[BUG] Incorrect tenant-level Fabric Administrator requirement for workspace fab acl ls

[Guust-Franssens]

Question

In the documentation it states that fab acl ls requires the Fabric Administrator role:

fabric-cli/docs/commands/acls/index.md

Lines 22 to 32 in fd4f054

	### ls (dir)
	List access control entries for a workspace, item, or OneLake resource.
	!!! info "Listing ACLs for a workspace or item requires tenant-level Fabric Administrator"
	**Usage:**
	```
	fab acl ls <path> [-l] [-q <query>]
	```

When checking the code, to me it does not seem to use any Admin APIs? For example the workspace acl ls:

fabric-cli/src/fabric_cli/client/fab_api_workspace.py

Lines 76 to 81 in fd4f054

	def acl_list_from_workspace(args: Namespace) -> ApiResponse:
	"""https://learn.microsoft.com/en-us/rest/api/fabric/core/workspaces/list-workspace-role-assignments?tabs=HTTP"""
	args.uri = f"workspaces/{args.ws_id}/roleAssignments"
	args.method = "get"
	return fabric_api.do_request(args)

Context

I have tested the fab acl ls with a user that only has workspace admin privileges (not Fabric Admin privileges) and the command succeeds just fine (even the fab cli states it requires Fabric Admin role).

$ fab acl ls DEMO Fabric CICD-feat-cleanup-workspace-after-branch-deletion.Workspace
! Requires Fabric admin role
acl     identity                               type
------------------------------------------------------------------
Admin   XXXXXXXXXXXXXXXXXXXXXX                 Group
Admin   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   User
Admin   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   ServicePrincipal

fabric-cli version (if relevant)

1.3.1

Operating System (if relevant)

Not applicable

CLI Mode (if relevant)

Not applicable

Have you checked the documentation?

• I have searched existing GitHub issues
• I have reviewed the fabric-cli documentation

Additional Information

No response

[ayeshurun]

/triaged

Hi @Guust-Franssens,

Thank you for bringing this to our attention. Your findings are correct.

As of today, the fab acl ls command on workspaces uses a core Fabric REST API, which allows users with Member role or higher in the workspace to view ACLs without needing the tenant‑level Fabric Administrator role.

The mismatch you spotted is a documentation and wrong warning‑message on our side. We’ll get that fixed.

Appreciate you helping improve the Fabric CLI.

[microsoft-github-policy-service]

Triage has been completed for this issue.