Merge pull request #216397 from inward-eye/main

updated policies config generic

Author: 19BMG00

articles/purview/how-to-enable-data-use-management.md

@@ -68,8 +68,8 @@ To disable Data use management for a source, resource group, or subscription, a
 
 ## Additional considerations related to Data use management
 - Make sure you write down the **Name** you use when registering in Microsoft Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
-- To disable a source for *Data use management*, remove it first from being bound (i.e. published) in any policy.
-- While user needs to have both data source *Owner* and Microsoft Purview *Data source admin* to enable a source for *Data use management*, either of those roles can independently disable it.
+- To disable a source for *Data use management*, you first have to remove any published policies on that data source.
+- While user needs to have both data source *Owner* and Microsoft Purview *Data source admin* to enable a source for *Data use management*, **any** Data Source admin for the collection can disable it.
 - Disabling *Data use management* for a subscription will disable it also for all assets registered in that subscription.
 
 > [!WARNING]

articles/purview/how-to-policies-data-owner-authoring-generic.md

@@ -36,7 +36,7 @@ Before authoring data policies in the Microsoft Purview governance portal, you'l
 ## Create a new policy
 
 This section describes the steps to create a new policy in Microsoft Purview.
-Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-and-publish-data-owner-policies).
+Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-or-update-access-policies).
 
 1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).
 
@@ -81,7 +81,7 @@ Now that you have created your policy, you will need to publish it for it to bec
 ## Publish a policy
 A newly created policy is in the **draft** state. The process of publishing associates the new policy with one or more data sources under governance. This is called "binding" a policy to a data source.
 
-Ensure you have the *Data Source Admin* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-and-publish-data-owner-policies)
+Ensure you have the *Data Source Admin* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-publish-data-owner-policies)
 
 The steps to publish a policy are as follows:
 
@@ -105,7 +105,7 @@ The steps to publish a policy are as follows:
 ## Update or delete a policy
 
 Steps to update or delete a policy in Microsoft Purview are as follows.
-Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-and-publish-data-owner-policies)
+Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-or-update-access-policies)
 
 1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).
 

articles/purview/includes/access-policies-configuration-generic.md

@@ -4,7 +4,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: include
-ms.date: 10/10/2022
+ms.date: 10/28/2022
 ms.custom:
 ---
 
@@ -17,32 +17,37 @@ This step is needed before a policy can be created in Microsoft Purview for that
 
    Follow this [guide to configure Azure RBAC role permissions](../../role-based-access-control/check-access.md). The following screenshot shows how to access the Access Control section in Azure portal experience for the data resource to add a role assignment:
 
-   ![Screenshot shows how to access Access Control in Azure Portal to add a role assignment](../media/how-to-policies-data-owner-authoring-generic/assign-IAM-permissions.png)
+   ![Screenshot shows how to access Access Control in Azure Portal to add a role assignment.](../media/how-to-policies-data-owner-authoring-generic/assign-IAM-permissions.png)
 
-2) In addition, the same user needs to have Microsoft Purview Data source administrator (DSA) role at the **root collection level**. See the guide on [managing Microsoft Purview role assignments](../catalog-permissions.md#assign-permissions-to-your-users). The following screenshot shows how to assign Data Source Admin at root collection level:
-![Screenshot shows how to assign Data Source Admin at root collection level](../media/how-to-policies-data-owner-authoring-generic/assign-purview-permissions.png)
+2) In addition, the same user needs to have Microsoft Purview Data source administrator (DSA) role for the collection or a parent collection (if inheritance is enabled). See the guide on [managing Microsoft Purview role assignments](../catalog-permissions.md#assign-permissions-to-your-users). The following screenshot shows how to assign Data Source Admin at root collection level:
+![Screenshot shows how to assign Data Source Admin at root collection level.](../media/how-to-policies-data-owner-authoring-generic/assign-purview-permissions.png)
 
->[!IMPORTANT]
-> Currently, Microsoft Purview roles related to access policy operations must be configured at **root collection level**.
+#### Configure Microsoft Purview permissions needed to create or update access policies
+The following permissions are needed in Microsoft Purview at the **root collection level**:
+- *Policy authors* role can create, update and delete DevOps and Data Owner policies
+
+Check the section on managing Microsoft Purview role assignments in this [guide](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
 
-#### Delegation of access provisioning responsibility to roles in Microsoft Purview
 >[!IMPORTANT]
-> - Once a resource has been enabled for *Data Use Management*, **any** Microsoft Purview user with *Policy author* role at root-collection level will be able to provision access to that data source from Microsoft Purview.
-> - The IAM Owner role for a data resource can be inherited from parent resource group, subscription or subscription Management group. Check which AAD users, groups and service principals hold or are inheriting IAM Owner for the resource.
-> - Note that **Any** Microsoft Purview root *Collection admin* can assign **new** users to root-collection *Data Source Admin* and *Policy author* roles. Minimize and carefully vet the users that hold Microsoft Purview *Collection admin*, *Data Source Admin* or *Policy author* roles at root collection level.
-> - If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time dependent on the specific data source. This can have implications both on security and data access availability. The Contributor and Owner roles in IAM are able to delete Microsoft Purview accounts. You can check these permissions by navigating to the Access control (IAM) section for your Microsoft Purview account and selecting **Role Assignments**. You can also place a lock to prevent the Microsoft Purview account from being deleted through [ARM locks](../../azure-resource-manager/management/lock-resources.md).
+> Currently, Microsoft Purview roles related to creating/updating/deleting policies must be configured at **root collection level**.
+
+>[!Note]
+> **Known issues** related to permissions
+> In addition to Microsoft Purview *Policy authors* role, user may need *Directory Reader* permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant. You can check permissions for [Azure AD Directory Reader](../../active-directory/roles/permissions-reference.md#directory-readers).
 
-#### Configure Microsoft Purview permissions needed to create and publish data owner policies
-Data owner policies allow for check and balances if you assign the Microsoft Purview *Policy author* and *Data source admin* roles to different people in the organization. With this, before a data policy takes effect, a second person (the *Data source admin*) must review it and explicitly approve it by publishing it.
+#### Configure Microsoft Purview permissions needed to publish Data Owner policies
+Data owner policies allow for check and balances if you assign the Microsoft Purview *Policy author* and *Data source admin* roles to different people in the organization. With this, before a data policy takes effect, a second person (the *Data source admin*) must review it and explicitly approve it by publishing it. Publishing is automatic once DevOps policies are created/updated so it does not apply to this type of policies.
 The following permissions are needed in Microsoft Purview at the **root collection level**:
-- *Policy authors* role can create or edit policies.
 - *Data source administrator* role can publish a policy.
 
 Check the section on managing Microsoft Purview role assignments in this [guide](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
 
 >[!IMPORTANT]
-> Currently, Microsoft Purview roles related to access policy operations must be configured at **root collection level**.
+> Currently, Microsoft Purview roles related to publishing Data Owner policies must be configured at **root collection level**.
 
->[!Note]
-> **Known issues** related to permissions
-> In addition to Microsoft Purview *Policy authors* role, user may need *Directory Reader* permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant. You can check permissions for [Azure AD Directory Reader](../../active-directory/roles/permissions-reference.md#directory-readers).
+#### Delegation of access provisioning responsibility to roles in Microsoft Purview
+>[!IMPORTANT]
+> - Once a resource has been enabled for *Data use management*, **any** Microsoft Purview user with *Policy author* role at root-collection level will be able to provision access to that data source from Microsoft Purview.
+> - The IAM Owner role for a data resource can be inherited from parent resource group, subscription or subscription Management group. Check which AAD users, groups and service principals hold or are inheriting IAM Owner for the resource.
+> - Note that **Any** Microsoft Purview root *Collection admin* can assign **new** users to root *Policy author* roles. **Any** *Collection admin* can assign **new** users to *Data Source Admin* under the collection. Minimize and carefully vet the users that hold Microsoft Purview *Collection admin*, *Data Source Admin* or *Policy author* roles.
+> - If a Microsoft Purview account with published policies is deleted, such policies will stop being enforced within an amount of time dependent on the specific data source. This can have implications both on security and data access availability. The Contributor and Owner roles in IAM are able to delete Microsoft Purview accounts. You can check these permissions by navigating to the Access control (IAM) section for your Microsoft Purview account and selecting **Role Assignments**. You can also place a lock to prevent the Microsoft Purview account from being deleted through [ARM locks](../../azure-resource-manager/management/lock-resources.md).