Resource group and subscription access provisioning by data owner (Preview)

Important

This feature is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

Data owner policies are a type of Microsoft Purview access policies. They allow you to manage access to user data in sources that have been registered for Data Use Management in Microsoft Purview. These policies can be authored directly in the Microsoft Purview governance portal, and after publishing, they get enforced by the data source.

In this guide we cover how to register an entire resource group or subscription and then create a single policy that will manage access to all data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards.

Prerequisites

Only these data sources are enabled for access policies on resource group or subscription. Follow the Prerequisites section that is specific to the data source(s) in these guides:

(*) The Modify action is not currently supported for SQL-type data sources.

Microsoft Purview configuration

Configure permissions to enable Data use management on the data source

Before a policy can be created in Microsoft Purview for a resource, you must configure permissions. To enable the Data use management toggle for a data source, resource group, or subscription, the same user must have both specific identity and access management (IAM) privileges on the resource and specific Microsoft Purview privileges:

  • The user must have either one of the following IAM role combinations on the resource's Azure Resource Manager path or any parent of it (that is, using IAM permission inheritance):

    • IAM Owner
    • Both IAM Contributor and IAM User Access Administrator

    To configure Azure role-based access control (RBAC) permissions, follow this guide. The following screenshot shows how to access the Access Control section in the Azure portal for the data resource to add a role assignment.

    Screenshot that shows the section in the Azure portal for adding a role assignment.

  • The same user needs to have the Microsoft Purview Data source admin role for the collection or a parent collection (if inheritance is enabled). For more information, see the guide on managing Microsoft Purview role assignments.

    The following screenshot shows how to assign the Data source admin role at the root collection level.

    Screenshot that shows selections for assigning the Data source admin role at the root collection level.

Configure Microsoft Purview permissions to create, update, or delete access policies

The following permissions are needed in Microsoft Purview at the root collection level:

  • The Policy author role can create, update, and delete DevOps and Data Owner policies.
  • The Policy author role can delete self-service access policies.

For more information about managing Microsoft Purview role assignments, see Create and manage collections in the Microsoft Purview Data Map.

Note

Currently, Microsoft Purview roles related to creating, updating, and deleting policies must be configured at the root collection level.

In addition to the Microsoft Purview Policy author role, users might need Directory Readers permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant.

Configure Microsoft Purview permissions for publishing Data Owner policies

Data Owner policies allow for checks and balances if you assign the Microsoft Purview Policy author and Data source admin roles to different people in the organization. Before a data policy takes effect, a second person (Data source admin) must review it and explicitly approve it by publishing it. Publishing is automatic after DevOps or self-service access policies are created or updated, so it doesn't apply to these types of policies.

The following permissions are needed in Microsoft Purview at the root collection level:

  • The Data source admin role can publish a policy.

For more information about managing Microsoft Purview role assignments, see Create and manage collections in the Microsoft Purview Data Map.

Note

Currently, Microsoft Purview roles related to publishing Data Owner policies must be configured at the root collection level.

Delegation of access provisioning responsibility to roles in Microsoft Purview

After a resource has been enabled for Data use management, any Microsoft Purview user with the Policy author role at the root collection level can provision access to that data source from Microsoft Purview.

The IAM Owner role for a data resource can be inherited from a parent resource group, a subscription, or a subscription management group. Check which Azure AD users, groups, and service principals hold or are inheriting the IAM Owner role for the resource.

Note

Any Microsoft Purview root Collection admin can assign new users to root Policy author roles. Any Collection admin can assign new users to a Data source admin role under the collection. Minimize and carefully vet the users that hold Microsoft Purview Collection admin, Data source admin, or Policy author roles.

If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time that depends on the specific data source. This change can have implications on both security and data access availability. The Contributor and Owner roles in IAM can delete Microsoft Purview accounts.

You can check these permissions by going to the Access control (IAM) section for your Microsoft Purview account and selecting Role Assignments. You can also place a lock to prevent the Microsoft Purview account from being deleted through Resource Manager locks.

Register the subscription or resource group for Data Use Management

The subscription or resource group needs to be registered with Microsoft Purview before you can create access policies. To register your subscription or resource group, follow the Prerequisites and Register sections of this guide:

After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. Go through the secure practices related to Data Use Management in this guide: How to enable Data Use Management

In the end, your resource will have the Data Use Management toggle Enabled, as shown in the screenshot:

Screenshot shows how to register a resource group or subscription for policy by toggling the enable tab in the resource editor.

Important

  • If you create a policy on a resource group or subscription and want to have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable Data use management which captures their App ID: See this document.

Create and publish a data owner policy

Execute the steps in the Create a new policy and Publish a policy sections of the data-owner policy authoring tutorial. The result will be a data owner policy similar to the example shown in the image: a policy that provides security group sg-Finance modify access to resource group finance-rg. Use the Data source box in the Policy user experience.

Screenshot shows a sample data owner policy giving access to a resource group.

Important

  • Publish is a background operation. For example, Azure Storage accounts can take up to 2 hours to reflect the changes.
  • Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.

Unpublish a data owner policy

Follow this link for the steps to unpublish a data owner policy in Microsoft Purview.

Update or delete a data owner policy

Follow this link for the steps to update or delete a data owner policy in Microsoft Purview.

Additional information

  • Creating a policy at subscription or resource group level will enable the Subjects to access Azure Storage system containers, for example, $logs. If this is undesired, first scan the data source and then create finer-grained policies for each (that is, at container or sub-container level).

Limits

The limit for Microsoft Purview policies that can be enforced by Storage accounts is 100 MB per subscription, which roughly equates to 5000 policies.

Next steps

Check blog, demo and related tutorials: