|
| 1 | +--- |
| 2 | +title: Provision access to resource groups and subscriptions for DevOps actions |
| 3 | +description: Step-by-step guide showing how to provision access to entire resource groups and subscriptions through Microsoft Purview DevOps policies |
| 4 | +author: inward-eye |
| 5 | +ms.author: vlrodrig |
| 6 | +ms.service: purview |
| 7 | +ms.subservice: purview-data-policies |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 11/14/2022 |
| 10 | +ms.custom: |
| 11 | +--- |
| 12 | +# Provision access to system metadata in resource groups or subscriptions |
| 13 | + |
| 14 | +[DevOps policies](concept-policies-devops.md) are a type of Microsoft Purview access policies. They allow you to manage access to system metadata (DMVs and DMFs) via *SQL Performance Monitoring* or *SQL Security Auditing* actions. They can be created only on data sources that have been registered for *Data use management* in Microsoft Purview. These policies are configured directly in the Microsoft Purview governance portal, and after being saved they get automatically published and then get enforced by the data source. Microsoft Purview access policies apply to Azure AD Accounts only. |
| 15 | + |
| 16 | +In this guide we cover how to register an entire resource group or subscription and then create a single policy that will manage access to **all** data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards. |
| 17 | + |
| 18 | +## Prerequisites |
| 19 | +[!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)] |
| 20 | +[!INCLUDE [Access policies Azure SQL Database pre-requisites](./includes/access-policies-prerequisites-azure-sql-db.md)] |
| 21 | + |
| 22 | +**Only these data sources are enabled for access policies on resource group or subscription**. Follow the **Prerequisites** section that is specific to the data source(s) in these guides: |
| 23 | +* [DevOps policies on an Azure SQL Database](./how-to-policies-devops-azure-sql-db.md#prerequisites) |
| 24 | +* [DevOps policies on an Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md#prerequisites) |
| 25 | + |
| 26 | +## Microsoft Purview Configuration |
| 27 | +[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)] |
| 28 | + |
| 29 | +### Register the subscription or resource group for Data Use Management |
| 30 | +The subscription or resource group needs to be registered with Microsoft Purview to later define access policies. |
| 31 | + |
| 32 | +To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide: |
| 33 | + |
| 34 | +- [Register multiple sources in Microsoft Purview](register-scan-azure-multiple-sources.md#prerequisites) |
| 35 | + |
| 36 | +After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md) |
| 37 | + |
| 38 | +In the end, your resource will have the **Data Use Management** toggle **Enabled**, as shown in the screenshot: |
| 39 | + |
| 40 | + |
| 41 | + |
| 42 | +>[!Important] |
| 43 | +> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* to provide their App ID: [See this document](./how-to-policies-devops-arc-sql-server.md#register-data-sources-in-microsoft-purview). |
| 44 | +
|
| 45 | + |
| 46 | +## Create a new DevOps policy |
| 47 | +Follow this link for the steps to [create a new DevOps policy in Microsoft Purview](how-to-policies-devops-authoring-generic.md#create-a-new-devops-policy). |
| 48 | + |
| 49 | +## List DevOps policies |
| 50 | +Follow this link for the steps to [list DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#list-devops-policies). |
| 51 | + |
| 52 | +## Update a DevOps policy |
| 53 | +Follow this link for the steps to [update a DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#update-a-devops-policy). |
| 54 | + |
| 55 | +## Delete a DevOps policy |
| 56 | +Follow this link for the steps to [delete a DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#delete-a-devops-policy). |
| 57 | + |
| 58 | + |
| 59 | +### Test the policy |
| 60 | +To test the policy see the DevOps policy guides for the underlying data sources listed in the [next steps section](#next-steps) of this document. |
| 61 | + |
| 62 | +## Next steps |
| 63 | +Check the blog and related docs |
| 64 | +* Blog: [Microsoft Purview DevOps policies enable at scale access provisioning for IT operations](https://techcommunity.microsoft.com/t5/microsoft-purview-blog/microsoft-purview-devops-policies-enable-at-scale-access/ba-p/3604725) |
| 65 | +* Video: [Reduce the effort with Microsoft Purview DevOps policies on resource groups](https://youtu.be/yMMXCeIFCZ8) |
| 66 | +* Doc: [Microsoft Purview DevOps policies on Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md) |
| 67 | +* Doc: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md) |
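Review bot: At new line 59, `### Test the policy` is an H3, so it renders as a subsection of "Delete a DevOps policy"; make it `## Test the policy` so it sits alongside the create, list, update and delete sections. Lines 53 and 56 read "a DevOps policies" in the link text and should say "a DevOps policy". The front-matter title on line 2 ("... for DevOps actions") and the H1 on line 12 ("... to system metadata ...") describe the page differently, so align them. Line 16 states that one policy covers every existing and future data source in the resource group or subscription. The only pointer to the Data Use Management secure practices is on line 36, so consider repeating it under "Create a new DevOps policy", where the author actually grants access at that scope.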