articles/purview/how-to-enable-data-use-governance.md
Lines changed: 7 additions & 4 deletions
@@ -6,7 +6,7 @@ ms.author: vlrodrig
6
6
ms.service: purview
7
7
ms.subservice: purview-data-policies
8
8
ms.topic: how-to
9
-
ms.date: 3/07/2022
9
+
ms.date: 3/24/2022
10
10
ms.custom:
11
11
---
12
12
@@ -56,8 +56,12 @@ To disable data use governance for a source, resource group, or subscription, a
56
56
57
57
1. Set the **Data use governance** toggle to **Disabled**.
58
58
59
+
## Delegation of access control responsibility to Azure Purview
60
+
Note:
61
+
1. Once a resource has been enabled for *Data use Governance*, **any** Azure Purview *policy author* will be able to create access policies against it, and **any** Azure Purview *Data source admin* will be able to publish those policies at **any point afterwards**.
62
+
1. **Any** Azure Purview *root collection admin* can create **new***Data Source Admin* and *Policy author* roles.
59
63
60
-
### Important considerations related to Data use governance
64
+
##Additional considerations related to Data use governance
61
65
- Make sure you write down the **Name** you use when registering in Azure Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
62
66
- To disable a source for *Data use governance*, remove it first from being bound (i.e. published) in any policy.
63
67
- While user needs to have both data source *Owner* and Azure Purview *Data source admin* to enable a source for *Data use governance*, either of those roles can independently disable it.
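Review bot: The added heading `##Additional considerations related to Data use governance` has no space after `##`, so it will not render as a heading in most Markdown processors; write `## Additional considerations ...`, matching the `## Data use governance best practices` heading fixed later in this same commit. In the new delegation section, `**new***Data Source Admin*` is missing a space between the bold and italic spans, both list items hang under a bare `Note:` line, and the names are capitalized inconsistently (*Data use Governance* vs *Data use governance*, *Data Source Admin* vs *Data source admin*). Because the section tells readers that any policy author can create policies, any data source admin can publish them at any later point, and any root collection admin can create those roles, it would help to add one sentence advising readers to review who holds these three roles before enabling a resource.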
@@ -68,7 +72,7 @@ To disable data use governance for a source, resource group, or subscription, a
68
72
> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.
69
73
> - Once a subscription gets disabled for *Data use governance* any underlying assets that are enabled for *Data use governance* will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that.
70
74
71
-
###Data use governance best practices
75
+
## Data use governance best practices
72
76
- We highly encourage registering data sources for *Data use governance* and managing all associated access policies in a single Azure Purview account.
73
77
- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
74
78
-**Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.
@@ -78,7 +82,6 @@ To disable data use governance for a source, resource group, or subscription, a
78
82
79
83

80
84
81
-
82
85
## Next steps
83
86
84
87
-[Create data owner policies for your resources](how-to-data-owner-policy-authoring-generic.md)
articles/purview/includes/access-policies-configuration-generic.md
Lines changed: 1 addition & 0 deletions
@@ -41,3 +41,4 @@ Check the section on managing Azure Purview role assignments in this [guide](../
41
41
> **Known issues** related to permissions
42
42
> - In addition to Azure Purview *Policy authors* role, user requires *Directory Reader* permission in Azure Active Directory to create data owner policy. Learn more about permissions for [Azure AD Directory Reader](../../active-directory/roles/permissions-reference.md#directory-readers)
43
43
> - Azure Purview *Policy author* role is not sufficient to create policies. It also requires Azure Purview *Data source admin* role as well.
44
+
> - An issues has been reported when IAM Owner, which is required to enable Data use governance, is not directly applied to the data resource but instead inherited from a management group or a subscription. This issue is currently under investigation.
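Review bot: The added known-issue bullet says "An issues has been reported" but never states what the issue is; describe the observed symptom when Owner is inherited from a management group or subscription instead of being applied directly to the data resource. Also fix the grammar to "An issue has been reported", and use the same role wording as the rest of the docs (the how-to article in this commit calls it data source *Owner*, this line calls it "IAM Owner"). If applying Owner directly on the resource avoids the problem, say so explicitly so readers do not have to infer the workaround.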