exapand on arc-enabled-sql

Author: inward-eye

articles/purview/how-to-policies-data-owner-arc-sql-server.md

@@ -44,11 +44,9 @@ Register each data source with Microsoft Purview to later define access policies
 
 1. Select **Register** or **Apply** at the bottom
 
-Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this picture. 
+Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this picture.
 ![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-arc-sql.png)
 
-> [!Note]
-> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently for *Data Use Management* to provide their App ID. See this document on how to create policies at resource group or subscription level: [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md).
 
 ## Create and publish a data owner policy
 

articles/purview/how-to-policies-data-owner-resource-group.md

@@ -6,7 +6,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: how-to
-ms.date: 10/10/2022
+ms.date: 11/14/2022
 ms.custom: event-tier1-build-2022
 ---
 
@@ -22,10 +22,10 @@ In this guide we cover how to register an entire resource group or subscription
 
 **Only these data sources are enabled for access policies on resource group or subscription**. Follow the **Prerequisites** section that is specific to the data source(s) in these guides:
 * [Data owner policies on an Azure Storage account](./how-to-policies-data-owner-storage.md#prerequisites)
-* [Data owner policies on an Azure SQL Database](./how-to-policies-data-owner-azure-sql-db.md#prerequisites)*
-* [Data owner policies on an Arc-enabled SQL Server](./how-to-policies-data-owner-arc-sql-server.md#prerequisites)*
+* [Data owner policies on an Azure SQL Database](./how-to-policies-data-owner-azure-sql-db.md#prerequisites)(*)
+* [Data owner policies on an Arc-enabled SQL Server](./how-to-policies-data-owner-arc-sql-server.md#prerequisites)(*)
 
-(*) Only the *SQL Performance monitoring* and *Security auditing* actions are fully supported for SQL-type data sources. The *Read* action needs a workaround described later in this guide. The *Modify* action is not currently supported for SQL-type data sources.
+(*) The *Modify* action is not currently supported for SQL-type data sources.
 
 ## Microsoft Purview configuration
 [!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
@@ -44,7 +44,8 @@ In the end, your resource will have the  **Data Use Management** toggle **Enable
 ![Screenshot shows how to register a resource group or subscription for policy by toggling the enable tab in the resource editor.](./media/how-to-policies-data-owner-resource-group/register-resource-group-for-policy.png)
 
 >[!Important]
-> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently for *Data use management* to provide their App ID.
+> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* to provide their App ID: [See this document](./how-to-policies-data-owner-arc-sql-server.md#register-data-sources-in-microsoft-purview).
+
 
 ## Create and publish a data owner policy
 Execute the steps in the **Create a new policy** and **Publish a policy** sections of the [data-owner policy authoring tutorial](./how-to-policies-data-owner-authoring-generic.md#create-a-new-policy). The result will be a data owner policy similar to the example shown in the image: a policy that provides security group *sg-Finance* *modify* access to resource group *finance-rg*. Use the Data source box in the Policy user experience.
@@ -55,9 +56,6 @@ Execute the steps in the **Create a new policy** and **Publish a policy** sectio
 > - Publish is a background operation. For example, Azure Storage accounts can take up to **2 hours** to reflect the changes.
 > - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.
 
->[!Warning]
-> **Known Issues**
-> - No implicit connect permission is provided to SQL type data sources (e.g.: Azure SQL DB, SQL server on Azure Arc-enabled servers) when creating a policy with *Read* action on a resource group or subscription. To support this scenario, provide the connect permission to the Azure AD principals locally, i.e. directly in the SQL-type data sources.
 
 ## Additional information
 - Creating a policy at subscription or resource group level will enable the Subjects to access Azure Storage system containers,  for example, *$logs*. If this is undesired, first scan the data source and then create finer-grained policies for each (that is, at container or sub-container level).

articles/purview/register-scan-azure-arc-enabled-sql-server.md

@@ -160,14 +160,49 @@ To create and run a new scan, do the following:
 
 ### Supported policies
 The following types of policies are supported on this data resource from Microsoft Purview:
-* [DevOps policies](how-to-policies-devops-arc-sql-server.md)
-* [Data Owner](how-to-policies-data-owner-arc-sql-server.md)
+- [DevOps policies](concept-policies-devops.md)
+- [Data owner policies](concept-policies-data-owner.md)
+
+### Access policy pre-requisites on Arc enabled SQL Server
+[!INCLUDE [Access policies Arc enabled SQL Server pre-requisites](./includes/access-policies-prerequisites-arc-sql-server.md)]
+
+### Configure the Microsoft Purview account for policies
+[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
+
+### Register the data source and enable Data use management
+The Arc-enabled SQL Server data source needs to be registered first with Microsoft Purview, before policies can be created.
+
+1. Sign in to Microsoft Purview Studio.
+
+1. Navigate to the **Data map** feature on the left pane, select **Sources**, then select **Register**. Type "Azure Arc" in the search box and select **SQL Server on Azure Arc**. Then select **Continue**
+![Screenshot shows how to select a source for registration.](./media/how-to-policies-data-owner-sql/select-arc-sql-server-for-registration.png)
+
+1. Enter a **Name** for this registration. It is best practice to make the name of the registration the same as the server name in the next step.
+
+1. select an **Azure subscription**, **Server name** and **Server endpoint**.
+
+1. **Select a collection** to put this registration in. 
+
+1. Enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md)
+
+1. Upon enabling Data Use Management, Microsoft Purview will automatically capture the **Application ID** of the App Registration related to this Arc-enabled SQL server. Come back to this screen and hit the refresh button on the side of it to refresh, in case the association between the Arc-enabled SQL server and the App Registration changes in the future.
+
+1. Select **Register** or **Apply** at the bottom
+
+Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this picture. 
+![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-arc-sql.png)
+
+### Create a policy
+To create an access policy for Arc-enabled SQL Server, follow these guides:
+* [DevOps policy on a single Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md#create-a-new-devops-policy)
+* [Data owner policy on a single Arc-enabled SQL Server](./how-to-policies-data-owner-arc-sql-server.mdmd#create-and-publish-a-data-owner-policy) - This guide will allow you to provision access on a single Arc-enabled SQL Server in your subscription.
+* [Data owner policy covering all sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to provision access on all enabled data sources in a resource group, or across an Azure subscription. The pre-requisite is that the subscription or resource group is registered with the Data use management option enabled.
 
 
 ## Next steps
 
 Now that you have registered your source, follow the below guides to learn more about Microsoft Purview and your data.
-
+- [DevOps policies in Microsoft Purview](concept-policies-devops.md)
 - [Data Estate Insights in Microsoft Purview](concept-insights.md)
 - [Lineage in Microsoft Purview](catalog-lineage-user-guide.md)
 - [Search Data Catalog](how-to-search-catalog.md)