azure purview access permission

Question

azure purview access permission

sakuraime 2,346

What's the web address of a azure purview account ( suppose I am not access purview from Azure portal) .
apart from the role assignments in each individual 'Collections' , do I need extra permission grant at other level , such as IAM at Purview Account level ? I found if i just grant 'Data Readers' at collections level , that people still can't access.

any idea ?

PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-18T09:24:41.473+00:00
Hello @sakuraime ,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you.

1 answer

Your answer

PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-18T09:24:41.473+00:00

Hello @sakuraime ,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you.

Answer 1

PRADEEPCHEEKATLA 90,651 Moderator

Hello @sakuraime ,

Thanks for the question and using MS Q&A platform.

By design - Only Purview creator can access the Purview account.

Reason: In the new Purview accounts permissions are controlled via the collection management which gives user access control.

As specified in the official documentation : Access control in Azure Purview, the account creator is the only person who can access Purview account and owner/contributor on the subscription can provide access to the purview account.

How to grant permission for Azure Purview Accounts:

You can use Azure CLI/PowerShell to grant permissions for Azure Purview Accounts.

What are the required details to grant permissions for Azure purview Accounts?

Purview Account Name
Resource Group Name
Object ID of the user

How to get the object ID of the user?

You can get the object ID of the user from Azure Active Directory.

Go to Active Directory, Under Manage section you will find Users, select the user which you want to assign the permission and copy the object ID.

Using Bash to grant permissions for Azure Purview Accounts:

Step1: Open Azure Cloud Shell
Step2: Install Azure Purview CLI module: az extension add --name purview

Step3: Add the administrator for root collection associated with this account: az purview account add-root-collection-admin --name "account1" --object-id "7e8de0e7-2bfc-4e1f-9659-2a5785e4356f" --resource-group "SampleResourceGroup"

Using PowerShell to grant permissions for Azure Purview Accounts:

Step1: Open Azure Cloud Shell
Step2: Install Azure Purview PowerShell module: Install-Module -Name Az.Purview

Step3: Add the administrator for root collection associated with this account: Add-AzPurviewAccountRootCollectionAdmin -AccountName test-pa -ResourceGroupName test-rg -ObjectId xxxxxxxx-5be9-4f43-abd2-04561777c8b0

A few moments later, you will see the Open Purview Studio in the Azure Portal.

What's the web address of a azure purview account ( suppose I am not access purview from Azure portal) .

You can browse to https://web.purview.azure.com, select your Purview account, and sign in to your workspace.

For more details, refer to Access control in Azure Purview.

Hope this will help. Please let us know if any further queries.

Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification
If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators

sakuraime 2,346 Reputation points

2021-11-12T10:00:53.157+00:00

hi thanks for your explaination , but I am a bit confuse

so everyone need to access the puriew need to add as administrator as above steps ??

Maybe a user only need to view a single collection out of 1000 collections ??
PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-12T10:51:34.083+00:00
Hello @sakuraime ,

All assigned roles apply to sources, assets, and other objects within the collection where the role is applied.

Collection admins - can edit the collection, its details, and add subcollections. They can also add data curators, data readers, and other Purview roles to a collection scope. Collection admins that are automatically inherited from a parent collection can't be removed.

Data source admins - can manage data sources and data scans.

Data curators - can perform create, read, modify, and delete actions on catalog data objects and establish relationships between objects.

Data readers - can access but not modify catalog data objects.

Maybe a user only need to view a single collection out of 1000 collections ??

Add user with Data Reader role assignment for a single collection out of 1000 collections - so that the user can view only specific collection.

Hope this will help. Please let us know if any further queries.
sakuraime 2,346 Reputation points

2021-11-13T03:59:47.903+00:00

hi thanks for your explanation , but I am a bit confuse

so everyone need to access the purview need to add as administrator as above steps(the powershell command) , even the user only read one of the collection out of 1000 collections ??
PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-15T08:40:10.547+00:00

Hello @sakuraime ,

To enable to the access to the purview account, you can use Azure CLI (az purview account add-root-collection-admin) and PowerShell (Add-AzPurviewAccountRootCollectionAdmin).

Once you have access to the purview account, you can add the permission like (Collection admin, Data source admins, Data Curators, Data readers) as per your requirement from Azure Purview Studio.

Note: The PowerShell/cli commands for adding permission like (Collection admin, Data source admins, Data Curators, Data readers) are coming soon.

Hope this will help. Please let us know if any further queries.
sakuraime 2,346 Reputation points

2021-11-16T01:48:45.197+00:00

so which mean each user want to access purview account need to be the root-collection-admin first ?
sakuraime 2,346 Reputation points

2021-11-16T03:16:33.433+00:00

After adding another user to purview using the powershell/az command , still facing issue .
sakuraime 2,346 Reputation points

2021-11-16T05:53:58.253+00:00

one thing is : the user is from another tenant , are there any consideration ?
PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-16T07:05:24.74+00:00
Hello @sakuraime ,

Which mean each user want to access purview account need to be the root-collection-admin first.

No, let me help you understand clearly with the below options:

Option1: By design - Only Purview creator can access the Purview account. In order to grant permission like (Collection admin, Data source admins, Data Curators, Data readers) you can reach out to (Purview creator) and ask to add the required permissions for the specific user.

Option2: In case, if the owner of the subscription wants to add himself to the purview account he can use powershell/cli to add as root-collection-admin first. Once he added has the root-collection-admin then he can grant permission like (Collection admin, Data source admins, Data Curators, Data readers).

one thing is : the user is from another tenant , are there any consideration ?

User should be in same tenant.

Hope this will help. Please let us know if any further queries.
sakuraime 2,346 Reputation points

2021-11-16T07:19:00.627+00:00

okok . let me try some user in the same tenant .
PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-17T03:52:52.44+00:00

Hello @sakuraime ,

Did you try adding user from the same tenant? Please do let me know if you need any help from my end.
PRADEEPCHEEKATLA 90,651 Reputation points Moderator

2021-11-22T07:58:49.757+00:00

Hello @sakuraime ,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.

Share via

azure purview access permission

1 answer

Your answer