Adding permissions needed for SHIR

Author: whhender

articles/purview/catalog-permissions.md

@@ -54,6 +54,7 @@ The Microsoft Purview governance portal uses a set of predefined roles to contro
 |I need to create workflows for my Microsoft Purview account in the governance portal| Workflow administrator |
 |I need to share data from sources registered in Microsoft Purview | Data share contributor|
 |I need to view insights for collections I'm a part of | Insights reader **or** data curator |
+|I need to create or manage our [self-hosted integration runtime (SHIR)](manage-integration-runtimes.md) | Data source administrator |
 
 :::image type="content" source="media/catalog-permissions/catalog-permission-role.svg" alt-text="Chart showing Microsoft Purview governance portal roles" lightbox="media/catalog-permissions/catalog-permission-role.svg":::
 >[!NOTE]

articles/purview/concept-best-practices-security.md

@@ -138,6 +138,7 @@ Examples of control plane operations and data plane operations:
 |Deploy a Microsoft Purview account     | Control plane         | Azure subscription owner or contributor         | Azure RBAC roles         |
 |Set up a Private Endpoint for Microsoft Purview     | Control plane         | Contributor         | Azure RBAC roles        |
 |Delete a Microsoft Purview account      | Control plane         | Contributor         | Azure RBAC roles        |
+|Add or manage a [self-hosted integration runtime (SHIR)](manage-integration-runtimes.md) | Control plane | Data source administrator |Microsoft Purview roles |
 |View Microsoft Purview metrics to get current capacity units       | Control plane         | Reader       | Azure RBAC roles        |
 |Create a collection      | Data plane           | Collection Admin        | Microsoft Purview roles        |
 |Register a data source    | Data plane          | Collection Admin         | Microsoft Purview roles         |

articles/purview/manage-integration-runtimes.md

@@ -52,6 +52,8 @@ Installation of the self-hosted integration runtime on a domain controller isn't
 > For your source, **[refer to each source article for prerequisite details.](azure-purview-connector-overview.md)**
 > Any requirements will be listed in the **Prerequisites** section.
 
+- To add and manage a SHIR in Microsoft Purview, you'll need [data source administrator permissions](catalog-permissions.md) in Microsoft Purview.
+
 - Self-hosted integration runtime requires a 64-bit Operating System with .NET Framework 4.7.2 or above. See [.NET Framework System Requirements](/dotnet/framework/get-started/system-requirements) for details.
 
 - Ensure Visual C++ Redistributable for Visual Studio 2015 or higher is installed on the self-hosted integration runtime machine. If you don't have this update installed, [you can download it here](/cpp/windows/latest-supported-vc-redist#visual-studio-2015-2017-2019-and-2022).
@@ -76,6 +78,9 @@ To create and set up a self-hosted integration runtime, use the following proced
 
 ### Create a self-hosted integration runtime
 
+>[!NOTE]
+> To add or manage a SHIR in Microsoft Purview, you'll need [data source administrator permissions](catalog-permissions.md) in Microsoft Purview.
+
 1. On the home page of the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/), select **Data Map** from the left navigation pane.
 
 2. Under **Sources and scanning** on the left pane, select **Integration runtimes**, and then select **+ New**.
@@ -110,13 +115,13 @@ You can register multiple nodes for a self-hosted integration runtime using the
 
 ## Manage a self-hosted integration runtime
 
-You can edit a self-hosted integration runtime by navigating to **Integration runtimes** in the Microsoft Purview governance portal, hover on the IR then click the **Edit** button. 
+You can edit a self-hosted integration runtime by navigating to **Integration runtimes** in the Microsoft Purview governance portal, hover on the IR then select the **Edit** button. 
 
 In the **Settings** tab, you can update the description, copy the key, or regenerate new keys. In the **Nodes** tab, you can manage the registered nodes. And in the **Version** tab, you can see the IR version status.
 
 :::image type="content" source="media/manage-integration-runtimes/edit-integration-runtime-settings.png" alt-text="edit IR details.":::
 
-You can delete a self-hosted integration runtime by navigating to **Integration runtimes**, hover on the IR then click the **Delete** button. 
+You can delete a self-hosted integration runtime by navigating to **Integration runtimes**, hover on the IR then select the **Delete** button. 
 
 ### Notification area icons and notifications
 
@@ -141,7 +146,7 @@ Make sure the account has the permission of Log-on as a service. Otherwise self-
 You can associate a self-hosted integration runtime with multiple on-premises machines or virtual machines in Azure. These machines are called nodes. You can have up to four nodes associated with a self-hosted integration runtime. The benefits of having multiple nodes are:
 
 - Higher availability of the self-hosted integration runtime so that it's no longer the single point of failure for scan. This availability helps ensure continuity when you use up to four nodes.
-- Run more concurrent scans. Each self-hosted integration runtime can empower a number of scans at the same time, auto determined based on the machine's CPU/memory. You can install additional nodes if you have more concurrency need. Each scan will be executed on one of the nodes. Having more nodes doesn't improve the performance of a single scan execution.
+- Run more concurrent scans. Each self-hosted integration runtime can empower many scans at the same time, auto determined based on the machine's CPU/memory. You can install more nodes if you have more concurrency need. Each scan will be executed on one of the nodes. Having more nodes doesn't improve the performance of a single scan execution.
 
 You can associate multiple nodes by installing the self-hosted integration runtime software from [Download Center](https://www.microsoft.com/download/details.aspx?id=39717). Then, register it by using the same authentication key.