< Previous Module - Home - Next Module >
A new feature of Purview is Policies, which enables you to secure your data estate from within the Microsoft Purview Governance Portal. This feature is in Preview as of July 2022.
Data access policies can be enforced through Purview on data systems that have been registered in Purview for scanning and data use management. This feature allows Data stewards and owners to grant read, write access to various data stores from within Purview by creating a data access policy through the Policy Management app in the governance portal, enabling a single dashboard view of all access granted to all systems.
A policy is a named collection of policy statements. When a policy is published to one or more data systems under Purview’s governance, it's then enforced by the system. A policy definition includes a policy name, description, and a list of one or more policy statements.
- An Azure account with an active subscription.
- An Azure Data Lake Storage Gen2 Account (see module 00) in same subscription.
- A Azure SQL DB account in same subscription.
- A Microsoft Purview account (see module 01).
- Register data source for data use management
- Create data owner access policy for Azure Storage
| # | Section | Role |
|---|---|---|
| 1 | Configure permissions for policy management actions | Collection Admin |
| 2 | Author and Publish policies for an Azure Storage | Data Source Administrator / Policy Author |
To make a data resource available for policy management, the Data Use Management (DUM) toggle needs to be enabled. A user, who will manage the policies in Purview, will need certain IAM privileges on the resource and MS Purview in order to enable the DUM toggle.
-
Grant IAM privileges to the user on the storage resource. Navigate to the Access Control (IAM) page of the storage account resource. Click on + Add --> Add role assignment. Grant either of the following IAM role combinations:
- Owner
- Both Contributor and User Access Administrator
-
Grant roles to the same user in MS Purview. In Purview grant the same user Data Source Administrator (DSA) and Policy authors role at the root collection level. Navigate to Collections. Click on the root collection. Click on Role assignments
-
Enable Data Use Management. After a source is registered, edit the source. Set the Data Use Management toggle to Enabled as shown below.
💡 Did you know?
DSA role can publish a policy.
Policy authors role can create or edit a policy.
-
In the Microsoft Purview governance portal, navigate to the Data policy feature using the left side panel as shown
-
On the new policy page, enter the Name and Description of the policy and select the New policy statement button, to add a new policy.
-
Select the Effect dropdown and choose Allow.
-
Select the Action dropdown and choose Read or Modify.
-
Select the Data Resources button This will bring up a window to enter the Data resource information. Use the Assets box and enter the Data Source Type and the Name of a previously registered and scanned data source.
-
Select the Continue button and transverse the hierarchy to select and underlying data-object (for example: folder, file, etc.). Select Recursive to apply the policy from that point in the hierarchy down to any child data-objects. Then select the Add button. This will take you back to the policy editor.
-
Select the Subjects button and enter the subject identity as a principal, group, or MSI. Then select the OK button. This will take you back to the policy editor
-
Select the Save button to save the policy.
-
Select the newly created policy from the list of policies on the the Policy portal. Select the Publish button on the right top corner of the page.
-
A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the Publish button.
-
The data source has to be scanned before the policy can be published on it.
A ) True
B ) False -
Which role is needed for a user to be able to publish the policy.
A ) Policy Author
B ) Owner
c ) Data Source Administrator -
Once the policy is published, it cannot be edited
A ) True
B ) False
Purview policies allow you to manage access to data source from within the governance portal.