Create, list, update and delete Microsoft Purview DevOps policies

DevOps policies are a type of Microsoft Purview access policy. They allow you to manage access to system metadata on data sources that have been registered for Data use management in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal. After being saved, they are automatically published and then enforced by the data source.

This how-to guide covers how to provision access from Microsoft Purview to SQL-type data sources via SQL Performance Monitoring or SQL Security Auditing actions. Microsoft Purview access policies apply to Azure AD accounts only.

Prerequisites

Configuration

Before authoring policies in the Microsoft Purview policy portal, you'll need to configure the data sources so that they can enforce those policies.

  1. Follow any policy-specific prerequisites for your source. Check the Microsoft Purview supported data sources table and select the link in the Access Policy column for sources where access policies are available. Follow any steps listed in the Access policy or Prerequisites sections.
  2. Register the data source in Microsoft Purview. Follow the Prerequisites and Register sections of the source pages for your resources.
  3. Enable the "Data use management" toggle in the data source registration. Additional permissions for this step are described in the linked document.

Create a new DevOps policy

To create a new DevOps policy, ensure first that you have the Microsoft Purview Policy author role at root collection level. Check the section on managing Microsoft Purview role assignments in this guide.

  1. Sign in to the Microsoft Purview governance portal.

  2. Navigate to the Data policy feature using the left side panel. Then select DevOps policies.

  3. Select the New Policy button in the policy page. After that, the policy detail page will open.

  4. Select the Data source type and then one of the listed data sources under Data source name. Then click on Select. This will take you back to the New Policy experience.

  5. Select one of two roles, SQL Performance monitor or SQL Security auditor. Then select Add/remove subjects. This will open the Subject window. Type the name of an Azure AD principal (user, group or service principal) in the Select subjects box. Note that Microsoft 365 groups are supported but updates to group membership take up to 1 hour to get reflected by Azure AD. Keep adding or removing subjects until you are satisfied. Select Save. This will take you back to the prior window.

  6. Select Save to save the policy. A policy has been created and automatically published. Enforcement will start at the data source within 5 minutes.

List DevOps policies

To list DevOps policies, ensure first that you have one of the following Microsoft Purview roles at root collection level: Policy author, Data source admin, Data curator or Data reader. Check the section on managing Microsoft Purview role assignments in this guide.

  1. Sign in to the Microsoft Purview governance portal.

  2. Navigate to the Data policy feature using the left side panel. Then select DevOps policies.

  3. If any DevOps policies have been created, they will be listed on this page.

Update a DevOps policy

To update a DevOps policy, ensure first that you have the Microsoft Purview Policy author role at root collection level. Check the section on managing Microsoft Purview role assignments in this guide.

  1. Sign in to the Microsoft Purview governance portal.

  2. Navigate to the Data policy feature using the left side panel. Then select DevOps policies.

  3. Open the policy detail for one of the policies by selecting it from its Data resource path.

  4. In the policy detail page, select Edit.

  5. Continue as in steps 5 and 6 of Create a new DevOps policy.

Delete a DevOps policy

To delete a DevOps policy, ensure first that you have the Microsoft Purview Policy author role at root collection level. Check the section on managing Microsoft Purview role assignments in this guide.

  1. Sign in to the Microsoft Purview governance portal.

  2. Navigate to the Data policy feature using the left side panel. Then select DevOps policies.

  3. Check one of the policies and then select Delete.

Next steps

Check the blogs, videos and related docs