DP-600 Maintain a data analytics solution
Maintain a data analytics solution
Detailed list of DP-600 knowledge points
Maintain a data analytics solution Detailed Explanation
1. Definition & mental model
Think of “maintaining” a Fabric analytics solution as keeping a living product safe, trustworthy, and deployable. You’re not just building reports once—you’re continuously:
Governing access and trust (who can see what, how data is labeled, and what’s promoted for reuse).
Managing change safely (version control, controlled deployments, and understanding downstream impact).
In DP-600 terms, this Parent blends two skills: security & governance plus development lifecycle operations.
2. Key concepts & data flows
A practical way to picture the flow:
People & roles enter through a Workspace (team boundary).
They interact with items—like a Semantic Model (Dataset), Lakehouse, Warehouse, reports, and pipelines.
Access controls decide what they can do:
Workspace-level access controls: broad permissions tied to the Workspace (e.g., can publish, can manage).
Item-level access controls: permissions on specific items (who can view/edit a particular semantic model or report).
Data-level controls inside models and files:
Row-level security (RLS): restrict rows.
Column-level/object-level security (CLS/OLS): hide columns/objects.
File-level access control: control access to underlying files/artifacts when applicable.
- Governance signals change how items are discovered and trusted:
Sensitivity labels: classification that influences handling and sharing expectations.
Endorsements: signals like “Promoted/Certified” (trust and discoverability cues).
Then, for change management:
Source changes live in versioned assets (e.g., Power BI Desktop project (.pbip)).
Those changes move across environments via Deployment Pipeline (dev → test → prod).
Impacts are checked using dependency/impact analysis before or after a release.
3. Typical deployment and operations scenarios
Scenario A: Secure sharing across teams
You manage a shared Workspace containing a Semantic Model (Dataset) used by Finance and Sales.
Finance can see all rows; Sales can only see their region (RLS).
Analysts can build reports, but only a few maintainers can edit the semantic model.
You apply sensitivity labels to the semantic model and key reports so handling rules stay consistent.
You endorse the “gold” semantic model so builders can find the right asset quickly and stop duplicating datasets.
Scenario B: Controlled releases with fewer surprises
A team iterates daily, but production must stay stable.
You connect the Workspace to version control and standardize development in .pbip format for reviewable changes.
You use a Deployment Pipeline to push tested changes forward.
Before deploying a schema change to a Lakehouse/Warehouse-backed model, you run impact analysis to identify downstream reports and other dependencies that will break or change behavior.
Scenario C: Enterprise admin-style maintenance
In a larger org, you might need to:
Deploy/manage semantic models via the XMLA Endpoint (for enterprise workflows and tooling).
Publish reusable assets (templates like .pbit, connection definitions like .pbids, and shared semantic models) so teams can start from approved patterns instead of reinventing.
4. Common mistakes, risks, and troubleshooting hints
Mixing up Workspace roles vs item permissions: a user can be “in the Workspace” but still fail to access a specific item (or vice versa). When troubleshooting, confirm both layers.
Assuming RLS is “on” without testing the user experience: always validate using a test identity or role-based checks—especially after deployment.
Forgetting the governance “signals”: without sensitivity labels and endorsements, users often duplicate datasets because they can’t tell what’s approved.
Pipeline surprises: deployments can shift configuration or dependencies if environments aren’t aligned. When a deployment “worked” but users report missing access, re-check permissions and model security settings post-deploy.
Skipping impact analysis: changes to a Semantic Model (Dataset), Lakehouse, or Warehouse schema can quietly break reports; impact analysis is your early warning system.
5. Exam relevance & study checkpoints
What you’ll be expected to do (at a high level):
Map a requirement to the right control: Workspace-level, item-level, RLS/CLS/OLS, or file-level.
Choose when to use sensitivity labels and endorsements to improve governance and reuse.
Explain how to set up and operate the lifecycle: version control, .pbip, Deployment Pipeline, impact analysis, and XMLA Endpoint management.
Diagnose common symptoms: “user can’t see data,” “deployment changed behavior,” or “downstream reports broke after a model update.”
6. Summary and suggested next steps
If you remember only one thing: maintaining a Fabric solution is govern + ship safely.
Govern: roles/permissions + data security + labels/endorsements.
Ship: version control + .pbip workflow + deployment pipelines + impact analysis + enterprise model operations via XMLA.
Next, we’ll move into preparing data—where you’ll focus on ingestion choices, transformation patterns, and query/analysis behaviors.
Maintain a data analytics solution (Additional Content)
Implement security and governance
Layering access controls without “permission spaghetti”
A high-signal way to reason about Fabric security is to separate where control is applied:
Workspace-level access controls: who can manage/publish/manage the overall container. Use this for “team boundary” and operational privileges.
Item-level access controls: who can read/edit a specific item (like a Semantic Model (Dataset) or report). Use this for “asset boundary” and reuse scenarios (many teams, one governed asset).
Data-level controls inside the model:
Row-level security (RLS): restrict records (most common for region/BU separation).
Column-level/object-level security (CLS/OLS): hide sensitive attributes or whole tables/objects (use when “seeing the column exists” is itself sensitive).
File-level access control: use when access must be constrained at the file/artifact layer (common in broader governance programs, and when raw files should never be broadly browsable).
A practical exam-grade rule: Workspace is for operations, item is for reuse boundaries, RLS/OLS is for “what data appears,” and labels/endorsements are for governance signals—not access.
Security interactions that cause “looks like a bug” symptoms
Many “mystery issues” are simply interactions between layers:
RLS + relationships + measures: totals can look “wrong” if the security filter propagates in unexpected directions or if a measure assumes a broader context than the secured slice.
Item permission vs data permission: a user may open a report (item access) but see blank visuals (data-level security or missing permission to the underlying Semantic Model (Dataset)).
OLS/CLS vs report visuals: visuals can error or silently omit fields when the model hides columns/objects; this is expected behavior, not a refresh failure.
When debugging, always ask: “Is the failure at Workspace entry, item open, model query, or row/column visibility?”
Sensitivity labels & endorsements: what they change vs what they don’t
Treat these as governance “signals” with side effects on handling and trust:
Sensitivity labels: communicate classification expectations (how the item should be handled/shared) and can integrate into broader governance controls and auditing patterns.
Endorsements (Promoted/Certified): communicate trust and discoverability. They’re a “use this first” hint for builders.
What they do not do: they do not magically grant access. A common trap is assuming “Certified” means “everyone can open it.” Certified can still be locked down by Workspace/item/security rules.
Troubleshooting decision path (fast and exam-friendly)
When the prompt says “User can find it but can’t use it,” walk this order:
Can the user access the Workspace at all? (Workspace-level access controls)
Can the user open the item (report / Semantic Model (Dataset))? (item-level access controls)
If the item opens but visuals are blank/wrong:
Check RLS role mapping and effective identity
Check OLS/CLS (missing fields)
Check relationship paths that carry the security filter
If users complain “it’s labeled/certified but still blocked,” explain the separation: governance signals ≠ permissions.
Maintain the analytics development lifecycle
Version control + .pbip: make changes reviewable
A strong lifecycle setup is about making changes auditable and safe:
Configure version control for a Workspace so model/report changes are trackable and revertible.
Use Power BI Desktop project (.pbip) format when you want clearer diffs and cleaner reviews than “one big binary file.”
Standardize what “done” means in PRs: updated measures, updated model metadata, and a short “impact note” describing downstream risk (reports/pages affected).
Exam pattern: if the prompt mentions “reviewable changes,” “team collaboration,” or “controlled promotion,” it’s usually nudging you toward version control + .pbip + Deployment Pipeline.
Deployment Pipeline: promotion with environment awareness
A Deployment Pipeline is not just “copy dev to prod.” The hard part is what must differ between environments:
Data source bindings and credentials can be environment-specific.
Capacity/workspace constraints may differ (performance changes can appear “after deploy”).
Security validation must be repeated after promotion (role mappings, item access, and any environment-specific identities).
A reliable checklist after each stage promotion:
Validate “can open” (item-level access controls)
Validate “can query” (model access + refresh/connectivity)
Validate “sees correct slice” (RLS/OLS/CLS)
Validate “performance stayed acceptable” (at least one representative report)
Impact analysis: think “blast radius,” not “root cause”
For DP-600-style impact analysis of downstream dependencies, focus on what breaks when you change:
Upstream: Lakehouse/Warehouse/Dataflow Gen2 schema and data shape
Middle: Semantic Model (Dataset) tables, relationships, measures
Downstream: Reports, visuals, and any reused assets built atop the model
A solid exam response explains impact in plain language:
“This change alters a column used by measures, so reports using those measures will break or change totals.”
“This refresh timing change alters data freshness; consumers may see stale data during peak hours.”
XMLA Endpoint: why it shows up in enterprise scenarios
The XMLA Endpoint typically appears when:
You need enterprise-scale management and automation patterns
You manage semantic models with more advanced tooling and deployment workflows
You need repeatable operations (deploy, compare, validate) beyond click-ops
In exam prompts, keywords like “enterprise automation,” “central dataset management,” or “scripted deployment” often indicate XMLA Endpoint is relevant.
Reusable assets: reduce drift across teams
Reusable assets are how you stop “metric drift” and “duplicate models”:
Power BI template (.pbit): standard report patterns without embedding sensitive data.
Power BI data source (.pbids): consistent connection definitions.
Shared semantic models: the real “single source of truth” for measures and business logic.
A practical governance tie-in: templates and shared models should usually be paired with clear labels/endorsement policies so builders know what is “approved.”
Frequently Asked Questions
How do workspace roles interact with item-level permissions in Microsoft Fabric?
Workspace roles define baseline access to all items in a workspace, while item-level permissions can extend or restrict access for specific artifacts.
Fabric workspace roles such as Admin, Member, Contributor, and Viewer apply broadly to all items in that workspace. These roles determine default capabilities such as editing content, managing pipelines, or viewing reports. Item-level permissions allow more granular control for individual artifacts like semantic models or reports. For example, a user who is not a workspace member may still receive access to a specific report if explicitly granted permission. However, item permissions cannot elevate capabilities beyond the role’s limitations for workspace members. A Viewer role, even with item access, cannot modify content. Governance strategies typically rely on workspace roles for baseline security and item permissions for selective sharing scenarios.
Demand Score: 78
Exam Relevance Score: 86
What governance controls are available through Fabric tenant settings?
Fabric tenant settings allow administrators to centrally control capabilities such as data sharing, external access, workspace creation, and feature availability across the organization.
Tenant settings are configured in the Fabric admin portal and apply globally or to selected security groups. Administrators can restrict who can create workspaces, enable or disable features like external data sharing, and enforce organizational governance rules. These settings are critical for controlling adoption and preventing uncontrolled resource creation. For example, limiting workspace creation to a governance group ensures that environments follow naming standards and lifecycle processes. Tenant settings also regulate features such as cross-tenant sharing, export capabilities, and integration options. Because these policies apply before workspace-level configuration, they serve as a foundational governance layer in enterprise Fabric deployments.
Demand Score: 71
Exam Relevance Score: 84
How do deployment pipelines support the analytics development lifecycle in Microsoft Fabric?
Deployment pipelines enable controlled promotion of Fabric items between development, test, and production workspaces.
A deployment pipeline organizes workspaces into stages that represent different lifecycle environments. Developers create and modify artifacts such as semantic models, notebooks, or reports in the development stage. Once validated, the pipeline promotes these items to the test stage and eventually to production. The pipeline tracks item relationships and deployment differences to ensure consistency across environments. This structured process helps prevent accidental overwrites and supports governance policies for controlled releases. Pipelines also allow selective deployment of individual artifacts rather than entire workspaces, enabling teams to update specific components while maintaining stability in production environments.
Demand Score: 70
Exam Relevance Score: 82
What commonly causes deployment failures when promoting items through Fabric deployment pipelines?
Deployment failures often occur due to missing dependencies, incompatible workspace configurations, or mismatched data sources.
Fabric items frequently depend on other artifacts such as semantic models, dataflows, or linked services. If these dependencies do not exist in the target workspace, the deployment pipeline may fail or skip deployment. Another common issue occurs when workspace settings differ between environments—for example, when required capacities or features are not enabled in the destination workspace. Data source configuration differences, such as credentials or gateway mappings, can also cause failures during deployment. To prevent these issues, teams typically standardize workspace configurations and ensure all required dependencies are present before promoting artifacts between environments.
Demand Score: 67
Exam Relevance Score: 79
