How to configure and manage data catalog access policies (Preview)

Important

This article explains how to set access policies on business concepts, including business domains, data products, and glossary terms, and how to manage access requests. If you would like to request access to a data product, follow this article to request access.

Here's how you can manage access to your data products and set up a system to provide access to users who request it.

What does access to a data product give you? Permissions to the data product, and permissions to the data sources inside.

In this article you'll learn:

Prerequisites

  1. Business domain owner can view and manage policies at the business domain.
  2. Data product owner can view and manage policies at the data product.
  3. Data stewards can view and manage policies at business domains, data products, glossary terms.
  4. Data catalog readers can view and request access to data products. Managers and privacy approvers of access requests also need at least the Data catalog reader role to be able to use the Data Catalog and approve requests as part of the tiered approval.

Considerations

In this preview experience, the approvers of a request must manually provide access to the individual data assets and then approve the request.

While not a limitation, note that policies such as attestations, including the no-copy attestation, aren't enforced in the product. The data consumer attests while requesting access.

Notifications around requested duration and expiration of access will be enabled post public preview.

Set up data product access policies

To build access policies, in most situations you'll need data product owner or data steward permissions.

  1. In the Microsoft Purview portal, open the data catalog.
  2. Select the Data management dropdown and select Data products.
  3. Select a data product.
  4. On the data product page, select Manage policies.
  5. From the Policy configuration window, you're able to create and manage your data product's access policy.

Tip

Your data product needs to be in an unpublished state to manage access policies.

Configure data product access policies

In the Manage policies window, you can view and edit the default values assigned to the default set of data product access policies. The selected values affect what the data consumers see on their access request form and actions they need to take.

  1. Under the Permitted access drop-down, add your usage purposes, which are the authorized purposes for accessing and using the data product. There are three values provided by default for which you can edit the description and add other purposes that the consumer will choose from in the request access form.
  2. Under the Approval requirements drop-down, select the users that will need to approve the access request. The first approver to take action will grant access to the data assets manually and then approve the request. By default, data product owners will be populated and more approvers can be added. You can also add Microsoft Entra ID groups or security groups as approvers, and approvers can see detailed status in the request view.
  3. Determine if manager approval or privacy and compliance review is required.

    Note

    If selected, the access request form will show that a review is required. The consumer’s manager in Microsoft Entra will be notified for the first tier of approval. The privacy reviewer named by the consumer in the request form will be notified for their approval. The request will first be reviewed by the manager, followed by the privacy reviewer, and then by other approvers for approval and granting of access. The request status is final only when all configured levels of approval are complete.

  4. Under Attestations, determine if copies of the data are permitted. This is reflected on the access request form for the consumer to attest to.
  5. If terms of use are present on a data product, those will also be reflected on the access request form for the consumer to attest to.
  6. Add any more attestations by selecting Add attestation and adding a display name and the file location. These are reflected on the request access form for the consumer to attest to.
  7. If there are policies inherited from the business domain or glossary term, you can see them in the Inherited policies tab. See the following section in this document for details: Policies on business domains and glossary terms (inherited policies).
  8. Select Preview request form to see what users see when they request access.
  9. Select Save changes to save the access policy for the business domain.

The following enhancements are coming soon:

  1. Policy to set access time limit, which is the maximum time allowed for data access. This is reflected in the access request form as the access duration the consumer can select.
  2. Determine the approval time frame. This is indicated on the access request form as the time taken for approvers to take action once the request is sent.

Policies on business domains, glossary terms and critical data elements (inherited policies)

The following policies can be set on business domains, glossary terms and critical data elements. Data products that are in the business domain, or that the glossary terms or critical data elements are applied or associated to, will inherit and aggregate the policies.

You can see the inherited policies in the data product manage policies view and the preview of the consumer form, which is also what the consumer will see on requesting access.

  1. Determine if manager approval is required. The data consumer’s manager configured in Microsoft Entra will be notified as the first tier of approval.
  2. Determine if copies of the data are permitted. This will be reflected on the access request form for the consumer to attest to.
  3. Add any more attestations you would like by selecting Add attestation and adding a display name and the file location. These will be reflected on the request access form for the consumer to attest to.
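
Because approvers grant access manually in this preview, it helps to check request records against the approval tiers the policies require. The following is an added example, not Microsoft code: it derives the tier order described in this article (manager, privacy reviewer, then other approvers) from a data product policy plus inherited policies, and flags requests that were finalized without every tier or approved out of order. The record fields, the Policy class and the rule that an inherited manager-approval requirement always applies are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    manager_approval: bool = False
    privacy_review: bool = False

def required_tiers(product, inherited=()):
    """Ordered tiers: manager, then privacy reviewer, then other approvers."""
    # Assumption: an inherited manager-approval requirement always applies.
    manager = product.manager_approval or any(p.manager_approval for p in inherited)
    tiers = ["manager"] if manager else []
    if product.privacy_review:
        tiers.append("privacy")
    return tiers + ["approver"]  # configured approvers act last

def audit_request(request, product, inherited=()):
    """Findings for one request record (hypothetical schema)."""
    needed = required_tiers(product, inherited)
    approved = [d["tier"] for d in request["decisions"] if d["action"] == "approve"]
    findings = []
    missing = [t for t in needed if t not in approved]
    if request["status"] == "approved" and missing:
        findings.append("final status without tiers: " + ", ".join(missing))
    seen = list(dict.fromkeys(t for t in approved if t in needed))
    if seen != [t for t in needed if t in seen]:
        findings.append("approvals recorded out of order")
    return findings

# Constructed sample data; field names are hypothetical, not a Purview export format.
PRODUCT = Policy(manager_approval=False, privacy_review=True)
DOMAIN = Policy(manager_approval=True)  # policy inherited from the business domain
REQUESTS = [
    {"id": "req-1", "status": "approved", "decisions": [
        {"tier": "manager", "action": "approve"},
        {"tier": "privacy", "action": "approve"},
        {"tier": "approver", "action": "approve"}]},
    {"id": "req-2", "status": "approved", "decisions": [
        {"tier": "approver", "action": "approve"}]},
    {"id": "req-3", "status": "pending", "decisions": [
        {"tier": "privacy", "action": "approve"},
        {"tier": "manager", "action": "approve"}]},
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r["id"], audit_request(r, PRODUCT, [DOMAIN]) or "ok")
```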

Manage access requests

  1. In the Microsoft Purview portal, open the Data Catalog.
  2. Select the Data management dropdown and select Data access.
  3. In the status column of the business domain table, you can sort by any domains that have open access requests.
  4. Select the business domain that you want to manage access requests for.
  5. On the details page are two tabs, one for access requests and one for data products.
  6. On the access requests tab, you can see a list of the most recent access requests.

Respond to access requests in Microsoft Purview

  1. Select the request you want to approve or decline and take action.
  2. View the details submitted by the consumer.
  3. Select Approve or Deny.
  4. The requestor will be notified via email and can also view the status on the Microsoft Purview Data Catalog Data product search page, in the My data access tab.

Respond to access requests through email notification

  1. In the email received as a request to approve an access request, select the Approval request link.
  2. In the approval request in the Microsoft Purview portal, view the details submitted by the consumer.
  3. Select Approve or Deny.
  4. The requestor will be notified via email and can also view the status on the Microsoft Purview Data Catalog Data product search page, in the My data access tab.