Concepts for Microsoft Purview Data owner policies (preview)
This article discusses concepts related to managing read or modify access to assets in your data estate from within the Microsoft Purview governance portal.
This capability does not offer access control for Microsoft Purview itself. Granting access to Microsoft Purview internal roles is described in Access control in Microsoft Purview. This capability is used to grant data plane access, i.e., access to the data itself in data systems like Azure Storage. It does not allow you to grant control plane access. Control plane access provides visibility and ability manage resources in your subscription. You can manage control plane access via Identity and Access Management (IAM)
Access policies in Microsoft Purview enable you to manage access to different data systems across your entire data estate. For example:
A user needs read access to an Azure Storage account that has been registered in Microsoft Purview. You can grant this access directly in Microsoft Purview by creating a data access policy through the Data policy app in the Microsoft Purview governance portal.
Data owner policies can be enforced only on data systems that have been enabled for policy enforcement in Microsoft Purview i.e., with the Data policy enforcement option turned on in data source registration.
Data owner policy
A Data owner policy is a named set of policy statements. When a policy is published to one or more data systems under Microsoft Purview’s governance, it's then enforced by them. A policy definition includes a policy name, description, and a list of one or more policy statements.
Currently only a single policy statement is supported per policy.
A policy statement is a human readable instruction that dictates how the data source should handle a specific data access operation. The policy statement comprises Effect, Action, Data Resource and Subject.
An action is the operation being permitted or denied as part of this policy. For example: Read or Modify. These high-level logical actions map to one (or more) data actions in the data system where they are enforced.
The effect indicates what should be outcome if there is a match on the Data resource and Subject of the policy statement. Currently, the only supported value is Allow.
The data resource is the fully qualified data asset path to the object the policy statement applies. It conforms to the following format:
Azure Storage data-asset-path format:
Azure SQL DB data-asset-path format:
It is a list of the end-user identities from Microsoft Entra ID for whom this policy statement is applicable. Each identity can be a service principal, an individual user, a group, or a managed service identity (MSI).
Allow Read on Data Asset: /subscription/finance/resourcegroups/prod/providers/Microsoft.Storage/storageAccounts/finDataLake/blobservice/default/containers/FinData to group Finance-analyst
In the above policy statement, the effect is Allow, the action is Read, the data resource is Azure Storage container FinData, and the subject is Microsoft Entra group Finance-analyst. If any user that belongs to this group attempts to read data from the storage container FinData, the request will be allowed.
Hierarchical enforcement of policies
The data resource specified in a policy statement is hierarchical by default. This means that the policy statement applies to the data object itself and to all the children objects contained by the data object. For example, a policy statement on Azure Storage container applies to all the blobs contained within it.
Policy combining algorithm
A data source combines all the applicable local policies with all policies from Microsoft Purview and provides a consolidated decision when a user tries to access an asset. The combining strategy picks the most restrictive policy.
For example, let’s assume two different policies on an Azure Storage container FinData as follows,
Policy 1 - Allow Read on Data Asset /subscription/…./containers/FinData to group Finance-analyst
Policy 2 - Deny Read on Data Asset /subscription/…./containers/FinData to group Finance-contractors
Then let’s assume that user ‘user1’, who is part of two groups: Finance-analyst and Finance-contractors, executes a call to the blob read API. Since both policies will be applicable, Azure Storage will choose the most restrictive one, which is Deny of Read. Thus, the access request will be denied.
A newly created policy exists in the draft mode state, only visible in Microsoft Purview. The act of publishing initiates enforcement of a policy in the specified data systems. It's an asynchronous action that can take between 5 minutes and 2 hours to be effective, depending on the data source type. For more information, consult the Data owner policies how-to guides related to each data source type.
A policy published to a data source could contain policy statements that refer to a different data source. Such references will be ignored since the asset in question does not exist in the data source where the policy is applied.
Check the guides on how to create policies in Microsoft Purview that get enforced in specific data systems. Beyond the UI, you can now try the Data owner policies API.
- Doc: How to enable policy enforcement for a data source
- Doc: Provision access to Azure Storage datasets
- Doc: Provision access to all data sources in a subscription or a resource group
- Doc: Provision access to Azure SQL Database assets
- Doc: Provision access to SQL Server 2022 (Arc-enabled) assets
- Blog: Grant users access to data assets in your enterprise via API