Commit 2c77354

Merge pull request #233203 from inward-eye/main
changes to generic config for resource moved to another RG
2 parents fac8887 + 57daa03 commit 2c77354

2 files changed

+9
-3
lines changed

articles/purview/how-to-policies-data-owner-storage.md

Lines changed: 2 additions & 1 deletion
@@ -7,7 +7,7 @@ ms.service: purview
77
ms.subservice: purview-data-policies
88
ms.topic: how-to
99
ms.custom: references_regions, event-tier1-build-2022
10-
ms.date: 10/10/2022
10+
ms.date: 04/03/2023
1111
---
1212

1313
# Access provisioning by data owner to Azure Storage datasets (Preview)
@@ -59,6 +59,7 @@ Follow this link for the steps to [update or delete a data owner policy in Micro
5959

6060
## Data Consumption
6161
- Data consumer can access the requested dataset using tools such as Power BI or Azure Synapse Analytics workspace.
62+
- The Copy and Clone commands in Azure Storage Explorer require additional IAM permissions to work in addition to the Allow Modify policy from Purview. Provide Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action permission in IAM to the Azure AD principal.
6263
- Sub-container access: Policy statements set below container level on a Storage account are supported. However, users will not be able to browse to the data asset using Azure portal's Storage Browser or Microsoft Azure Storage Explorer tool if access is granted only at file or folder level of the Azure Storage account. This is because these apps attempt to crawl down the hierarchy starting at container level, and the request fails because no access has been granted at that level. Instead, the App that requests the data must execute a direct access by providing a fully qualified name to the data object. The following documents show examples of how to perform a direct access. See also the blogs in the *Next steps* section of this how-to-guide.
6364
- [*abfs* for ADLS Gen2](../hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md#access-files-from-the-cluster)
6465
- [*az storage blob download* for Blob Storage](../storage/blobs/storage-quickstart-blobs-cli.md#download-a-blob)
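
Review bot: The bullet added at line 62 names the action Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action but does not say at which scope it must be granted or through what kind of role assignment, so a reader is likely to assign a broad role on the storage account just to make Copy and Clone work. Suggest stating the scope and recommending a role that carries only this action. As a style point, put the action name in backticks and remove the repetition in "require additional IAM permissions to work in addition to", for example "also require an IAM permission in addition to the Allow Modify policy from Purview".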

articles/purview/includes/access-policies-configuration-generic.md

Lines changed: 7 additions & 2 deletions
@@ -4,13 +4,18 @@ ms.author: vlrodrig
44
ms.service: purview
55
ms.subservice: purview-data-policies
66
ms.topic: include
7-
ms.date: 02/03/2023
7+
ms.date: 04/03/2023
88
ms.custom:
99
---
1010

11+
#### Register the data source in Microsoft Purview
12+
Before a policy can be created in Microsoft Purview for a data resource, you must register that data resource in Microsoft Purview Studio. You will find the instructions related to registering the data resource later in this guide.
13+
>[!NOTE]
14+
> If a data source is moved to a new resource group or subscription it first needs to be de-registered and then re-registered for Microsoft Purview's policies to continue to work, as they rely on the data source's ARM path.
15+
1116
#### Configure permissions to enable Data use management on the data source
1217

13-
Before a policy can be created in Microsoft Purview for a resource, you must configure permissions. To enable the **Data use management** toggle for a data source, resource group, or subscription, the *same user* must have *both* specific identity and access management (IAM) privileges on the resource and specific Microsoft Purview privileges:
18+
Once a resource is registered, but before a policy can be created in Microsoft Purview for that resource, you must configure permissions. A set of permissions are needed to enable the **Data use management**. This applies to data sources, resource groups, or subscriptions. To enable *Data use management*, the **same user** must have **both** specific identity and access management (IAM) privileges on the resource and specific Microsoft Purview privileges:
1419

1520
- The user must have *either one* of the following IAM role combinations on the resource's Azure Resource Manager path or any parent of it (that is, using IAM permission inheritance):
1621
- IAM Owner
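
Review bot: The NOTE added at lines 13-14 says a moved data source must be de-registered and re-registered because policies rely on its ARM path, but it does not say what state existing policies are in between the move and the re-registration, or whether they must be re-published and Data use management re-enabled afterwards. Readers need that to judge whether access granted by policy stops working after a move; suggest adding one sentence that states it. Smaller points: "You will find the instructions related to registering the data resource later in this guide" at line 12 would be better as a link, since this file is an include (ms.topic: include) and "this guide" depends on where it is embedded; "A set of permissions are needed to enable the **Data use management**." at line 18 has an agreement error and a stray "the"; and the emphasis in that paragraph is now mixed, with bold **same user** and **both** next to italic *Data use management* and *either one*.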
