Authorization in Cloud Management Portal

The Cloud Management Portal (CMP) uses Microsoft Entra for authentication and authorization. Roles and permissions are defined to control access to features within the portal. The Fabric Admin role is a built-in Microsoft Entra role; other roles are custom application roles created for CMP. If the Fabric Admin role is required in the table below, it is required in addition to the application role.

Role-based access in CMP

The following table summarizes the actions available to each role in the CMP. Use this matrix to determine which permissions are required for specific tasks.

Action	Fabric Admin	NCC Admin	NCC Member	NCC Contributor	NCC Reader
Domain Wizard	✅	✅
Read Domains		✅	✅	✅	✅
Update Domains	✅	✅
Delete Domains		✅
Create Environments		✅
Read Environments		✅	✅	✅	✅
Update Environments		✅
Delete Environments		✅
Create new data source		✅	✅	✅
Read data source		✅	✅	✅	✅
Update data source		✅	✅
Delete data source		✅
Read Connections		✅	✅	✅	✅
Delete Connections		✅
Create Variables		✅	✅	✅
Read Variables		✅	✅	✅	✅
Update Variables		✅	✅
Delete Variables		✅
Read Retention		✅	✅	✅	✅
Provision Logging	✅	✅
Create Entity		✅	✅
Entity Wizard		✅	✅	✅
Read Entity		✅	✅	✅	✅
Update Entity		✅	✅	✅
Delete Entity		✅	✅
Promotions		✅	✅	✅
Create Load Planner groups		✅	✅
Read Load Planner groups		✅	✅	✅	✅
Update Load Planner groups		✅	✅	✅
Delete Load Planner groups		✅
Add linked entities to Load group		✅	✅	✅
Remove linked entities from Load group		✅	✅
Read Workspaces		✅	✅	✅	✅
Update Workspaces		✅
Delete Workspaces		✅
Read Lakehouses		✅	✅	✅	✅
Update Lakehouses		✅	✅
Delete Lakehouses		✅

Note
The Fabric Admin role is required in addition to the application role for actions where it is indicated.

For more information about Microsoft Entra roles, see Microsoft Entra documentation.