Enable Data use management on your Microsoft Purview sources

Data use management is an option within the data source registration in Microsoft Purview. This option lets Microsoft Purview manage data access for your resources. The high-level concept is that the data owner makes a data resource available to access policies by enabling Data use management on it.

Currently, a data owner can enable Data use management on a data resource, which enables it for the access policy types covered later in this article: DevOps policies, Data Owner policies, and self-service access policies.

To be able to create any data policy on a resource, Data use management must first be enabled on that resource. This article will explain how to enable Data use management on your resources in Microsoft Purview.

Important

Because Data use management directly affects who can access your data, it directly affects your data security. Review the additional considerations and best practices below before enabling Data use management in your environment.

Prerequisites

Configure permissions to enable Data use management on the data source

Before a policy can be created in Microsoft Purview for a resource, you must configure permissions. To enable the Data use management toggle for a data source, resource group, or subscription, the same user must have both specific identity and access management (IAM) privileges on the resource and specific Microsoft Purview privileges:

  • The user must have one of the following IAM role combinations on the resource's Azure Resource Manager path or on any parent of it (that is, through IAM permission inheritance):

    • IAM Owner
    • Both IAM Contributor and IAM User Access Administrator

    To configure Azure role-based access control (RBAC) permissions, follow this guide. The following screenshot shows how to access the Access Control section in the Azure portal for the data resource to add a role assignment.

    Screenshot that shows the section in the Azure portal for adding a role assignment.

  • The same user needs to have the Microsoft Purview Data source admin role for the collection or a parent collection (if inheritance is enabled). For more information, see the guide on managing Microsoft Purview role assignments.

    The following screenshot shows how to assign the Data source admin role at the root collection level.

    Screenshot that shows selections for assigning the Data source admin role at the root collection level.

Configure Microsoft Purview permissions to create, update, or delete access policies

The following permissions are needed in Microsoft Purview at the root collection level:

  • The Policy author role can create, update, and delete DevOps and Data Owner policies.
  • The Policy author role can delete self-service access policies.

For more information about managing Microsoft Purview role assignments, see Create and manage collections in the Microsoft Purview Data Map.

Note

Currently, Microsoft Purview roles related to creating, updating, and deleting policies must be configured at the root collection level.

In addition to the Microsoft Purview Policy author role, users might need Directory Readers permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant.

Configure Microsoft Purview permissions for publishing Data Owner policies

Data Owner policies allow for checks and balances if you assign the Microsoft Purview Policy author and Data source admin roles to different people in the organization. Before a data policy takes effect, a second person (Data source admin) must review it and explicitly approve it by publishing it. Publishing is automatic after DevOps or self-service access policies are created or updated, so it doesn't apply to these types of policies.

The following permissions are needed in Microsoft Purview at the root collection level:

  • The Data source admin role can publish a policy.

For more information about managing Microsoft Purview role assignments, see Create and manage collections in the Microsoft Purview Data Map.

Note

Currently, Microsoft Purview roles related to publishing Data Owner policies must be configured at the root collection level.

Delegation of access provisioning responsibility to roles in Microsoft Purview

After a resource has been enabled for Data use management, any Microsoft Purview user with the Policy author role at the root collection level can provision access to that data source from Microsoft Purview.

The IAM Owner role for a data resource can be inherited from a parent resource group, a subscription, or a subscription management group. Check which Azure AD users, groups, and service principals hold or are inheriting the IAM Owner role for the resource.

Note

Any Microsoft Purview root Collection admin can assign new users to root Policy author roles. Any Collection admin can assign new users to a Data source admin role under the collection. Minimize and carefully vet the users that hold Microsoft Purview Collection admin, Data source admin, or Policy author roles.

If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time that depends on the specific data source. This change can have implications on both security and data access availability. The Contributor and Owner roles in IAM can delete Microsoft Purview accounts.

You can check these permissions by going to the Access control (IAM) section for your Microsoft Purview account and selecting Role Assignments. You can also place a lock to prevent the Microsoft Purview account from being deleted through Resource Manager locks.
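The three checks this article asks for all reduce to the same question about Azure RBAC: which roles does a principal hold on a given ARM path once inheritance from the resource group, subscription and management group is counted? The script below is an added example, not code from Microsoft Purview or its documentation, and it answers that question for the enable prerequisite (IAM Owner, or Contributor plus User Access Administrator, together with the Purview Data source admin role), for the "who holds or inherits Owner on this resource" review, and for the "who can delete the Purview account" review. It works on a list of role assignments with the fields principalName, principalType, roleDefinitionName and scope, which is the shape that `az role assignment list --scope <arm-path> --include-inherited -o json` produces (an assumption about the CLI output; map the fields if yours differ). The subscription IDs, principals, the management-group map and every assignment are constructed, and the set of Purview Data source admins is passed in as a plain list because that role lives in Purview, not in Azure RBAC.

```python
"""Azure RBAC checks behind the Data use management prerequisites.

Added example, not code from Microsoft Purview or its documentation.
Input is a list of role assignments carrying `principalName`,
`principalType`, `roleDefinitionName` and `scope`, the shape that
`az role assignment list --scope <arm-path> --include-inherited -o json`
emits (an assumption about the CLI output; map the fields if yours differ).
Every identifier, principal and assignment below is constructed.
"""

MG_PREFIX = "/providers/microsoft.management/managementgroups/"

# Role combinations the page requires on the resource, or a parent of it,
# before the toggle can be enabled.
ENABLE_ROLE_SETS = ({"Owner"}, {"Contributor", "User Access Administrator"})
# IAM roles the page says can delete a Microsoft Purview account.
DELETE_ROLES = {"Owner", "Contributor"}

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-data"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/s3sa1"
PURVIEW = SUB + "/resourceGroups/rg-gov/providers/Microsoft.Purview/accounts/pv-main"
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"

# Constructed: management groups each subscription sits under (nearest first).
# A management-group scope is not a path prefix of a subscription-scoped ARM
# path, so inheritance from it cannot be decided by prefix matching alone.
MG_ANCESTORS = {"11111111-1111-1111-1111-111111111111": ["mg-data", "mg-root"]}

# Constructed role assignments.
ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": STORAGE},
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": STORAGE},
    {"principalName": "platform-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": MG_ROOT},
    {"principalName": "dave@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
]


def _segments(path):
    return [s for s in path.lower().split("/") if s]


def subscription_of(path):
    seg = _segments(path)
    return seg[1] if len(seg) >= 2 and seg[0] == "subscriptions" else None


def scope_covers(scope, target):
    """True if a role assigned at `scope` is inherited by `target`."""
    if scope.lower().startswith(MG_PREFIX):
        mg = scope.lower()[len(MG_PREFIX):]
        sub = subscription_of(target)
        return sub is not None and mg in [m.lower() for m in MG_ANCESTORS.get(sub, [])]
    # Compare whole path segments: "/subscriptions/1" must not cover "/subscriptions/10/...".
    s, t = _segments(scope), _segments(target)
    return len(s) <= len(t) and t[:len(s)] == s


def effective_roles(assignments, principal, target):
    """Role names `principal` holds on `target`, directly or through inheritance."""
    return {a["roleDefinitionName"] for a in assignments
            if a["principalName"].lower() == principal.lower()
            and scope_covers(a["scope"], target)}


def meets_iam_prerequisite(assignments, principal, resource_path):
    roles = effective_roles(assignments, principal, resource_path)
    return any(required <= roles for required in ENABLE_ROLE_SETS)


def can_enable_data_use_management(assignments, principal, resource_path, data_source_admins):
    """Both halves of the prerequisite: IAM on the resource and Purview Data source admin."""
    is_admin = principal.lower() in {p.lower() for p in data_source_admins}
    return meets_iam_prerequisite(assignments, principal, resource_path) and is_admin


def holders_of(assignments, target, roles):
    """Who holds any of `roles` on `target`, directly or inherited, and from which scope."""
    return sorted({(a["principalName"], a["principalType"], a["roleDefinitionName"], a["scope"])
                   for a in assignments
                   if a["roleDefinitionName"] in roles and scope_covers(a["scope"], target)})


def who_can_delete_purview_account(assignments, purview_account_path):
    return holders_of(assignments, purview_account_path, DELETE_ROLES)


if __name__ == "__main__":
    admins = ["bob@contoso.com", "carol@contoso.com"]  # constructed Data source admins
    for user in ("alice@contoso.com", "bob@contoso.com", "carol@contoso.com"):
        print(user, "can enable the toggle:",
              can_enable_data_use_management(ASSIGNMENTS, user, STORAGE, admins))
    for holder in holders_of(ASSIGNMENTS, STORAGE, {"Owner"}):
        print("Owner on storage account:", holder)
    for holder in who_can_delete_purview_account(ASSIGNMENTS, PURVIEW):
        print("Can delete Purview account:", holder)
```

With the constructed data, alice meets the IAM half through Owner inherited from the subscription but is not a Data source admin, bob meets both halves by combining Contributor at the resource group with User Access Administrator at the storage account, and carol fails with Contributor alone. The Owner review surfaces the service principal whose Owner assignment sits on the management group, which a plain path-prefix comparison would miss, and the same function run against the Purview account path lists every principal the Contributor and Owner roles would let delete it. Feed it real output from the CLI and the only thing to supply is the subscription-to-management-group map.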

Enable Data use management

To enable Data use management for a resource, the resource will first need to be registered in Microsoft Purview. To register a resource, follow the Prerequisites and Register sections of the source pages for your resources.

Once you have your resource registered, follow the rest of the steps to enable an individual resource for Data use management.

  1. Go to the Microsoft Purview governance portal.

  2. Select the Data map tab in the left menu.

  3. Select the Sources tab in the left menu.

  4. Select the source where you want to enable Data use management.

  5. At the top of the source page, select Edit source.

  6. Set the Data use management toggle to Enabled, as shown in the image below.

Screenshot that shows the Data use management toggle set to Enabled at the bottom of the menu.

Disable Data use management

To disable Data use management for a source, resource group, or subscription, a user needs to either be a resource IAM Owner or a Microsoft Purview Data source admin. Once you have those permissions follow these steps:

  1. Go to the Microsoft Purview governance portal.

  2. Select the Data map tab in the left menu.

  3. Select the Sources tab in the left menu.

  4. Select the source you want to disable Data use management for.

  5. At the top of the source page, select Edit source.

  6. Set the Data use management toggle to Disabled.

  • Make sure you write down the Name you use when registering in Microsoft Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
  • To disable a source for Data use management, you first have to remove any published policies on that data source.
  • While a user needs to hold both the IAM Owner role on the data source and the Microsoft Purview Data source admin role to enable a source for Data use management, any Data source admin for the collection can disable it.
  • Disabling Data use management for a subscription will disable it also for all assets registered in that subscription.

Warning

Known issues related to source registration

  • Moving data sources to a different resource group or subscription is not supported. If you want to do that, de-register the data source in Microsoft Purview before moving it and then register it again afterwards. Note that policies are bound to the data source ARM path, so changing the data source's subscription or resource group makes existing policies ineffective.
  • Once a subscription gets disabled for Data use management, any underlying assets that are enabled for Data use management will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that and are not removed automatically.

Data use management best practices

  • We highly encourage registering data sources for Data use management and managing all associated access policies in a single Microsoft Purview account.
  • Should you have multiple Microsoft Purview accounts, be aware that all data sources belonging to a subscription must be registered for Data use management in a single Microsoft Purview account. That Microsoft Purview account can be in any subscription in the tenant. The Data use management toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
    • Case 1 shows a valid configuration where a Storage account is registered in a Microsoft Purview account in the same subscription.
    • Case 2 shows a valid configuration where a Storage account is registered in a Microsoft Purview account in a different subscription.
    • Case 3 shows an invalid configuration arising because Storage accounts S3SA1 and S3SA2 both belong to Subscription 3, but are registered to different Microsoft Purview accounts. In that case, the Data use management toggle will only enable in the Microsoft Purview account that wins and registers a data source in that subscription first. The toggle will then be greyed out for the other data source.
  • If the Data use management toggle is greyed out and cannot be enabled, hover over it to know the name of the Microsoft Purview account that has registered the data resource first.

Diagram shows valid and invalid configurations when using multiple Microsoft Purview accounts to manage policies.
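The rule behind the diagram is mechanical: group every registered data source by the subscription in its ARM path, and any subscription whose sources land in more than one Microsoft Purview account is the invalid case, with the toggle staying available only to the account that registered a source from that subscription first. The following is an added example, not Microsoft's code, that applies that rule to a constructed registration list mirroring the three cases above; the subscription IDs, account names (pv-sub1, pv-a, pv-b) and storage account paths are placeholders, and the list is assumed to be in registration order.

```python
"""Detect the invalid multi-account configuration from the best practices above.

Added example, not Microsoft's code. `REGISTRATIONS` is a constructed list of
(Purview account name, data source ARM path) pairs in the order the sources
were registered, mirroring the page's three cases; subscription IDs, account
names and resource names are placeholders.
"""
from collections import defaultdict

SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB2 = "/subscriptions/00000000-0000-0000-0000-000000000002"
SUB3 = "/subscriptions/00000000-0000-0000-0000-000000000003"
S1SA1 = SUB1 + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/s1sa1"
S2SA1 = SUB2 + "/resourceGroups/rg2/providers/Microsoft.Storage/storageAccounts/s2sa1"
S3SA1 = SUB3 + "/resourceGroups/rg3/providers/Microsoft.Storage/storageAccounts/s3sa1"
S3SA2 = SUB3 + "/resourceGroups/rg3/providers/Microsoft.Storage/storageAccounts/s3sa2"

REGISTRATIONS = [
    ("pv-sub1", S1SA1),  # case 1: Purview account in the same subscription
    ("pv-sub1", S2SA1),  # case 2: Purview account in a different subscription
    ("pv-a", S3SA1),     # case 3: two accounts register sources from subscription 3
    ("pv-b", S3SA2),
]


def subscription_of(arm_path):
    seg = [s for s in arm_path.lower().split("/") if s]
    if len(seg) < 2 or seg[0] != "subscriptions":
        raise ValueError(f"not a subscription-scoped ARM path: {arm_path}")
    return seg[1]


def accounts_by_subscription(registrations):
    """subscription -> {Purview account -> [registered ARM paths]}, in registration order."""
    by_sub = defaultdict(dict)
    for account, path in registrations:
        by_sub[subscription_of(path)].setdefault(account, []).append(path)
    return by_sub


def find_conflicts(registrations):
    """Subscriptions whose sources are split across more than one Purview account."""
    return {sub: accts for sub, accts in accounts_by_subscription(registrations).items()
            if len(accts) > 1}


def owning_account(registrations, arm_path):
    """The account that registered a source from this subscription first, or None."""
    sub = subscription_of(arm_path)
    return next((acct for acct, path in registrations if subscription_of(path) == sub), None)


def toggle_available(registrations, account, arm_path):
    """Whether `account` can enable Data use management on `arm_path`:
    either no account has claimed the subscription yet, or this account did."""
    owner = owning_account(registrations, arm_path)
    return owner is None or owner == account


if __name__ == "__main__":
    for sub, accts in find_conflicts(REGISTRATIONS).items():
        winner = owning_account(REGISTRATIONS, "/subscriptions/" + sub)
        print(f"conflict in subscription {sub}: registered in {sorted(accts)}; "
              f"toggle enables only in {winner}")
    for account, path in REGISTRATIONS:
        print(account, path.rsplit("/", 1)[-1], "toggle available:",
              toggle_available(REGISTRATIONS, account, path))
```

On the constructed data only subscription 3 is reported, pv-a is the account whose toggle stays enabled for s3sa2, and pv-b sees it greyed out, which is what the hover text on the toggle tells you in the portal. Exporting the registered sources from each of your Purview accounts into the same list is enough to find every such conflict before anyone reaches for the toggle.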

Next steps