You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/purview/how-to-enable-data-use-governance.md
+8-4Lines changed: 8 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.author: vlrodrig
6
6
ms.service: purview
7
7
ms.subservice: purview-data-policies
8
8
ms.topic: how-to
9
-
ms.date: 3/07/2022
9
+
ms.date: 3/24/2022
10
10
ms.custom:
11
11
---
12
12
@@ -56,8 +56,13 @@ To disable data use governance for a source, resource group, or subscription, a
56
56
57
57
1. Set the **Data use governance** toggle to **Disabled**.
58
58
59
+
## Delegation of access control responsibility to Azure Purview
60
+
1. Once a resource has been enabled for *Data use Governance*, **any** Azure Purview *policy author* will be able to create access policies against it, and **any** Azure Purview *Data source admin* will be able to publish those policies at **any point afterwards**
61
+
1. **Any** Azure Purview *root collection admin* can create **new***Data Source Admin* and *Policy author* roles
59
62
60
-
### Important considerations related to Data use governance
63
+
Also, we mention in the documentation that root collection policy author / DSA are needed to create / publish policies. Have we tested or can we confirm that non-root policy authors or DSAs are prevented from creating or publishing policies? What other negative testing have we done?
64
+
65
+
## Additional considerations related to Data use governance
61
66
- Make sure you write down the **Name** you use when registering in Azure Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
62
67
- To disable a source for *Data use governance*, remove it first from being bound (i.e. published) in any policy.
63
68
- While user needs to have both data source *Owner* and Azure Purview *Data source admin* to enable a source for *Data use governance*, either of those roles can independently disable it.
@@ -68,7 +73,7 @@ To disable data use governance for a source, resource group, or subscription, a
68
73
> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.
69
74
> - Once a subscription gets disabled for *Data use governance* any underlying assets that are enabled for *Data use governance* will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that.
70
75
71
-
###Data use governance best practices
76
+
## Data use governance best practices
72
77
- We highly encourage registering data sources for *Data use governance* and managing all associated access policies in a single Azure Purview account.
73
78
- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
74
79
-**Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.
@@ -78,7 +83,6 @@ To disable data use governance for a source, resource group, or subscription, a
78
83
79
84
80
85
81
-
82
86
## Next steps
83
87
84
88
-[Create data owner policies for your resources](how-to-data-owner-policy-authoring-generic.md)
0 commit comments