permissions yourself. So Toby doesn't want to give that person this ability, basically, so we know it can't be Admin. It's not going to be Viewer, it's not going to be Contributor; we know that the Member is kind of one down from Admin, and that's going to allow you to do all of these three things. They can share content, they can invite other Contributors, because a Member can add new people, either Members or Contributors or Viewers, but they can't add other Admins. So it'd be B, Member.

The next question is completely separate. You have the Admin role in a workspace. Sheila is a data engineer in your team; she currently has no access to this workspace at all. Now Sheila needs to update a data transformation script in a PySpark notebook, and the script gets data from a lakehouse table, cleans it and then writes it to a table in the same lakehouse. Now you want to adhere to the principle of least privilege. What action
should you take to enable this? Is it A, you're going to give Sheila the Contributor role in the workspace; B, share the lakehouse item with Read all Apache Spark data permission; C, give Sheila the Admin role in the workspace; or D, share the lakehouse item with Read all Apache Spark data permission and share the notebook with edit permissions? So the answer here is D. One of the clues in this question was the line where it says you want to adhere to the principle of least privilege, so immediately when you see that, giving people workspace-level access is not really good enough. So A and C are giving a role in the workspace, so it's going to enable her to contribute and change and edit everything in the workspace, but it doesn't adhere to the principle of least privilege, so we can immediately rule out A and C. Another really important point in the question here was "Sheila needs to update a data transformation script in a notebook", so she needs to edit the code in a notebook. She's not just executing an existing notebook; she needs to actually make changes to a notebook, and so for B you wouldn't have that permission. You've got read all data for Spark, so you can actually execute a notebook, but you can't edit a notebook. So to be able to make these changes, she really needs access to the notebook and the lakehouse that that notebook is interfacing with, that that notebook is reading from, because you can't just share the notebook, because then you won't have access to the underlying data, and we can't just share the lakehouse, because you won't have access to the notebook that she needs to edit. So the answer is D: share the lakehouse item, we're giving Spark permissions, and we're also giving edit permissions on the notebook.

Next question. You have the Admin role in a workspace. You want to pre-install some useful Python packages to be used across all notebooks in the workspace. How do you achieve this? A, in the Fabric admin portal go to Spark settings and install the libraries; B, go to workspace settings, Spark settings and then Library management; C, create an environment, install all the packages in the environment, go to the workspace settings, Spark settings, and set it as the default environment; or D, go to capacity settings and then default libraries. So the answer here is C: creating an environment and then going into your workspace settings and setting it as the default environment for Spark. Now this is a bit of a naughty question, because B is the old way. It used to be that you go to workspace settings, Spark settings, and there was a section for Library management, but that's actually not possible anymore. The way to do it, as I mentioned, is to create an environment and then in your Spark settings make it the default environment. A and D, these capabilities don't actually exist, so they're kind of red herrings. So the answer is C.

Camila says thanks; she's seriously impressed with your knowledge again. In this lesson we covered all five of these elements of the DP-600 study guide: workspace and item-level sharing, data sharing for data warehouses and lakehouses, sensitivity labeling, and then workspace and capacity-level settings. And the good news is, again, you've won an extension to the contract. Camila would like you to implement control over the entire analytics development life cycle in her organization, so for this we're talking version control, deployment pipelines, Power BI projects, all that good stuff. That's what we're going to be looking at in the next lesson, so click here to continue that lesson.
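As an added example (not code from the video, and not Microsoft's), here is a small Python model of the workspace-role rules the lesson states: the roles rank Admin above Member above Contributor above Viewer; a user who gets a role through several paths (a direct assignment plus a security group, as in the Toby question) holds the highest one; a Viewer can execute a pipeline and query through the SQL endpoint but cannot run Spark or a notebook; and roles should be granted to security groups rather than to individuals, with Admin kept to one or two trusted people. The assignment records are shaped like the entries of the Fabric REST `GET /v1/workspaces/{workspaceId}/roleAssignments` listing (a principal with id, displayName and type, plus a role); that shape is an assumption here, and the users, groups and ids are constructed sample data.

```python
"""Workspace-role resolution and a least-privilege audit for a Fabric workspace.

Added illustration for the lesson above; not code from the video or from Microsoft.
Sample users, groups and ids are constructed. The assignment record shape follows
the Fabric REST 'GET /v1/workspaces/{workspaceId}/roleAssignments' listing
(principal id/type/displayName plus role) as assumed here.
"""
from __future__ import annotations

# Lowest to highest. A user reachable through several assignments holds the highest.
ROLE_RANK = {"Viewer": 1, "Contributor": 2, "Member": 3, "Admin": 4}

# Who may do what, following the workspace-roles diagram the lesson walks through.
CAPABILITIES = {
    "delete_workspace": {"Admin"},
    "add_admin": {"Admin"},
    "add_member_or_lower": {"Admin", "Member"},
    "grant_reshare": {"Admin", "Member"},
    "write_items": {"Admin", "Member", "Contributor"},
    "run_spark_or_notebook": {"Admin", "Member", "Contributor"},
    "read_onelake_api": {"Admin", "Member", "Contributor"},
    "execute_pipeline": {"Admin", "Member", "Contributor", "Viewer"},
    "read_via_sql_endpoint": {"Admin", "Member", "Contributor", "Viewer"},
    "view_run_output": {"Admin", "Member", "Contributor", "Viewer"},
}

# Constructed sample data (ids are made up). Toby created the workspace, so he
# carries a direct Admin assignment, and he is also a member of the Viewer group.
ASSIGNMENTS = [
    {"principal": {"id": "u-toby", "displayName": "Toby", "type": "User"}, "role": "Admin"},
    {"principal": {"id": "g-analysts", "displayName": "Data Analysts", "type": "Group"}, "role": "Viewer"},
    {"principal": {"id": "g-engineers", "displayName": "Data Engineers", "type": "Group"}, "role": "Member"},
    {"principal": {"id": "u-john", "displayName": "John", "type": "User"}, "role": "Contributor"},
    {"principal": {"id": "u-sam", "displayName": "Sam", "type": "User"}, "role": "Admin"},
    {"principal": {"id": "u-priya", "displayName": "Priya", "type": "User"}, "role": "Admin"},
]
# Entra security-group membership as it would be read from the directory (constructed).
GROUP_MEMBERS = {
    "g-analysts": {"u-toby", "u-sarah"},
    "g-engineers": {"u-sheila"},
}


def role_paths(user_id, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """Every (path, role) pair a user holds, either directly or through a group."""
    paths = []
    for a in assignments:
        p = a["principal"]
        if p["type"] == "User" and p["id"] == user_id:
            paths.append(("direct", a["role"]))
        elif p["type"] == "Group" and user_id in group_members.get(p["id"], set()):
            paths.append((p["displayName"], a["role"]))
    return paths


def effective_role(user_id, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """Highest role over all paths, or None when the user has no access at all."""
    roles = [role for _, role in role_paths(user_id, assignments, group_members)]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def can(role, capability):
    """True when the workspace role covers the capability."""
    return role in CAPABILITIES[capability]


def minimal_workspace_role(needed):
    """Lowest role covering every needed capability (least privilege at workspace level)."""
    for role in sorted(ROLE_RANK, key=ROLE_RANK.__getitem__):
        if all(can(role, c) for c in needed):
            return role
    return None


def audit(assignments=ASSIGNMENTS, max_admins=2):
    """Findings in the spirit of the lesson: prefer groups over people, keep Admin rare."""
    findings = []
    admins = [a["principal"]["displayName"] for a in assignments if a["role"] == "Admin"]
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} Admins ({', '.join(admins)}): only one or two trusted people should hold Admin")
    for a in assignments:
        p = a["principal"]
        if p["type"] == "User" and a["role"] != "Admin":
            findings.append(f"{p['displayName']} holds {a['role']} directly: grant it through a security group instead")
        elif p["type"] == "Group" and a["role"] == "Admin":
            findings.append(f"group {p['displayName']} holds Admin: every member can delete the workspace")
    return findings


if __name__ == "__main__":
    for user in ("u-toby", "u-sarah", "u-sheila", "u-john", "u-nobody"):
        print(user, "->", effective_role(user), role_paths(user))
    print("Viewer can execute pipeline:", can("Viewer", "execute_pipeline"))
    print("Viewer can run notebook:", can("Viewer", "run_spark_or_notebook"))
    print("Lowest role that can share and invite Contributors but not Admins:",
          minimal_workspace_role({"grant_reshare", "add_member_or_lower"}))
    for finding in audit():
        print("FINDING:", finding)
```

Running it prints each sample user's effective role with the paths it came from, answers the Sarah and Toby-delegation questions from the capability table, and lists two audit findings for the constructed data (three Admins, and John holding Contributor directly rather than through a group). `minimal_workspace_role` gives the lowest workspace role for a set of needs; when even that role is broader than the task (the Sheila case, where Contributor would expose the whole workspace), the next step is item-level sharing as the lesson describes.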