Commit 2f79b62

Merge pull request #199068 from whhender/language-update-proposal
Language update proposal
2 parents ccabbaf + 7724cae commit 2f79b62

5 files changed: +109 -105 lines changed

Lines changed: 29 additions & 30 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Understand access and permissions in the Microsoft Purview Data Map
3-
description: This article gives an overview permission, access control, and collections in the Microsoft Purview Data Map. Role-based access control is managed within the Microsoft Purview Data Map itself, so this guide will cover the basics to secure your information.
2+
title: Understand access and permissions in the Microsoft Purview governance portal
3+
description: This article gives an overview permission, access control, and collections in the Microsoft Purview governance portal. Role-based access control is managed within the Microsoft Purview Data Map in the governance portal itself, so this guide will cover the basics to secure your information.
44
author: viseshag
55
ms.author: viseshag
66
ms.service: purview
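Review bot: The new `description` on line 3 still reads "gives an overview permission, access control, and collections", which is missing "of" after "overview"; since the line is being rewritten anyway, change it to "gives an overview of permissions, access control, and collections". The added wording "within the Microsoft Purview Data Map in the governance portal itself" also leaves "itself" attached to the portal rather than to the Data Map, where role-based access control is said to be managed.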
@@ -9,31 +9,30 @@ ms.topic: conceptual
99
ms.date: 05/16/2022
1010
---
1111

12-
# Access control in the Microsoft Purview Data Map
12+
# Access control in the Microsoft Purview governance portal
1313

14-
The Microsoft Purview Data Map uses **Collections** to organize and manage access across its sources, assets, and other artifacts. This article describes collections and access management in your Microsoft Purview Data Map.
14+
The Microsoft Purview governance portal uses **Collections** in the Microsoft Purview Data Map to organize and manage access across its sources, assets, and other artifacts. This article describes collections and access management for your account in the Microsoft Purview governance portal.
1515

1616
> [!IMPORTANT]
1717
> This article refers to permissions required for the Microsoft Purview governance portal, and applications like the Microsoft Purview Data Map, Data Catalog, Data Estate Insights, etc. If you are looking for permissions information for the Microsoft Purview compliance center, follow [the article for permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions).
1818
1919
## Collections
2020

21-
A collection is a tool Microsoft Purview uses to group assets, sources, and other artifacts into a hierarchy for discoverability and to manage access control. All accesses to Microsoft Purview's resources are managed from collections in the Microsoft Purview account itself.
21+
A collection is a tool that the Microsoft Purview Data Map uses to group assets, sources, and other artifacts into a hierarchy for discoverability and to manage access control. All accesses to the Microsoft Purview governance portal's resources are managed from collections in the Microsoft Purview Data Map.
2222

2323
## Roles
2424

25-
Microsoft Purview uses a set of predefined roles to control who can access what within the account. These roles are currently:
25+
The Microsoft Purview governance portal uses a set of predefined roles to control who can access what within the account. These roles are currently:
2626

27-
- **Collection administrator** - a role for users that will need to assign roles to other users in Microsoft Purview or manage collections. Collection admins can add users to roles on collections where they're admins. They can also edit collections, their details, and add subcollections.
27+
- **Collection administrator** - a role for users that will need to assign roles to other users in the Microsoft Purview governance portal or manage collections. Collection admins can add users to roles on collections where they're admins. They can also edit collections, their details, and add subcollections.
2828
- **Data curators** - a role that provides access to the data catalog to manage assets, configure custom classifications, set up glossary terms, and view data estate insights. Data curators can create, read, modify, move, and delete assets. They can also apply annotations to assets.
2929
- **Data readers** - a role that provides read-only access to data assets, classifications, classification rules, collections and glossary terms.
30-
- **Data source administrator** - a role that allows a user to manage data sources and scans. If a user is granted only to **Data source admin** role on a given data source, they can run new scans using an existing scan rule. To create new scan rules, the user must be also granted as either **Data reader** or **Data curator** roles.
31-
- **Insights reader** - a role that provides read-only access to insights reports for collections where the insights reader also has at least the **Data reader** role. For more information, see [insights permissions.](insights-permissions.md)
32-
- **Policy author (Preview)** - a role that allows a user to view, update, and delete Microsoft Purview policies through the policy management app within Microsoft Purview.
30+
- **Data source administrator** - a role that allows a user to manage data sources and scans. If a user is granted only to **Data source admin** role on a given data source, they can run new scans using an existing scan rule. To create new scan rules, the user must be also granted as either **Data reader** or **Data curator** roles.- **Insights reader** - a role that provides read-only access to insights reports for collections where the insights reader also has at least the **Data reader** role. For more information, see [insights permissions.](insights-permissions.md)
31+
- **Policy author (Preview)** - a role that allows a user to view, update, and delete Microsoft Purview policies through the policy management app within the Microsoft Purview governance portal.
3332
- **Workflow administrator** - a role that allows a user to access the workflow authoring page in the Microsoft Purview governance portal, and publish workflows on collections where they have access permissions. Workflow administrator only has access to authoring, and so will need at least Data reader permission on a collection to be able to access the Purview governance portal.
3433

3534
> [!NOTE]
36-
> At this time, Microsoft Purview Policy author role is not sufficient to create policies. The Microsoft Purview Data source admin role is also required.
35+
> At this time, Microsoft Purview policy author role is not sufficient to create policies. The Microsoft Purview data source admin role is also required.
3736
3837
## Who should be assigned to what role?
3938
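Review bot: New line 30 joins two list items into one: the **Data source administrator** bullet now ends with "roles.- **Insights reader** - a role that provides read-only access", so Insights reader no longer starts on its own line and will not render as a separate bullet in the roles list (the hunk header shows 31 old lines against 30 new). Restore the line break so the Insights reader entry begins with "- " on its own line. Separately, the note on line 35 lowercases "policy author" and "data source admin" while the bullets above keep the role names capitalized and bold, so pick one form.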

@@ -43,38 +42,38 @@ Microsoft Purview uses a set of predefined roles to control who can access what
4342
|I need to edit information about assets, assign classifications, associate them with glossary entries, and so on.|Data curator|
4443
|I need to edit the glossary or set up new classification definitions|Data curator|
4544
|I need to view Data Estate Insights to understand the governance posture of my data estate|Data curator|
46-
|My application's Service Principal needs to push data to Microsoft Purview|Data curator|
45+
|My application's Service Principal needs to push data to the Microsoft Purview Data Map|Data curator|
4746
|I need to set up scans via the Microsoft Purview governance portal|Data curator on the collection **or** data curator **and** data source administrator where the source is registered.|
48-
|I need to enable a Service Principal or group to set up and monitor scans in Microsoft Purview without allowing them to access the catalog's information |Data source administrator|
49-
|I need to put users into roles in Microsoft Purview | Collection administrator |
47+
|I need to enable a Service Principal or group to set up and monitor scans in the Microsoft Purview Data Map without allowing them to access the catalog's information |Data source administrator|
48+
|I need to put users into roles in the Microsoft Purview governance portal| Collection administrator |
5049
|I need to create and publish access policies | Data source administrator and policy author |
51-
|I need to create workflows for my Microsoft Purview account | Workflow administrator |
50+
|I need to create workflows for my Microsoft Purview account in the governance portal| Workflow administrator |
5251
|I need to view insights for collections I'm a part of | Insights reader **or** data curator |
5352

54-
:::image type="content" source="media/catalog-permissions/catalog-permission-role.svg" alt-text="Chart showing Microsoft Purview roles" lightbox="media/catalog-permissions/catalog-permission-role.svg":::
53+
:::image type="content" source="media/catalog-permissions/catalog-permission-role.svg" alt-text="Chart showing Microsoft Purview governance portal roles" lightbox="media/catalog-permissions/catalog-permission-role.svg":::
5554
>[!NOTE]
5655
> **\*Data source administrator permissions on Policies** - Data source administrators are also able to publish data policies.
5756
58-
## Understand how to use Microsoft Purview's roles and collections
57+
## Understand how to use the Microsoft Purview governance portal's roles and collections
5958

60-
All access control is managed in Microsoft Purview's collections. Microsoft Purview's collections can be found in the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/). Open your Microsoft Purview account in the [Azure portal](https://portal.azure.com) and select the Microsoft Purview governance portal tile on the Overview page. From there, navigate to the data map on the left menu, and then select the 'Collections' tab.
59+
All access control is managed through collections in the Microsoft Purview Data Map. The collections can be found in the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/). Open your account in the [Azure portal](https://portal.azure.com) and select the Microsoft Purview governance portal tile on the Overview page. From there, navigate to the data map on the left menu, and then select the 'Collections' tab.
6160

62-
When a Microsoft Purview account is created, it starts with a root collection that has the same name as the Microsoft Purview account itself. The creator of the Microsoft Purview account is automatically added as a Collection Admin, Data Source Admin, Data Curator, and Data Reader on this root collection, and can edit and manage this collection.
61+
When a Microsoft Purview (formerly Azure Purview) account is created, it starts with a root collection that has the same name as the account itself. The creator of the account is automatically added as a Collection Admin, Data Source Admin, Data Curator, and Data Reader on this root collection, and can edit and manage this collection.
6362

64-
Sources, assets, and objects can be added directly to this root collection, but so can other collections. Adding collections will give you more control over who has access to data across your Microsoft Purview account.
63+
Sources, assets, and objects can be added directly to this root collection, but so can other collections. Adding collections will give you more control over who has access to data across your account.
6564

66-
All other users can only access information within the Microsoft Purview account if they, or a group they're in, are given one of the above roles. This means, when you create a Microsoft Purview account, no one but the creator can access or use its APIs until they're [added to one or more of the above roles in a collection](how-to-create-and-manage-collections.md#add-role-assignments).
65+
All other users can only access information within the Microsoft Purview governance portal if they, or a group they're in, are given one of the above roles. This means, when you create an account, no one but the creator can access or use its APIs until they're [added to one or more of the above roles in a collection](how-to-create-and-manage-collections.md#add-role-assignments).
6766

6867
Users can only be added to a collection by a collection admin, or through permissions inheritance. The permissions of a parent collection are automatically inherited by its subcollections. However, you can choose to [restrict permission inheritance](how-to-create-and-manage-collections.md#restrict-inheritance) on any collection. If you do this, its subcollections will no longer inherit permissions from the parent and will need to be added directly, though collection admins that are automatically inherited from a parent collection can't be removed.
6968

70-
You can assign Microsoft Purview roles to users, security groups and service principals from your Azure Active Directory that is associated with your purview account's subscription.
69+
You can assign roles to users, security groups, and service principals from your Azure Active Directory that is associated with your subscription.
7170

7271
## Assign permissions to your users
7372

74-
After creating a Microsoft Purview account, the first thing to do is create collections and assign users to roles within those collections.
73+
After creating a Microsoft Purview (formerly Azure Purview) account, the first thing to do is create collections and assign users to roles within those collections.
7574

7675
> [!NOTE]
77-
> If you created your Microsoft Purview account using a service principal, to be able to access the Microsoft Purview governance portal and assign permissions to users, you will need to grant a user collection admin permissions on the root collection.
76+
> If you created your account using a service principal, to be able to access the Microsoft Purview governance portal and assign permissions to users, you will need to grant a user collection admin permissions on the root collection.
7877
> You can use [this Azure CLI command](/cli/azure/purview/account#az-purview-account-add-root-collection-admin):
7978
>
8079
> ```azurecli
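Review bot: On new line 59, "Open your account in the [Azure portal]" loses the product name, and next to "Azure portal" a reader can take "your account" to mean their Azure account rather than the Microsoft Purview account resource; keep "Open your Microsoft Purview account" there. The same applies to line 69, where "associated with your subscription" no longer says which subscription is meant. "(formerly Azure Purview)" is also added on both line 61 and line 73, and one mention is enough.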
@@ -84,7 +83,7 @@ After creating a Microsoft Purview account, the first thing to do is create coll
8483
8584
### Create collections
8685
87-
Collections can be customized for structure of the sources in your Microsoft Purview account, and can act like organized storage bins for these resources. When you're thinking about the collections you might need, consider how your users will access or discover information. Are your sources broken up by departments? Are there specialized groups within those departments that will only need to discover some assets? Are there some sources that should be discoverable by all your users?
86+
Collections can be customized for structure of the sources in your Microsoft Purview Data Map, and can act like organized storage bins for these resources. When you're thinking about the collections you might need, consider how your users will access or discover information. Are your sources broken up by departments? Are there specialized groups within those departments that will only need to discover some assets? Are there some sources that should be discoverable by all your users?
8887
8988
This will inform the collections and subcollections you may need to most effectively organize your data map.
9089
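Review bot: The rewritten line 86 keeps the phrase "customized for structure of the sources", which is missing an article; "customized for the structure of the sources in your Microsoft Purview Data Map" reads correctly and can be fixed in the same edit.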
@@ -98,9 +97,9 @@ Now that we have a base understanding of collections, permissions, and how they
9897
9998
:::image type="content" source="./media/catalog-permissions/collection-example.png" alt-text="Chart showing a sample collections hierarchy broken up by region and department." border="true":::
10099
101-
This is one way an organization might structure their data: Starting with their root collection (Contoso, in this example) collections are organized into regions, and then into departments and subdepartments. Data sources and assets can be added to any one these collections to organize data resources by these regions and department, and manage access control along those lines. There's one subdepartment, Revenue, that has strict access guidelines, so permissions will need to be tightly managed.
100+
This is one way an organization might structure their data: Starting with their root collection (Contoso, in this example) collections are organized into regions, and then into departments and subdepartments. Data sources and assets can be added to any one these collections to organize data resources by these regions and department, and manage access control along those lines. There's one subdepartment, Revenue, that has strict access guidelines so permissions will need to be tightly managed.
102101
103-
The [data reader role](#roles) can access information within the catalog, but not manage or edit it. So for our example above, adding the Data Reader permission to a group on the root collection and allowing inheritance will give all users in that group reader permissions on Microsoft Purview sources and assets. This makes these resources discoverable, but not editable, by everyone in that group. [Restricting inheritance](how-to-create-and-manage-collections.md#restrict-inheritance) on the Revenue group will control access to those assets. Users who need access to revenue information can be added separately to the Revenue collection.
102+
The [data reader role](#roles) can access information within the catalog, but not manage or edit it. So for our example above, adding the Data Reader permission to a group on the root collection and allowing inheritance will give all users in that group reader permissions on sources and assets in the Microsoft Purview Data Map. This makes these resources discoverable, but not editable, by everyone in that group. [Restricting inheritance](how-to-create-and-manage-collections.md#restrict-inheritance) on the Revenue group will control access to those assets. Users who need access to revenue information can be added separately to the Revenue collection.
104103
Similarly with the Data Curator and Data Source Admin roles, permissions for those groups will start at the collection where they're assigned and trickle down to subcollections that haven't restricted inheritance. Below we have assigned permissions for several groups at collections levels in the Americas sub collection.
105104
106105
:::image type="content" source="./media/catalog-permissions/collection-permissions-example.png" alt-text="Chart showing a sample collections hierarchy broken up by region and department showing permissions distribution." border="true":::
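Review bot: New line 102 says restricting inheritance "on the Revenue group", but in this example Revenue is a collection (the last sentence of the same paragraph says "the Revenue collection"), and inheritance is restricted on a collection, so change it to "on the Revenue collection". On line 100 the edit drops the comma before "so" in "strict access guidelines so permissions will need to be tightly managed", and "any one these collections" is still missing "of".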
@@ -113,7 +112,7 @@ For full instructions, see our [how-to guide for adding role assignments](how-to
113112
114113
## Administrator change
115114
116-
There may be a time when your [root collection admin](#roles) needs to change. By default, the user who creates the Microsoft Purview account is automatically assigned collection admin to the root collection. To update the root collection admin, there are three options:
115+
There may be a time when your [root collection admin](#roles) needs to change. By default, the user who creates the account is automatically assigned collection admin to the root collection. To update the root collection admin, there are three options:
117116
118117
- You can [assign permissions through the portal](how-to-create-and-manage-collections.md#add-role-assignments) as you have for any other role.
119118
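Review bot: On new line 115, "the user who creates the account" is the first mention of an account under the "Administrator change" heading, so a reader who lands on this section directly has no antecedent for it; keep "Microsoft Purview account" here. "assigned collection admin to the root collection" would also read better as "assigned the collection admin role on the root collection".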
@@ -127,7 +126,7 @@ There may be a time when your [root collection admin](#roles) needs to change. B
127126
128127
## Next steps
129128
130-
Now that you have a base understanding of collections, and access control, follow the guides below to create and manage those collections, or get started with registering sources into your Microsoft Purview Resource.
129+
Now that you have a base understanding of collections, and access control, follow the guides below to create and manage those collections, or get started with registering sources into your Microsoft Purview Data Map.
131130
132131
- [How to create and manage collections](how-to-create-and-manage-collections.md)
133-
- [Microsoft Purview supported data sources](azure-purview-connector-overview.md)
132+
- [Supported data sources in the Microsoft Purview Data Map](azure-purview-connector-overview.md)
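Review bot: On new line 132 the link text changes to "Supported data sources in the Microsoft Purview Data Map" while the target stays azure-purview-connector-overview.md; confirm that article's title is updated in the same pull request so the link text matches it. Line 129 still carries a stray comma in "collections, and access control".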
