Merge pull request #218355 from inward-eye/main

added devops policy on resource group or subscription

Author: 19BMG00

articles/purview/concept-policies-devops.md

@@ -59,6 +59,7 @@ Bob and Alice are DevOps users at their company. Given their role, they need to
 
 ## Next steps
 To get started with DevOps policies, consult the following guides:
-* Document: [Microsoft Purview DevOps policies on Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md)
-* Document: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md)
+* Doc: [Microsoft Purview DevOps policies on Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md)
+* Doc: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md)
+* Doc: [Microsoft Purview DevOps policies on resource groups and subscriptions](./how-to-policies-devops-resource-group.md)
 * Blog: [New granular permissions for SQL Server 2022 and Azure SQL to help PoLP](https://techcommunity.microsoft.com/t5/sql-server-blog/new-granular-permissions-for-sql-server-2022-and-azure-sql-to/ba-p/3607507)

articles/purview/how-to-policies-data-owner-arc-sql-server.md

@@ -65,19 +65,26 @@ Execute the steps in the **Create a new policy** and **Publish a policy** sectio
 > - Publish is a background operation. It can take up to **5 minutes** for the changes to be reflected in this data source.
 > - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.
 
-### Test the policy
+
+## Unpublish a data owner policy
+Follow this link for the steps to [unpublish a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#unpublish-a-policy).
+
+## Update or delete a data owner policy
+Follow this link for the steps to [update or delete a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#update-or-delete-a-policy).
+
+## Test the policy
 
 The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
 
-#### Force policy download
+### Force policy download
 It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
 
 ```sql
 -- Force immediate download of latest published policies
 exec sp_external_policy_refresh reload
 ```  
 
-#### Analyze downloaded policy state from SQL
+### Analyze downloaded policy state from SQL
 The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
 
 ```sql

articles/purview/how-to-policies-data-owner-azure-sql-db.md

@@ -49,19 +49,26 @@ Execute the steps in the **Create a new policy** and **Publish a policy** sectio
 > - Publish is a background operation. It can take up to **5 minutes** for the changes to be reflected in this data source.
 > - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.
 
-### Test the policy
+
+## Unpublish a data owner policy
+Follow this link for the steps to [unpublish a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#unpublish-a-policy).
+
+## Update or delete a data owner policy
+Follow this link for the steps to [update or delete a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#update-or-delete-a-policy).
+
+## Test the policy
 
 The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
 
-#### Force policy download
+### Force policy download
 It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
 
 ```sql
 -- Force immediate download of latest published policies
 exec sp_external_policy_refresh reload
 ```  
 
-#### Analyze downloaded policy state from SQL
+### Analyze downloaded policy state from SQL
 The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
 
 ```sql

articles/purview/how-to-policies-data-owner-resource-group.md

@@ -56,6 +56,11 @@ Execute the steps in the **Create a new policy** and **Publish a policy** sectio
 > - Publish is a background operation. For example, Azure Storage accounts can take up to **2 hours** to reflect the changes.
 > - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.
 
+## Unpublish a data owner policy
+Follow this link for the steps to [unpublish a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#unpublish-a-policy).
+
+## Update or delete a data owner policy
+Follow this link for the steps to [update or delete a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#update-or-delete-a-policy).
 
 ## Additional information
 - Creating a policy at subscription or resource group level will enable the Subjects to access Azure Storage system containers,  for example, *$logs*. If this is undesired, first scan the data source and then create finer-grained policies for each (that is, at container or sub-container level).

articles/purview/how-to-policies-data-owner-storage.md

@@ -50,6 +50,13 @@ Execute the steps in the **Create a new policy** and **Publish a policy** sectio
 >[!Important]
 > - Publish is a background operation. Azure Storage accounts can take up to **2 hours** to reflect the changes.
 
+
+## Unpublish a data owner policy
+Follow this link for the steps to [unpublish a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#unpublish-a-policy).
+
+## Update or delete a data owner policy
+Follow this link for the steps to [update or delete a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#update-or-delete-a-policy).
+
 ## Data Consumption
 - Data consumer can access the requested dataset using tools such as Power BI or Azure Synapse Analytics workspace.
 - Sub-container access: Policy statements set below container level on a Storage account are supported. However, users will not be able to browse to the data asset using Azure portal's Storage Browser or Microsoft Azure Storage Explorer tool if access is granted only at file or folder level of the Azure Storage account. This is because these apps attempt to crawl down the hierarchy starting at container level, and the request fails because no access has been granted at that level. Instead, the App that requests the data must execute a direct access by providing a fully qualified name to the data object. The following documents show examples of how to perform a direct access. See also the blogs in the *Next steps* section of this how-to-guide.

articles/purview/how-to-policies-devops-arc-sql-server.md

@@ -9,7 +9,7 @@ ms.topic: how-to
 ms.date: 11/04/2022
 ms.custom:
 ---
-# Provision access to Arc-enabled SQL Server for DevOps actions (preview)
+# Provision access to system metadata in Arc-enabled SQL Server (preview)
 
 [!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
 
@@ -47,8 +47,6 @@ The Arc-enabled SQL Server data source needs to be registered first with Microso
 Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this picture. 
 ![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-arc-sql.png)
 
-> [!Note]
-> If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently for *Data use management* to provide their App ID.
 
 ## Create a new DevOps policy
 Follow this link for the steps to [create a new DevOps policy in Microsoft Purview](how-to-policies-devops-authoring-generic.md#create-a-new-devops-policy).
@@ -65,19 +63,19 @@ Follow this link for the steps to [delete a DevOps policies in Microsoft Purview
 >[!Important]
 > DevOps policies are auto-published and changes can take up to **5 minutes** to be enforced by the data source.
 
-### Test the policy
+## Test the policy
 
 The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
 
-#### Force policy download
+### Force policy download
 It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
 
 ```sql
 -- Force immediate download of latest published policies
 exec sp_external_policy_refresh reload
 ```  
 
-#### Analyze downloaded policy state from SQL
+### Analyze downloaded policy state from SQL
 The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
 
 ```sql
@@ -130,3 +128,4 @@ Check the blog and related docs
 * Video: [Microsoft Purview DevOps policies on data sources and resource groups](https://youtu.be/YCDJagrgEAI)
 * Video: [Reduce the effort with Microsoft Purview DevOps policies on resource groups](https://youtu.be/yMMXCeIFCZ8)
 * Doc: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md)
+* Doc: [Microsoft Purview DevOps policies on resource groups and subscriptions](./how-to-policies-devops-resource-group.md)

articles/purview/how-to-policies-devops-azure-sql-db.md

@@ -9,7 +9,7 @@ ms.topic: how-to
 ms.date: 11/04/2022
 ms.custom: references_regions
 ---
-# Provision access to Azure SQL Database for DevOps actions (preview)
+# Provision access to system metadata in Azure SQL Database (preview)
 
 [!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
 
@@ -49,18 +49,18 @@ Follow this link for the steps to [delete a DevOps policies in Microsoft Purview
 >[!Important]
 > DevOps policies are auto-published and changes can take up to **5 minutes** to be enforced by the data source.
 
-### Test the policy
+## Test the policy
 The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
 
-#### Force policy download
+### Force policy download
 It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
 
 ```sql
 -- Force immediate download of latest published policies
 exec sp_external_policy_refresh reload
 ```  
 
-#### Analyze downloaded policy state from SQL
+### Analyze downloaded policy state from SQL
 The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
 
 ```sql
@@ -113,4 +113,6 @@ Check the blog and related docs
 * Video: [Microsoft Purview DevOps policies on data sources and resource groups](https://youtu.be/YCDJagrgEAI)
 * Video: [Reduce the effort with Microsoft Purview DevOps policies on resource groups](https://youtu.be/yMMXCeIFCZ8)
 * Doc: [Microsoft Purview DevOps policies on Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md)
+* Doc: [Microsoft Purview DevOps policies on resource groups and subscriptions](./how-to-policies-devops-resource-group.md)
+
 

articles/purview/how-to-policies-devops-resource-group.md

@@ -0,0 +1,67 @@
+---
+title: Provision access to resource groups and subscriptions for DevOps actions
+description: Step-by-step guide showing how to provision access to entire resource groups and subscriptions through Microsoft Purview DevOps policies
+author: inward-eye
+ms.author: vlrodrig
+ms.service: purview
+ms.subservice: purview-data-policies
+ms.topic: how-to
+ms.date: 11/14/2022
+ms.custom:
+---
+# Provision access to system metadata in resource groups or subscriptions
+
+[DevOps policies](concept-policies-devops.md) are a type of Microsoft Purview access policies. They allow you to manage access to system metadata (DMVs and DMFs) via *SQL Performance Monitoring* or *SQL Security Auditing* actions. They can be created only on data sources that have been registered for *Data use management* in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after being saved they get automatically published and then get enforced by the data source. Microsoft Purview access policies apply to Azure AD Accounts only.
+
+In this guide we cover how to register an entire resource group or subscription and then create a single policy that will manage access to **all** data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards.
+
+## Prerequisites
+[!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
+[!INCLUDE [Access policies Azure SQL Database pre-requisites](./includes/access-policies-prerequisites-azure-sql-db.md)]
+
+**Only these data sources are enabled for access policies on resource group or subscription**. Follow the **Prerequisites** section that is specific to the data source(s) in these guides:
+* [DevOps policies on an Azure SQL Database](./how-to-policies-devops-azure-sql-db.md#prerequisites)
+* [DevOps policies on an Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md#prerequisites)
+
+## Microsoft Purview Configuration
+[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
+
+### Register the subscription or resource group for Data Use Management
+The subscription or resource group needs to be registered with Microsoft Purview to later define access policies.
+
+To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide:
+
+- [Register multiple sources in Microsoft Purview](register-scan-azure-multiple-sources.md#prerequisites)
+
+After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md) 
+
+In the end, your resource will have the  **Data Use Management** toggle **Enabled**, as shown in the screenshot:
+
+![Screenshot shows how to register a resource group or subscription for policy by toggling the enable tab in the resource editor.](./media/how-to-policies-data-owner-resource-group/register-resource-group-for-policy.png)
+
+>[!Important]
+> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* to provide their App ID: [See this document](./how-to-policies-devops-arc-sql-server.md#register-data-sources-in-microsoft-purview).
+
+
+## Create a new DevOps policy
+Follow this link for the steps to [create a new DevOps policy in Microsoft Purview](how-to-policies-devops-authoring-generic.md#create-a-new-devops-policy).
+
+## List DevOps policies
+Follow this link for the steps to [list DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#list-devops-policies).
+
+## Update a DevOps policy
+Follow this link for the steps to [update a DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#update-a-devops-policy).
+
+## Delete a DevOps policy
+Follow this link for the steps to [delete a DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#delete-a-devops-policy).
+
+
+### Test the policy
+To test the policy see the DevOps policy guides for the underlying data sources listed in the [next steps section](#next-steps) of this document.
+
+## Next steps
+Check the blog and related docs
+* Blog: [Microsoft Purview DevOps policies enable at scale access provisioning for IT operations](https://techcommunity.microsoft.com/t5/microsoft-purview-blog/microsoft-purview-devops-policies-enable-at-scale-access/ba-p/3604725)
+* Video: [Reduce the effort with Microsoft Purview DevOps policies on resource groups](https://youtu.be/yMMXCeIFCZ8)
+* Doc: [Microsoft Purview DevOps policies on Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md)
+* Doc: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md)

articles/purview/toc.yml

@@ -30,6 +30,10 @@ items:
       href: quickstart-data-share.md
     - name: .NET data sharing
       href: quickstart-data-share-dotnet.md
+  - name: Data Policy
+    items:
+    - name: Create a simple DevOps policy
+      href: how-to-policies-devops-azure-sql-db.md
 - name: Tutorials
   items:
   - name: Deployment checklist
@@ -355,6 +359,8 @@ items:
         href: how-to-policies-devops-azure-sql-db.md
       - name: DevOps policies - Azure Arc enabled SQL Servers
         href: how-to-policies-devops-arc-sql-server.md
+      - name: DevOps policies - Resource groups or Subscriptions
+        href: how-to-policies-devops-resource-group.md
     - name: Data owner policies
       items:
       - name: Data owner policies - Author and publish policies