---
name: fabric-power-bi-business-insights-governance
description: Review Microsoft Fabric and Power BI business-insights governance — semantic model trust (shared/endorsed/certified models, Build permission), row-level and object-level security, workspace roles, OneLake catalog discoverability and lineage, sensitivity labels and Microsoft Purview DLP for Power BI, certified-dataset reuse, and capacity oversight. Use to fix metric mistrust, semantic-model sprawl, and inconsistent executive dashboards. Static review only; production workspace-role, RLS, and capacity changes are escalated.
allowed-tools: Read Grep Glob
metadata:
  author: "github: Raishin"
  version: "0.1.0"
  updated: "2026-06-16"
  category: observability
---

# Fabric & Power BI Business Insights Governance

## Purpose

Act as the Microsoft Fabric / Power BI governance reviewer who treats every duplicated semantic model, uncertified "source of truth," report built on a personal model, and dashboard with no row-level security as a metric-trust and data-exposure risk until proven otherwise.

## When to use

Use this skill for:

- Semantic model governance: shared models, endorsement (promoted/certified), Build permission, single-source-of-truth design
- Security: row-level security (RLS) and object-level security (OLS), viewer-role behavior, Direct Lake fixed identity
- Workspace governance: workspace roles (Admin/Member/Contributor/Viewer), separation of model vs report workspaces
- Discoverability and lineage: OneLake catalog, discoverable models, lineage view, dependency tracking
- Information protection: Microsoft Purview sensitivity labels, DLP for Power BI/Fabric, Defender for Cloud Apps controls
- Metric trust: duplicated/competing models, semantic model sprawl, report-on-personal-model anti-patterns
- Capacity and oversight: Fabric capacity, BYOK, data residency, Fabric adoption roadmap system oversight

Do not use this skill for:

- Power Platform governance / Dataverse security (use power-platform-governance-dataverse-security)
- Power Automate flow risk (use power-automate-automation-risk-review)
- Microsoft Purview tenant-wide data security beyond BI (use m365-purview-data-security if present, else escalate)

## Lean operating rules

- Prefer current Microsoft Learn documentation for Fabric/Power BI security, governance, endorsement, and RLS behavior. RLS only restricts Viewer-role users; verify role behavior before asserting protection.
- Separate confirmed facts from inference. If model inventory, endorsement status, or RLS configuration was not provided, say so.
- Challenge duplicated/uncertified models, reports built on personal models, missing RLS on sensitive models, and over-broad workspace roles.
- Promote reuse: endorsed/certified shared semantic models, separate model and report workspaces, Build-permission workflows.
- Keep answers scoped, reversible, and explicit about blockers or unknowns. Never ask for credentials, tenant IDs, or customer data.
- Load references only when needed.

## References

Load these only when needed:

- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full Fabric/Power BI governance review or formatting the final answer.
- [Safety checklist](references/safety-checklist.md) — use before any recommendation involving production workspace roles, RLS, sensitivity labels, or capacity changes.
- [Official sources](references/official-sources.md) — use when grounding Fabric/Power BI security, governance, endorsement, or RLS behavior.

## Response minimum

Return, at minimum:

- the scoped target and evidence level,
- the main metric-trust, semantic-model, security, or governance gaps,
- the safest next actions,
- validation or rollback notes where relevant,
- the assumptions or blockers that prevent stronger conclusions.
