Data Policy precedence compared with RBAC

Jayend Nallas 0 Reputation points
2024-06-18T15:27:46.5833333+00:00

Practical Example

  1. RBAC Configuration:
    • Suppose a user is assigned the "Storage Blob Data Contributor" role at the Azure Data Lake Storage Gen2 account level via Azure IAM. This role provides full access to blobs and containers within the storage account.
  2. Purview Data Policy Configuration:
    • A Purview data policy is configured to deny access to a specific container within the Data Lake Storage Gen2.

Which one takes precedence? I thought the data policy in Purview acts as an additional layer of security and takes precedence in restricting data access. But it is not. Am i missing something?

Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,224 questions
{count} votes

1 answer

Sort by: Most helpful
  1. William Nieto 535 Reputation points
    2024-06-19T01:16:33.0866667+00:00

    In Azure, Role-Based Access Control (RBAC) and Azure Purview data policies work together to manage access to data. Here's how they interact and determine precedence:

    RBAC Configuration: RBAC controls access at a broad level. For example, assigning the "Storage Blob Data Contributor" role to a user at the Azure Data Lake Storage Gen2 account level provides them full access to blobs and containers within that storage account.

    Purview Data Policy: Purview data policies can enforce more granular controls. These policies can either allow or deny access to specific data assets, such as individual containers within the Data Lake Storage Gen2.

    Precedence: When there’s a conflict between RBAC permissions and Purview data policies, the most restrictive policy takes precedence. Therefore, even if a user has the "Storage Blob Data Contributor" role, a Purview data policy denying access to a specific container will override the RBAC permissions, effectively restricting access as intended.

    Azure’s security model is designed to ensure data protection by applying the principle of least privilege. This means the most restrictive access controls are prioritized when there’s a conflict between different access policies.

    Additionally, Azure’s security and access management is designed to be layered and comprehensive, ensuring that data is protected at all levels. This layered approach provides robust security, offering multiple lines of defense to safeguard your data.

    To summarize, in your scenario, the Purview data policy denying access to a specific container should take precedence over the broader RBAC permissions, thus restricting access to that container as intended.

    I hope this clarifies the interaction between RBAC and Purview data policies.

    Here are the links to the official Azure documentation on RBAC and Purview data policies:

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.