MicrosoftDocs
diff --git a/‎articles/purview/how-to-data-owner-policy-authoring-generic.md
Lines changed: 61 additions & 43 deletions b/‎articles/purview/how-to-data-owner-policy-authoring-generic.md
Lines changed: 61 additions & 43 deletions
diff --git a/‎articles/purview/how-to-enable-data-use-governance.md
Lines changed: 93 additions & 0 deletions b/‎articles/purview/how-to-enable-data-use-governance.md
Lines changed: 93 additions & 0 deletions
diff --git a/‎articles/purview/includes/authentication-to-enumerate-resources.md
Lines changed: 13 additions & 0 deletions b/‎articles/purview/includes/authentication-to-enumerate-resources.md
Lines changed: 13 additions & 0 deletions
@@ -6,39 +6,56 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: how-to
-ms.date: 2/22/2022
-ms.custom:
+ms.date: 2/24/2022
 ---
 
-# Authoring and publishing data owner access policies (preview)
-This tutorial describes how a data owner can create, update and publish access policies in Azure Purview.
+# Authoring and publishing data owner access policies (Preview)
+
+[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
+
+Access policies allow data owners to manage access to datasets from Azure Purview. Data owners can monitor and manage data use from within the Azure Purview Studio, without directly modifying the resource where the data is housed.
+
+This tutorial describes how a data owner can create, update, and publish access policies in Azure Purview.
 
 ## Prerequisites
-The following actions are needed before authoring access policies in Azure Purview:
-1. Configure permissions in the data source and in Azure Purview
-1. Register the data source in Azure Purview for Data Use Governance
 
-These tutorials list the pre-requisites of supported data sources
-- [Azure Storage](./tutorial-data-owner-policies-storage.md#configuration)
-- [Resource Groups and Subscriptions](./tutorial-data-owner-policies-resource-group.md#configuration)
+### Required permissions
+
+>[!IMPORTANT]
+> - Currently, policy operations are only supported at **root collection level** and not child collection level.
+
+- User needs Azure Purview *Data source administrator* role at the root collection level to:
+  - Register a data source, resource group or subscription for *Data use governance*.
+  - Publish a policy.
+- User needs Azure Purview *Policy authors* role at root collection level to create or edit policies.
+
+For more information, see the guide on [managing Azure Purview role assignments](catalog-permissions.md#assign-permissions-to-your-users).
+
+### Source configuration
+
+To apply these policies to data sources in your environment, you'll need to configure your sources.
+
+1. Your source needs to already be registered to Azure Purview. To register a resource, follow the **Prerequisites** and **Register** sections of the [source pages](azure-purview-connector-overview.md) for your resources.
+1. [Enable data use governance on your resource](how-to-enable-data-use-governance.md#enable-data-use-governance).
+1. Follow any policy-specific prerequisites for your source. Check the [Azure Purview supported data sources table](azure-purview-connector-overview.md#azure-purview-data-sources) and select the link in the **Access Policy** column for sources where access policies are available. Follow any steps listed in the Access policy or Prerequisites sections.
 
 ## Create a new policy
 
 This section describes the steps to create a new policy in Azure Purview.
 
-1. Sign in to Azure Purview Studio.
+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
 
 1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
 
 1. Select the **New Policy** button in the policy page.
 
-    ![Image shows how a data owner can access the Policy functionality in Azure Purview when it wants to create policies.](./media/access-policies-common/policy-onboard-guide-1.png)
+    :::image type="content" source="./media/access-policies-common/policy-onboard-guide-1.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to create policies.":::
 
 1. The new policy page will appear. Enter the policy **Name** and **Description**.
 
 1. To add policy statements to the new policy, select the **New policy statement** button. This will bring up the policy statement builder.
 
-    ![Image shows how a data owner can create a new policy statement.](./media/access-policies-common/create-new-policy.png)
+    :::image type="content" source="./media/access-policies-common/create-new-policy.png" alt-text="Data owner can create a new policy statement.":::
 
 1. Select the **Effect** button and choose *Allow* from the drop-down list.
 
@@ -50,63 +67,64 @@ This section describes the steps to create a new policy in Azure Purview.
     - To create a broad policy statement that covers an entire data source, resource group, or subscription that was previously registered, use the **Data sources** box and select its **Type**.
     - To create a fine-grained policy, use the **Assets** box instead. Enter the **Data Source Type** and the **Name** of a previously registered and scanned data source. See example in the image.
 
-    ![Image shows how a data owner can select a Data Resource when editing a policy statement.](./media/access-policies-common/select-data-source-type.png)
+    :::image type="content" source="./media/access-policies-common/select-data-source-type.png" alt-text="Data owner can select a Data Resource when editing a policy statement.":::
 
-1. Select the **Continue** button and transverse the hierarchy to select and underlying data-object (e.g. folder, file, etc).  Select **Recursive** to apply the policy from that point in the hierarchy down to any child data-objects. Then select the **Add** button. This will take you back to the policy editor.
+1. Select the **Continue** button and transverse the hierarchy to select and underlying data-object (for example: folder, file, etc.).  Select **Recursive** to apply the policy from that point in the hierarchy down to any child data-objects. Then select the **Add** button. This will take you back to the policy editor.
 
-    ![Image shows how a data owner can select the asset when creating or editing a policy statement.](./media/access-policies-common/select-asset.png)
+    :::image type="content" source="./media/access-policies-common/select-asset.png" alt-text="Data owner can select the asset when creating or editing a policy statement.":::
 
 1. Select the **Subjects** button and enter the subject identity as a principal, group, or MSI. Then select the **OK** button. This will take you back to the policy editor
 
-    ![Image shows how a data owner can select the subject when creating or editing a policy statement.](./media/access-policies-common/select-subject.png)
+    :::image type="content" source="./media/access-policies-common/select-subject.png" alt-text="Data owner can select the subject when creating or editing a policy statement.":::
 
 1. Repeat the steps #5 to #11 to enter any more policy statements.
 
-1. Select the **Save** button to save the policy
+1. Select the **Save** button to save the policy.
 
-## Update or delete a policy
+Now that you have created your policy, you will need to publish it for it to become active.
 
-Steps to create a new policy in Azure Purview are as follows.
+## Publish a policy
 
-1. Sign in to Azure Purview Studio.
+A newly created policy is in the **draft** state. The process of publishing associates the new policy with one or more data sources under governance. This is called "binding" a policy to a data source.
 
-1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
+The steps to publish a policy are as follows:
 
-    ![Image shows how a data owner can access the Policy functionality in Azure Purview when it wants to update a policy.](./media/access-policies-common/policy-onboard-guide-2.png)
+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
 
-1. The Policy portal will present the list of existing policies in Azure Purview. Select the policy that needs to be updated.
+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
 
-1. The policy details page will appear, including Edit and Delete options. Select the **Edit** button, which brings up the policy statement builder. Now, any parts of the statements in this policy can be updated. To delete the policy, use the **Delete** button.
+    :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to update a policy by selecting 'Data policies'.":::
 
-    ![Image shows how a data owner can edit or delete a policy statement.](./media/access-policies-common/edit-policy.png)
+1. The Policy portal will present the list of existing policies in Azure Purview. Locate the policy that needs to be published. Select the **Publish** button on the right top corner of the page.
 
-## Publish the policy
+    :::image type="content" source="./media/access-policies-common/publish-policy.png" alt-text="Data owner can publish a policy.":::
 
-A newly created policy is in the draft state. The process of publishing associates the new policy with one or more data sources under governance. This is called "binding" a policy to a data source.
+1. A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the **Publish** button.
 
-The steps to publish a policy are as follows
+    :::image type="content" source="./media/access-policies-common/select-data-sources-publish-policy.png" alt-text="Data owner can select the data source where the policy will be published.":::
 
-1. Sign in to Azure Purview Studio.
+>[!Note]
+> After making changes to a policy, there is no need to publish it again for it to take effect if the data source(s) continues to be the same.
 
-1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
+## Update or delete a policy
 
-    ![Image shows how a data owner can access the Policy functionality in Azure Purview when it wants to publish a policy.](./media/access-policies-common/policy-onboard-guide-2.png)
+Steps to update or delete a policy in Azure Purview are as follows.
 
-1. The Policy portal will present the list of existing policies in Azure Purview. Locate the policy that needs to be published. Select the **Publish** button on the right top corner of the page.
+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
 
-    ![Image shows how a data owner can publish a policy.](./media/access-policies-common/publish-policy.png)
+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
 
-1. A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the **Publish** button.
+    :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to update a policy.":::
 
-    ![Image shows how a data owner can select the data source where the policy will be published.](./media/access-policies-common/select-data-sources-publish-policy.png)
+1. The Policy portal will present the list of existing policies in Azure Purview. Select the policy that needs to be updated.
 
->[!Note]
-> - After making changes to a policy, there is no need to publish it again for it to take effect if the data source(s) continues to be the same.
+1. The policy details page will appear, including Edit and Delete options. Select the **Edit** button, which brings up the policy statement builder. Now, any parts of the statements in this policy can be updated. To delete the policy, use the **Delete** button.
+
+    :::image type="content" source="./media/access-policies-common/edit-policy.png" alt-text="Data owner can edit or delete a policy statement.":::
 
 ## Next steps
-Check blog, demo and related tutorials
 
-* [What's New in Azure Purview at Microsoft Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/what-s-new-in-azure-purview-at-microsoft-ignite-2021/ba-p/2915954)
-* [Demo of data owner access policies for Azure Storage](https://www.youtube.com/watch?v=CFE8ltT19Ss)
-* [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./tutorial-data-owner-policies-resource-group.md)
-* [Enable Azure Purview data owner policies on an Azure Storage account](./tutorial-data-owner-policies-storage.md)
+For specific guides on creating policies, you can follow these tutorials:
+
+- [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./tutorial-data-owner-policies-resource-group.md)
+- [Enable Azure Purview data owner policies on an Azure Storage account](./tutorial-data-owner-policies-storage.md)
@@ -0,0 +1,93 @@
+---
+title: Enabling data use governance on your Azure Purview sources
+description: Step-by-step guide on how to enable data use access for your registered sources.
+author: inward-eye
+ms.author: vlrodrig
+ms.service: purview
+ms.subservice: purview-data-policies
+ms.topic: how-to
+ms.date: 2/24/2022
+ms.custom:
+---
+
+# Enable data use governance on your Azure Purview sources
+
+[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
+
+Data use governance is a feature within your registered Azure Purview resources that lets Azure Purview administrators manage data use from within Azure Purview.
+
+## Prerequisites
+
+To register a data source, resource group, or subscription in Azure Purview with the *Data use Governance* option set, a user needs to have **either one of the following** IAM role combinations on that resource:
+
+- IAM *Owner*
+- Both IAM *Contributor* + IAM *User Access Administrator*
+
+Follow this [guide to configure Azure RBAC role permissions](../role-based-access-control/check-access.md).
+
+
+## Enable data use governance
+
+To enable data use governance for a resource, the resource will first need to be registered in Azure Purview.
+To register a resource, follow the **Prerequisites** and **Register** sections of the [source pages](azure-purview-connector-overview.md) for your resources.
+
+Once you have your resource registered, follow the rest of the steps to enable an individual resource for data use governance.
+
+1. Go to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
+
+1. Select the **Data map** tab in the left menu.
+
+1. Select the **Sources** tab in the left menu.
+
+1. Select the source you want to enable data use governance for.
+
+1. At the top of the source page, select **Edit source**.
+
+1. Enable the data source for data use governance in Azure Purview by setting the **Data use governance** toggle to **Enabled**, as shown in the image below.
+
+    :::image type="content" source="./media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png" alt-text="Set Data use governance toggle to **Enabled** at the bottom of the menu.":::
+
+> [!WARNING]
+> **Known issues** related to source registration:
+>
+> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.
+> - Once a subscription gets disabled for *Data use governance* any underlying assets that are enabled for *Data use governance* will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that.
+
+
+## Disable data use governance
+
+>[!Note]
+>If your resource is currently a part of any active access policy, you will not be able to disable data use governance. First [remove the resource from the policy](how-to-data-owner-policy-authoring-generic.md#update-or-delete-a-policy), then disable data use governance.
+
+To disable data use governance for a source, resource group, or subscription, a user needs to either be a data source **Owner** or an Azure Purview **Data source admin**. Once you have those permissions follow these steps:
+
+1. Go to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
+
+1. Select the **Data map** tab in the left menu.
+
+1. Select the **Sources** tab in the left menu.
+
+1. Select the source you want to disable data use governance for.
+
+1. At the top of the source page, select **Edit source**.
+
+1. Set the **Data use governance** toggle to **Disabled**.
+
+>[!NOTE]
+> Disabling **Data use governance** for a subscription source will disable it also for all assets registered in that subscription.
+
+## Data use governance best practices
+
+- We highly encourage registering data sources for *Data use governance* and managing all associated access policies in a single Azure Purview account.
+- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
+  - **Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.
+  - **Case 2** shows a valid configuration where a Storage account is registered in an Azure Purview account in a different subscription.
+  - **Case 3** shows an invalid configuration arising because Storage accounts S3SA1 and S3SA2 both belong to Subscription 3, but are registered to different Azure Purview accounts. In that case, the *Data use governance* toggle will only work in the Azure Purview account that wins and registers a data source in that subscription first. The toggle will then be greyed out for the other data source.
+
+    :::image type="content" source="./media/access-policies-common/valid-and-invalid-configurations.png" alt-text="Diagram shows valid and invalid configurations when using multiple Azure Purview accounts to manage policies.":::
+
+## Next steps
+
+- [Create data owner policies for your resources](how-to-data-owner-policy-authoring-generic.md)
+- [Enable Azure Purview data owner policies on all data sources in a subscription or a resource group](./tutorial-data-owner-policies-resource-group.md)
+- [Enable Azure Purview data owner policies on an Azure Storage account](./tutorial-data-owner-policies-storage.md)
@@ -0,0 +1,13 @@
+---
+author: whhender
+ms.author: whhender
+ms.service: purview
+ms.topic: include
+ms.date: 02/04/2022
+---
+
+1. Go to the subscription or the resource group in the Azure portal. 
+1. Select **Access Control (IAM)** from the left menu.
+1. Select **+Add**.
+1. In the **Select input** box, select the **Reader** role and enter your Azure Purview account name (which represents its MSI file name).
+1. Select **Save** to finish the role assignment. This will allow Azure Purview to list resources under a subscription or resource group.