Permissions in the new Microsoft Purview Data Catalog preview
In the Microsoft Purview Data Catalog, access to data assets isn't focused on permissions in the data map, but is need-based; divided between applications roles for users, and tenant/organization level roles for owners and stewards.
Here's how the levels of permissions in the data catalog are organized:
- Tenant/organization permissions - Users who own the Microsoft Purview instance and need access to maintain its permissions and information.
- Catalog-level permissions - Grants users permission to create business domains or access data estate health.
- Business domain level permissions - Grants permissions for objects within a business domain (like glossary terms or data products).
Tip
The Data catalog reader role is intended to give users the ability to either discover data, approve access to data, or review the current state of data health. This usually would be all full time employees at the company but would probably exclude guests or other partners that would not normally get access to internal data sources.
What permissions do you need?
In this section we provide a table that shows the most common data catalog scenarios, and the permissions you need to complete them. For more detailed information, later in this article we have a full list of roles, a guide for permissions to search the full catalog, and guides on how to assign organization permissions, application permissions, and business domain permissions.
| Element | Action | Data governance admin | Business domain creator | Business domain owner | Data catalog reader | Data steward | Data product owner | Data health owner | Data health reader | Data quality steward | Data quality reader |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Application role assignments | Read | x | x | ||||||||
| Edit | x | x | |||||||||
| Business domains | Read | x | x | x | x | x | x | ||||
| Edit | x | x | |||||||||
| Data products | Read | x | x | x | x | x | |||||
| Edit | x | ||||||||||
| Health items | Read | x | x | ||||||||
| Edit | x | ||||||||||
| Data quality items | Read | x | x | x | |||||||
| Edit | x | ||||||||||
| Data access policies | Read | x | x | x | x | ||||||
| Edit | x | x |
Note
This table covers the basics, but not all roles, and not all scenarios for each role. Refer to the full list of roles for full details.
Tenant level permissions
These permissions are for administrators and curators, users who need to modify and manage user permissions and data assets.
The currently available tenant-level roles and role groups are:
| Name | Group/role | Description |
|---|---|---|
| Purview administrator | Group | Grants access to create domains in the Data map and grant access to other tenant level roles in Purview. |
| Data governance admin | Role | Delegates the first level of access for business domain creators and other catalog-level permissions. |
Purview administrators can also:
- Upgrade a free account to the enterprise tier.
- Reconcile an existing classic Azure Purview account to the tenant level primary Microsoft Purview portal as the default Data map domain.
Note
These two roles are initially assigned to the person who created your Microsoft Purview account. To identify this user:
- Go to the Azure portal
- Search for Microsoft Purview and select the account you need to access.
- Under Settings, go to Properties and reference the Created by field.
How to assign tenant-level role groups
Important
To be able to assign roles in Microsoft Purview Data Catalog the global administrator or user with the Role Management role must take the steps below. The Purview administrator role can provide this ability.
Tip
You can find the global administrators in Microsoft Entra ID.
Sign in to the Microsoft Purview portal using credential for an admin account that is assigned the Role management role (for example, a global administrator). Go to Settings > Roles and scopes to view and manage.
Select Role groups.
On the Role groups for Microsoft Purview solutions page, select the Data Governance role group.
On the Edit member of the role group page, select Choose users or Choose groups.
Select the check box for all users or groups you want to add to the role group.
Select Select.
Select Next.
Select Save.
Select Done.
Catalog-level permissions
Permissions that are assigned on the data catalog itself, and provide only high-level access.
| Role | Description | Application |
|---|---|---|
| Business domain creator | Creates domains and delegates business domain owner (or remains business domain owner by default) | Data catalog |
| Data health owner | Create, update, and read artifacts in data estate health. | Data estate health |
| Data health reader | Can read artifacts in data estate health. | Data estate health |
How to assign catalog-level roles
Important
To be able to assign roles in Microsoft Purview a user needs to be a data governance admin at the tenant/organization level.
- In the Data catalog application of Purview.
- Select Roles and permissions.
- Select Business domain creators or another role add user icon.
- Search the user you wish to add.
- Select the user.
- Select Save.
Business domain level permission
Tip
The Business domain owner is important to delegate to someone running data governance or the data catalog as it is an essential role to be able to start to build business domains, data products, glossary terms, etc. It's recommended that you have at least two people assigned as business domain owners.
Business domain permissions provide access within a specific business domain, and should be granted to data experts and business users to read and manage objects within the business domain.
These are the business domain roles currently available in the Microsoft Purview Data Catalog:
| Role | Description |
|---|---|
| Business domain owner | Ability to delegate all other business domain permissions, configure data quality scan alerts, and set domain level access policies. |
| Business domain reader | Ability read business domains and monitor their metadata and function. |
| Data steward | Create, update, and read artifacts and policies within their business domain. Can also read artifacts from other business domains. |
| Data product owner* | Create, update, and read data products only within their business domain. Can read artifacts from other domains to build relationships between the concepts. |
| Data catalog reader | Read all published concepts to the catalog across all domains. |
| Data quality stewards | Able to use all data quality features like data profiling, data quality rule management, data quality scanning, browsing data profiling and data quality insights, data quality scheduling, job monitoring, configuring threshold and alerts. |
| Data quality reader | Browse all data quality insight, data quality rules definition, and data quality error files. This role can’t run data quality scanning and data profiling job, and this role won't have access to data profiling column level insight as column level insight. |
| Data quality metadata reader | Browse data quality insights (except profiling results column level insight), data quality rule definition, and rule level scores. This role won't have access to error records and can't run profiling and DQ scanning job. |
| Data profile steward | Run data profiling jobs and have access to browse profiling insight details. This role can also browse through all data quality insights and can monitor profiling jobs. This role can’t create rules and can’t run data quality scanning. |
| Data profile reader | This role will have required permissions to browse all data quality insights and can drill down the profiling results to browse the statistics in column level. |
Note
*To be able to add data assets to a data product, data product owners also need data map permissions to read those data assets in the data map.
How to assign business domain roles
Important
To assign roles in Microsoft Purview a user needs to be a business domain owner in the business domain. This role is assigned by data governance administrators, or business domain creators.
Business domain roles are assigned under the Roles tab in a business domain. For more information, see how to manage business domains.
Permissions to search the full data catalog
No specific permissions are needed in the data catalog to be able to search the data catalog. However, searching the data catalog will only return relevant data assets that you have permissions to view in the data map.
Users can find a data asset in the data catalog when:
- The user searches data products in a business domain where they have catalog reader permissions
- The user has at least read permissions on an available Azure or Microsoft Fabric resource
- The user has data reader permissions on a domain or collection in the Microsoft Purview Data Map where the asset is stored
Permissions to these assets are managed at the resource level and at the Microsoft Purview Data Map level, respectively. For more information on providing this access, follow the links provided.
Tip
If your data catalog is well-curated, day-to-day business users shouldn't need to search the full catalog. They should be able to find data they need in data products. For more information about setting up the data catalog, see: get started with the data catalog, and data catalog best practices.
Data asset lifecycle example
To understand how permissions work between the data map and data catalog, let's look at the full life cycle of an Azure SQL table in the environment:
| Step | Role | Role Assignment Level |
|---|---|---|
| 1. The Azure SQL Database is registered in the data map | data source administrator | data map permissions |
| 2. The Azure SQL Database is scanned in the data map | data curator or data source administrator | data map permissions |
| 3. The Azure SQL table is curated and certified | data curator | data map permissions |
| 4. A business domain is created in the Microsoft Purview Account | Business Domain Creator | application-level role |
| 5. A data product is created in the business domain | Business Domain Owner and/or Data Product Owner | business domain-level role |
| 6. The Azure SQL table is added as an asset to the data product | Data Product Owner and/or Steward | business domain-level role |
| 7. An access policy is added to the data product | Data Product Owner and/or Steward | business domain-level role |
| 8. A user searches the data catalog, looking for data assets that match their needs | Asset permissions or data reader permission | Asset permissions or data map permissions |
| 9. A user searches data products, looking for a product that matches their needs | Data Catalog Reader | application-level role |
| 10. A user requests access to the resources in the Data Product | Data Catalog Reader | application-level role |
| 11. A user views Data Health Insights to track the health of their data catalog | Data Health Reader | application-level role |
| 12. A user wants to develop a new report to track data health progress in their catalog | Data Health Owner | application-level role |
Data catalog roles
Here is the full list of all roles used to access and manage the Microsoft Purview Data Catalog.
| Role | Description | Permission level | Available actions |
|---|---|---|---|
| Data governance admin | Delegates the first level of access for business domain creators and other application-level permissions. | Tenant/organization | roleassignment/read, roleassignment/write |
| Business domain creator | Creates domains and delegates business domain owner (or remains business domain owner by default). | Application | businessdomain/read, businessdomain/write |
| Business domain owner | Ability to delegate all other business domain permissions, configure data quality scan alerts, and set domain level access policies. | Business domain | roleassignment/read, roleassignment/write, businessdomain/read, businessdomain/write, dataquality/scope/read, dataquality/scope/write, dataquality/scheduledscan/read, dataquality/scheduledscan/write, dataquality/scheduledscan/execute, datahealth/alert/read, datahealth/alert/write, dataquality/monitoring/read, dataquality/monitoring/write, dataproduct/read, glossaryterm/read, okr/read, dataaccess/domainpolicy/read, dataaccess/domainpolicy/write, dataaccess/dataproductpolicy/read, dataaccess/glossarytermpolicy/read |
| Data catalog reader | Ability to read all published domains, data products, policies, and OKRs. | Business domain | roleassignment/read, businessdomain/read, dataproduct/read, glossaryterm/read, okr/read, dataaccess/domainpolicy/read, dataaccess/glossarytermpolicy/read |
| Data steward | Create, update, and read critical data elements, glossary terms, OKRs, and policies within their business domain. They can also read and build relationships with concepts in other business domains. | Business domain | roleassignment/read, businessdomain/read, dataquality/observer/write, dataproduct/read, data product/curate, glossaryterm/read, glossaryterm/write, okr/read, okr/write, dataaccess/domainpolicy/read, dataaccess/domainpolicy/write, dataaccess/dataproductpolicy/read, dataaccess/dataproductpolicy/write, dataaccess/glossarytermpolicy/read, dataaccess/glossarytermpolicy/write |
| Data product owner | Create, update, and read data products only within their business domain. They can also read and build relationships with concepts in business domains. | Business domain | roleassignment/read, businessdomain/read, dataproduct/write, dataproduct/read, glossaryterm/read, okr/read, dataaccess/domainpolicy/read, dataaccess/dataproductpolicy/read, dataaccess/dataproductpolicy/write, dataaccess/glossarytermpolicy/read |
| Data health owner | Create, update, and read artifacts in data estate health. | Application | datahealth/read, datahealth/write |
| Data health reader | Can read artifacts in data estate health. | Application | datahealth/read |
| Data quality stewards | Able to use all data quality features like data profiling, data quality rule management, data quality scanning, browsing data profiling and data quality insights, data quality scheduling, job monitoring, configuring threshold and alerts. | Business domain | businessdomain/read, dataquality/scope/read, dataquality/scope/write, dataquality/scheduledscan/read, dataquality/scheduledscan/write, dataquality/scheduledscan/execute/action, datahealth/alert/read, datahealth/alert/write, dataquality/monitoring/read, dataquality/monitoring/write, dataquality/connection/write, dataquality/connection/read, dataquality/schemadetection/execute/action, dataquality/observer/read, dataquality/observer/write, dataquality/observer/execute/action, dataquality/history/scores/read, dataquality/history/ruledetails/read, dataquality/history/ruleerrorfile/read, dataquality/history/ruleerrorfile/delete, dataquality/history/delete, dataquality/profile/read, dataquality/profile/write, dataquality/profile/execute/action, dataquality/profilehistory/read, dataquality/profilehistory/delete, dataproduct/read, glossaryterm/read |
| Data quality reader | Browse all data quality insights and data quality rules definitions. This role can’t run data quality scanning and data profiling jobs, and this role won't have access to data profiling column level insight as column level insight. | Business domain | dataquality/connection/read, dataquality/observer/read, dataquality/observer/execute/action, dataquality/history/scores/read, dataquality/history/ruledetails/read |
| Data profile reader | This role will have required permissions to browse all profiling insights and can drill down the profiling results to browse the statistics in column level. | Business domain | dataquality/connection/read, dataquality/profile/read, dataquality/profilehistory/read |
Next steps
Feedback
Bald verfügbar: Im Laufe des Jahres 2024 werden wir GitHub-Issues stufenweise als Feedbackmechanismus für Inhalte abbauen und durch ein neues Feedbacksystem ersetzen. Weitere Informationen finden Sie unter https://aka.ms/ContentUserFeedback.
Feedback senden und anzeigen für