Commit 3cb5ed9

committed
how to troubleshoot policies
1 parent c7604d0 commit 3cb5ed9

1 file changed

+20
-15
lines changed

articles/purview/troubleshoot-policy-distribution.md

@@ -13,11 +13,12 @@ ms.date: 11/08/2022
1313

1414
[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
1515

16-
In this tutorial, learn how to programmatically fetch access policies that were created in Microsoft Purview. With this you can troubleshoot the communication of policies between Microsoft Purview, where policies are created and updated, and the data sources on which these policies are enforced.
17-
This guide will use Azure SQL Server as an example of data source.
16+
In this tutorial, learn how to programmatically fetch access policies that were created in Microsoft Purview. With this you can troubleshoot the communication of policies between Microsoft Purview, where policies are created and updated, and the data sources, on which these policies are enforced.
1817

1918
To get the necessary context about Microsoft Purview policies, see concept guides listed in [next-steps](#next-steps).
2019

20+
This guide will use examples for Azure SQL Server as data source.
21+
2122
## Prerequisites
2223

2324
* If you don't have an Azure subscription, [create a free one](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.
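Review bot: The added line 20, "This guide will use examples for Azure SQL Server as data source.", is missing an article and reads less clearly than the sentence it replaces; suggest "This guide uses Azure SQL Server as the example data source." The comma added on line 16 before "on which these policies are enforced" turns a restrictive clause into an aside and is better dropped. Moving the sentence below the next-steps pointer also separates it from the introduction it belongs to, so consider keeping it directly after line 16.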
@@ -61,7 +62,7 @@ where the path /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName
6162
|500|Internal server error|Error|Backend service unavailable|Error data|
6263
|503|Backend service unavailable|Error|Backend service unavailable|Error data|
6364

64-
### Example for Azure SQL Database (Azure SQL Server)
65+
### Example for Azure SQL Server (Azure SQL Database)
6566

6667
##### Example parameters:
6768
- Microsoft Purview account: relecloud-pv
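Review bot: Renaming the heading on line 65 changes the anchor generated from it, so any link that targets the old "Example for Azure SQL Database (Azure SQL Server)" heading will stop resolving; check for inbound links in this file and in other articles before merging. The commit message does not say why the two product names were swapped, and a line of explanation there would help later readers of the history.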
@@ -125,7 +126,7 @@ Provide the syncToken you got from the prior pull in any successive delta pulls.
125126
|500|Internal server error|Error|Backend service unavailable|Error data|
126127
|503|Backend service unavailable|Error|Backend service unavailable|Error data|
127128

128-
### Example for Azure SQL Database (Azure SQL Server)
129+
### Example for Azure SQL Server (Azure SQL Database)
129130

130131
##### Example parameters:
131132
- Microsoft Purview account: relecloud-pv
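Review bot: The heading on line 129 stays word-for-word identical to the one on line 65 after this change, so the two sections produce colliding anchors and cannot be told apart in a table of contents. The hunk context ("Provide the syncToken you got from the prior pull in any successive delta pulls") shows this one belongs to the delta pull section, so consider naming the request in the heading, for example "Example of a delta pull for Azure SQL Server", and doing the equivalent at line 65.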
@@ -144,34 +145,38 @@ https://relecloud-pv.purview.azure.com/pds/subscriptions/b285630c-8185-456b-80ae
144145
```json
145146
{
146147
"count": 2,
147-
"syncToken": "816:0",
148+
"syncToken": "822:0",
148149
"elements": [
149150
{
150-
"eventType": "Microsoft.Purview/PolicyElements/Write",
151-
"id": "6554a0d5-2d18-49fb-b44d-dc26f935fc61",
151+
"eventType": "Microsoft.Purview/PolicyElements/Delete",
152+
"id": "f1f2ecc0-c8fa-473f-9adf-7f7bd53ffdb4",
152153
"scopes": [
153-
"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/providers/Microsoft.AzureArcData/SqlServerInstances/vm-finance"
154+
"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg"
154155
],
155156
"kind": "policyset",
156-
"updatedAt": "2022-11-09T00:46:23.2085292Z",
157+
"updatedAt": "2022-11-04T20:57:20.9389456Z",
157158
"version": 1,
158-
"elementJson": "{\"id\":\"6554a0d5-2d18-49fb-b44d-dc26f935fc61\",\"name\":\"6554a0d5-2d18-49fb-b44d-dc26f935fc61\",\"kind\":\"policyset\",\"version\":1,\"updatedAt\":\"2022-11-09T00:46:23.2085292Z\",\"preconditionRules\":[{\"dnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/providers/Microsoft.AzureArcData/SqlServerInstances/vm-finance/**\"]}]]}],\"policyRefs\":[\"919a18b7-6dfd-4e3c-81c9-3414dcbd0cef\"]}"
159+
"elementJson": "{\"id\":\"f1f2ecc0-c8fa-473f-9adf-7f7bd53ffdb4\",\"name\":\"f1f2ecc0-c8fa-473f-9adf-7f7bd53ffdb4\",\"kind\":\"policyset\",\"version\":1,\"updatedAt\":\"2022-11-04T20:57:20.9389456Z\",\"preconditionRules\":[{\"dnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/**\"]}]]}],\"policyRefs\":[\"9912572d-58bc-4835-a313-b913ac5bef97\"]}"
159160
},
160161
{
161-
"eventType": "Microsoft.Purview/PolicyElements/Write",
162-
"id": "919a18b7-6dfd-4e3c-81c9-3414dcbd0cef",
162+
"eventType": "Microsoft.Purview/PolicyElements/Delete",
163+
"id": "9912572d-58bc-4835-a313-b913ac5bef97",
163164
"scopes": [
164-
"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/providers/Microsoft.AzureArcData/SqlServerInstances/vm-finance"
165+
"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg"
165166
],
166167
"kind": "policy",
167-
"updatedAt": "2022-11-09T00:46:23.2085486Z",
168+
"updatedAt": "2022-11-04T20:57:20.9389522Z",
168169
"version": 1,
169-
"elementJson": "{\"id\":\"919a18b7-6dfd-4e3c-81c9-3414dcbd0cef\",\"name\":\"ArcSQL-Finance_sqlperfmonitor\",\"kind\":\"policy\",\"version\":1,\"updatedAt\":\"2022-11-09T00:46:23.2085486Z\",\"decisionRules\":[{\"kind\":\"decisionrule\",\"effect\":\"Permit\",\"updatedAt\":\"11/09/2022 00:46:23\",\"cnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/providers/Microsoft.AzureArcData/SqlServerInstances/vm-finance/**\"]}],[{\"fromRule\":\"purviewdatarole_builtin_sqlperfmonitor\",\"attributeName\":\"derived.purview.role\",\"attributeValueIncludes\":\"purviewdatarole_builtin_sqlperfmonitor\"}],[{\"attributeName\":\"principal.microsoft.groups\",\"attributeValueIncludedIn\":[\"e119d3ec-8353-4a33-96e7-e1a95680d37d\"]}]]},{\"kind\":\"decisionrule\",\"effect\":\"Permit\",\"id\":\"auto_81cd13c9-0417-4b97-a310-c14009a7c2ed\",\"updatedAt\":\"11/09/2022 00:46:23\",\"cnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/providers/Microsoft.AzureArcData/SqlServerInstances/vm-finance\"]}],[{\"attributeName\":\"request.azure.dataAction\",\"attributeValueIncludedIn\":[\"Microsoft.Sql/sqlservers/Connect\"]}],[{\"attributeName\":\"principal.microsoft.groups\",\"attributeValueIncludedIn\":[\"e119d3ec-8353-4a33-96e7-e1a95680d37d\"]}]]},{\"kind\":\"decisionrule\",\"effect\":\"Permit\",\"id\":\"auto_4b655d27-c8b0-4aa7-aa36-27f95ede2ada\",\"updatedAt\":\"11/09/2022 
00:46:23\",\"cnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/providers/Microsoft.AzureArcData/SqlServerInstances/vm-finance/databases/**\"]}],[{\"attributeName\":\"request.azure.dataAction\",\"attributeValueIncludedIn\":[\"Microsoft.Sql/sqlservers/databases/Connect\"]}],[{\"attributeName\":\"principal.microsoft.groups\",\"attributeValueIncludedIn\":[\"e119d3ec-8353-4a33-96e7-e1a95680d37d\"]}]]}]}"
170+
"elementJson": "{\"id\":\"9912572d-58bc-4835-a313-b913ac5bef97\",\"name\":\"Finance-rg_sqlsecurityauditor\",\"kind\":\"policy\",\"version\":1,\"updatedAt\":\"2022-11-04T20:57:20.9389522Z\",\"decisionRules\":[{\"kind\":\"decisionrule\",\"effect\":\"Permit\",\"updatedAt\":\"11/04/2022 20:57:20\",\"cnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/**\"]}],[{\"fromRule\":\"purviewdatarole_builtin_sqlsecurityauditor\",\"attributeName\":\"derived.purview.role\",\"attributeValueIncludes\":\"purviewdatarole_builtin_sqlsecurityauditor\"}],[{\"attributeName\":\"principal.microsoft.groups\",\"attributeValueIncludedIn\":[\"b29c1676-8d2c-4a81-b7e1-365b79088375\"]}]]},{\"kind\":\"decisionrule\",\"effect\":\"Permit\",\"id\":\"auto_0235e4df-0d3f-41ca-98ed-edf1b8bfcf9f\",\"updatedAt\":\"11/04/2022 20:57:20\",\"cnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/**\"]}],[{\"attributeName\":\"request.azure.dataAction\",\"attributeValueIncludedIn\":[\"Microsoft.Sql/sqlservers/Connect\"]}],[{\"attributeName\":\"principal.microsoft.groups\",\"attributeValueIncludedIn\":[\"b29c1676-8d2c-4a81-b7e1-365b79088375\"]}]]},{\"kind\":\"decisionrule\",\"effect\":\"Permit\",\"id\":\"auto_45fa5236-a2a3-4291-9f0a-813b2883f118\",\"updatedAt\":\"11/04/2022 20:57:20\",\"cnfCondition\":[[{\"attributeName\":\"resource.azure.path\",\"attributeValueIncludedIn\":[\"/subscriptions/b285630c-8185-456b-80ae-97296561303e/resourceGroups/Finance-rg/**\"]}],[{\"attributeName\":\"request.azure.dataAction\",\"attributeValueIncludedIn\":[\"Microsoft.Sql/sqlservers/databases/Connect\"]}],[{\"attributeName\":\"principal.microsoft.groups\",\"attributeValueIncludedIn\":[\"b29c1676-8d2c-4a81-b7e1-365b79088375\"]}]]}]}"
170171
}
171172
]
172173
}
173174
```
174175

176+
In this example, the delta pull communicates that the policy has been deleted
177+
per the "eventType": "Microsoft.Purview/PolicyElements/Delete".
178+
179+
175180
## Policy constructs
176181
There are 3 top-level policy constructs used within the full pull (/policyElements) and delta pull (/policyEvents) requests: PolicySet, Policy and AttributeRule.
177182
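Review bot: The sentence added at lines 176-177 says "the policy has been deleted", but the response above it carries two Delete events, one for the policyset f1f2ecc0-c8fa-473f-9adf-7f7bd53ffdb4 and one for the policy 9912572d-58bc-4835-a313-b913ac5bef97; say that both elements were deleted, and put the eventType pair in code formatting instead of plain quotes. Replacing the Write events outright also leaves the delta pull example without a case that shows a policy being published, which a reader troubleshooting distribution would want to compare against, so consider keeping the Write response and adding the Delete one beside it. The scopes moved from the vm-finance instance to the Finance-rg resource group, so confirm that the example parameters and request URL above the response still match, and drop one of the two blank lines added at 178-179.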
