Resource group and subscription access provisioning by data owner (Preview)

Important

This feature is currently in PREVIEW. The Supplemental Terms of Use for Microsoft Azure Previews include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Access policies allow you to manage access from Microsoft Purview to data sources that have been registered for Data Use Management.

You can also register an entire resource group or subscription, and create a single policy that will manage access to all data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards. This article describes how this is done.

Prerequisites

• An Azure account with an active subscription. Create an account for free.
• Create a new, or use an existing Microsoft Purview account. You can follow our quick-start guide to create one.
• Create a new, or use an existing resource group, and place new data sources under it. Follow this guide to create a new resource group.

Only these data sources are enabled for access policies on resource group or subscription. Follow the Prerequisites section that is specific to the data source(s) in these guides:

• Data owner policies on an Azure Storage account
• Data owner policies on an Azure SQL Database*
• Data owner policies on an Arc-enabled SQL Server*

(*) Only the SQL Performance monitoring and Security auditing actions are fully supported for SQL-type data sources. The Read action needs a workaround described later in this guide. The Modify action is not currently supported for SQL-type data sources.

Configuration

Register Microsoft Purview as a resource provider in other subscriptions

Execute this step only if the data sources and the Microsoft Purview account are in different subscriptions. Register Microsoft Purview as a resource provider in each subscription where data sources reside by following this guide: Register resource provider.

The Microsoft Purview resource provider is:

Microsoft.Purview

Configure permissions for policy management actions

This section discusses the permissions needed to:

• Make a data resource available for Data Use Management. This step is needed before a policy can be created in Microsoft Purview for that resource.
• Author and publish policies in Microsoft Purview.

Important

Currently, Microsoft Purview roles related to policy operations must be configured at root collection level.

Permissions to make a data resource available for Data Use Management

To enable the Data Use Management (DUM) toggle for a data source, resource group, or subscription, the same user needs to have both certain IAM privileges on the resource and certain Microsoft Purview privileges.

1. User needs to have either one of the following IAM role combinations on the resource's ARM path or any parent of it (using inheritance).

   • IAM Owner
   • Both IAM Contributor + IAM User Access Administrator

   Follow this guide to configure Azure RBAC role permissions. The following screenshot shows how to access the Access Control section in Azure portal experience for the data resource to add a role assignment:

2. In addition, the same user needs to have Microsoft Purview Data source administrator (DSA) role at the root collection level. See the guide on managing Microsoft Purview role assignments. The following screenshot shows how to assign Data Source Admin at root collection level:

Permissions for policy authoring and publishing

The following permissions are needed in Microsoft Purview at the root collection level:

• Policy authors role can create or edit policies.
• Data source administrator role can publish a policy.

Check the section on managing Microsoft Purview role assignments in this guide.

Note

Known issues related to permissions

• In addition to Microsoft Purview Policy authors role, user may need Directory Reader permission in Azure Active Directory to create data owner policy. This is a common permission for users in an Azure tenant. You can check permissions for Azure AD Directory Reader

Delegation of access control responsibility to Microsoft Purview

Warning

• IAM Owner role for a data source can be inherited from parent resource group, subscription or subscription Management Group.
• Once a resource has been enabled for Data Use Management, any Microsoft Purview root-collection policy author will be able to create access policies against it, and any Microsoft Purview root-collection Data source admin will be able to publish those policies at any point afterwards.
• Any Microsoft Purview root Collection admin can assign new root-collection Data Source Admin and Policy author roles.
• If the Microsoft Purview account is deleted then any published policies will stop being enforced within an amount of time that is dependent on the specific data source. This can have implications both on security and data access availability.

With these warnings in mind, here are some suggested best practices for permissions:

• Minimize the number of people that hold Microsoft Purview root Collection admin, root Data Source Admin or root Policy author roles.
• To ensure check and balances, assign the Microsoft Purview Policy author and Data source admin roles to different people in the organization. With this, before a data policy takes effect, a second person (the Data source admin) must review it and explicitly approve it by publishing it.
• A Microsoft Purview account can be deleted by Contributor and Owner roles in IAM. You can check these permissions by navigating to the Access control (IAM) section for your Microsoft Purview account and selecting Role Assignments. You can also place a lock to prevent the Microsoft Purview account from being deleted through ARM locks.

Register the subscription or resource group for Data Use Management

The subscription or resource group needs to be registered with Microsoft Purview to later define access policies.

To register your subscription or resource group, follow the Prerequisites and Register sections of this guide:

• Register multiple sources in Microsoft Purview

After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. Go through the secure practices related to Data Use Management in this guide: How to enable Data Use Management

In the end, your resource will have the Data Use Management toggle Enabled, as shown in the picture:

Important

• If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently for Data use management to provide their App ID.

Create and publish a data owner policy

Execute the steps in the Create a new policy and Publish a policy sections of the data-owner policy authoring tutorial. The result will be a data owner policy similar to the example shown in the image: a policy that provides security group sg-Finance modify access to resource group finance-rg. Use the Data source box in the Policy user experience.

Important

• Publish is a background operation. For example, Azure Storage accounts can take up to 2 hours to reflect the changes.
• Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.

Warning

Known Issues

• No implicit connect permission is provided to SQL type data sources (e.g.: Azure SQL DB, SQL server on Azure Arc-enabled servers) when creating a policy with Read action on a resource group or subscription. To support this scenario, provide the connect permission to the Azure AD principals locally, i.e. directly in the SQL-type data sources.

Additional information

• Creating a policy at subscription or resource group level will enable the Subjects to access Azure Storage system containers, for example, $logs. If this is undesired, first scan the data source and then create finer-grained policies for each (that is, at container or sub-container level).

Limits

The limit for Microsoft Purview policies that can be enforced by Storage accounts is 100 MB per subscription, which roughly equates to 5000 policies.

Next steps

Check blog, demo and related tutorials:

• Concepts for Microsoft Purview data owner policies
• Blog: resource group-level governance can significantly reduce effort
• Video: Demo of data owner access policies for Azure Storage