MicrosoftDocs
diff --git a/‎articles/purview/media/tutorial-data-owner-policies-storage/register-storage-source.png
60.3 KB b/‎articles/purview/media/tutorial-data-owner-policies-storage/register-storage-source.png
60.3 KB
diff --git a/‎articles/purview/media/tutorial-data-owner-policies-storage/select-azure-blob-storage.png
42.9 KB b/‎articles/purview/media/tutorial-data-owner-policies-storage/select-azure-blob-storage.png
42.9 KB
diff --git a/‎articles/purview/tutorial-data-owner-policies-storage.md
Lines changed: 136 additions & 48 deletions b/‎articles/purview/tutorial-data-owner-policies-storage.md
Lines changed: 136 additions & 48 deletions
@@ -1,94 +1,182 @@
 ---
-title: Access provisioning by data owner to Azure Storage datasets
-description: Step-by-step guide showing how data owners can create access policies to datasets in Azure Storage
+title: Tutorial to provision access for Azure Storage
+description: This tutorial describes how a data owner can create access policies for Azure Storage resources.
 author: inward-eye
 ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: tutorial
-ms.date: 03/14/2022
-ms.custom:
+ms.date: 04/07/2022
 ---
 
 # Tutorial: Access provisioning by data owner to Azure Storage datasets (preview)
 
 [!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
 
-This tutorial describes how a data owner can leverage Azure Purview to enable access to datasets in Azure Storage. At this point, only the following data sources are supported:
-- Blob storage
-- Azure Data Lake Storage (ADLS) Gen2
+[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
+
+[Policies](concept-data-owner-policies.md) in Azure Purview allow you to enable access to data sources that have been registered to a collection. This tutorial describes how a data owner can leverage Azure Purview to enable access to datasets in Azure Storage though Azure Purview.
 
 In this tutorial, you learn how to:
 > [!div class="checklist"]
-> * Prerequisites
-> * Configure permissions
-> * Register a data asset for Data use governance
-> * Create and publish a policy
+> * Prepare your Azure environment
+> * Configure permissions to allow Azure Purview to connect to your resources
+> * Register your Azure Storage resource for data use governance
+> * Create and publish a policy for your resource group or subscription
 
 ## Prerequisites
+
 [!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
 
 [!INCLUDE [Azure Storage specific pre-requisites](./includes/access-policies-prerequisites-storage.md)]
 
 ## Configuration
 [!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
 
-### Register the data sources in Azure Purview for Data use governance
-Register and scan each Storage account with Azure Purview to later define access policies. You can follow these guides:
+### Register the data sources in Azure Purview for data use governance
+
+Your Azure Storage account needs to be registered in Azure Purview to later define access policies, and during registration we will enable data use governance. **Data use governance** is an available feature in Azure Purview that allows users to manage access to a resource from within Azure Purview. This allows you to centralize data discovery and access management, however it is a feature that directly impacts your data security.
+
+> [!WARNING]
+> Before enabling data use governance for any of your resources, read through our [data use governance article](how-to-enable-data-use-governance.md)
+>
+> This article includes data use governance best practices to help you ensure that your information is secure.
+
+
+To register your resource and enable data use governance, follow these steps:
+
+> [!Note]
+> You need to be an owner of the subscription or resource group to be able to add a managed identity on an Azure resource.
+
+1. From the [Azure portal](https://portal.azure.com), find the Azure Blob storage account that you would like to register.
+
+<!--- Migrate image --->
+   :::image type="content" source="media/register-scan-azure-blob-storage-source/register-blob-storage-acct.png" alt-text="Screenshot that shows the storage account":::
+
+1. Select **Access Control (IAM)** in the left navigation and then select **+ Add** --> **Add role assignment**
+
+<!--- Migrate image --->
+   :::image type="content" source="media/register-scan-azure-blob-storage-source/register-blob-access-control.png" alt-text="Screenshot that shows the access control for the storage account":::
+
+1. Set the **Role** to **Storage Blob Data Reader** and enter your _Azure Purview account name_ under the **Select** input box. Then, select **Save** to give this role assignment to your Azure Purview account.
+
+<!--- Migrate image --->
+   :::image type="content" source="media/register-scan-azure-blob-storage-source/register-blob-assign-permissions.png" alt-text="Screenshot that shows the details to assign permissions for the Azure Purview account":::
+
+1. If you have a firewall enabled on your Storage account, follow these steps as well:
+    1. Go into your Azure Storage account in [Azure portal](https://portal.azure.com)
+    1. Navigate to **Security + networking > Networking**
+    1. Choose **Selected Networks** under **Allow access from**
+    1. In the **Exceptions** section, select **Allow trusted Microsoft services to access this storage account** and select **Save**
+        <!--- Migrate image --->
+       :::image type="content" source="media/register-scan-azure-blob-storage-source/register-blob-permission.png" alt-text="Screenshot that shows the exceptions to allow trusted Microsoft services to access the storage account":::
+
+1. Once you have set up authentication for , go to the [Azure Purview Studio](https://web.purview.azure.com/).
+1. Select **Data Map** on the left menu.
+1. Select **Register**.
+1. On **Register sources**, select **Azure Blob Storage**.
+
+   :::image type="content" source="media/tutorial-data-owner-policies-storage/select-azure-blob-storage.png" alt-text="Screenshot that shows the tile for Azure Multiple on the screen for registering multiple sources.":::
+
+1. Select **Continue**.
+1. On the **Register sources (Azure)** screen, do the following:
+   1. In the **Name** box, enter a friendly name that the data source will be listed with in the catalog. 
+   1. In the **Subscription** dropdown list boxes, select the subscription where your storage account is housed. Then select your storage account under **Storage account name**. In **Select a collection** select the collection where you'd like to register your Azure Storage account.
+   
+      :::image type="content" source="media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows the boxes for selecting a storage account.":::
+
+   1. In the **Select a collection** box, select a collection or create a new one (optional).
+   1. Set the *Data use governance* toggle to **Enabled**, as shown in the image below.
+
+       :::image type="content" source="./media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows Data use governance toggle set to active on the registered resource page.":::
+
+        >[!TIP]
+        >If the data use governance toggle is greyed out and unable to be selected:
+        > 1. Confirm you have followed all prerequisites to enable Data use governance across your resources.
+        > 1. Confirm that you have selected a subscription or a resource group to be registered.
+        > 1. It may be that this resource is already registered in another Azure Purview account. Hover over it to know the name of the Azure Purview account that has registered the data resource.first.
+
+   1. Select **Register** to register the resource group or subscription with Azure Purview with data use governance enabled.
+
+>[!TIP]
+> For more information about data use governance, including best practices or known issues, see our [data use governance article](how-to-enable-data-use-governance.md).
 
--   [Register and scan Azure Storage Blob - Azure Purview](register-scan-azure-blob-storage-source.md)
+## Create a data owner policy
 
--   [Register and scan Azure Data Lake Storage (ADLS) Gen2 - Azure Purview](register-scan-adls-gen2.md)
+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
 
-Follow this link to [Enable the data source for access policies](./how-to-enable-data-use-governance.md) in Azure Purview by setting the **Data use governance** toggle to **Enabled**, as shown in the picture.
+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
 
-![Image shows how to register a data source for policy.](./media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png)
+1. Select the **New Policy** button in the policy page.
 
-## Create and publish a data owner policy
-Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides group *Contoso Team* *read* access to Storage account *marketinglake1*:
+    :::image type="content" source="./media/access-policies-common/policy-onboard-guide-1.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to create policies.":::
+
+1. The new policy page will appear. Enter the policy **Name** and **Description**.
+
+1. To add policy statements to the new policy, select the **New policy statement** button. This will bring up the policy statement builder.
+
+    :::image type="content" source="./media/access-policies-common/create-new-policy.png" alt-text="Data owner can create a new policy statement.":::
+
+1. Select the **Effect** button and choose *Allow* from the drop-down list.
+
+1. Select the **Action** button and choose *Read* or *Modify* from the drop-down list.
+
+1. Select the **Data Resources** button to bring up the window to enter Data resource information, which will open to the right.
+
+1. Under the **Data Resources** Panel do one of two things depending on the granularity of the policy:
+    - To create a broad policy statement that covers an entire data source, resource group, or subscription that was previously registered, use the **Data sources** box and select its **Type**.
+    - To create a fine-grained policy, use the **Assets** box instead. Enter the **Data Source Type** and the **Name** of a previously registered and scanned data source. See example in the image.
+
+    :::image type="content" source="./media/access-policies-common/select-data-source-type.png" alt-text="Data owner can select a Data Resource when editing a policy statement.":::
+
+1. Select the **Continue** button and transverse the hierarchy to select and underlying data-object (for example: folder, file, etc.).  Select **Recursive** to apply the policy from that point in the hierarchy down to any child data-objects. Then select the **Add** button. This will take you back to the policy editor.
+
+    :::image type="content" source="./media/access-policies-common/select-asset.png" alt-text="Data owner can select the asset when creating or editing a policy statement.":::
+
+1. Select the **Subjects** button and enter the subject identity as a principal, group, or MSI. Then select the **OK** button. This will take you back to the policy editor
+
+    :::image type="content" source="./media/access-policies-common/select-subject.png" alt-text="Data owner can select the subject when creating or editing a policy statement.":::
+
+1. Repeat the steps #5 to #11 to enter any more policy statements.
+
+1. Select the **Save** button to save the policy.
 
 ![Image shows a sample data owner policy giving access to an Azure Storage account.](./media/tutorial-data-owner-policies-storage/data-owner-policy-example-storage.png)
 
+## Publish a data owner policy
+
+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
+
+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
+
+    :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to update a policy by selecting 'Data policies'.":::
+
+1. The Policy portal will present the list of existing policies in Azure Purview. Locate the policy that needs to be published. Select the **Publish** button on the right top corner of the page.
+
+    :::image type="content" source="./media/access-policies-common/publish-policy.png" alt-text="Data owner can publish a policy.":::
+
+1. A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the **Publish** button.
+
+    :::image type="content" source="./media/access-policies-common/select-data-sources-publish-policy.png" alt-text="Data owner can select the data source where the policy will be published.":::
 
 >[!Important]
 > - Publish is a background operation. It can take up to **2 hours** for the changes to be reflected in Storage account(s).
 
+## Clean up resources
 
-## Additional information
-- Policy statements set below container level on a Storage account are supported. If no access has been provided at Storage account level or container level, then the App that requests the data must execute a direct access by providing a fully qualified name to the data object. If the App attempts to crawl down the hierarchy starting from the Storage account or Container, and there is no access at that level, the request will fail. The following documents show examples of how to do perform a direct access. See also blogs in the *Next steps* section of this tutorial.
-  - [*abfs* for ADLS Gen2](../hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md#access-files-from-the-cluster)
-  - [*az storage blob download* for Blob Storage](../storage/blobs/storage-quickstart-blobs-cli.md#download-a-blob)
-- Creating a policy at Storage account level will enable the Subjects to access system containers e.g., *$logs*.  If this is undesired, first scan the data source(s) and then create finer-grained policies for each (i.e., at container or sub-container level).
-
+To delete a policy in Azure Purview, follow these steps:
 
-### Limits
-- The limit for Azure Purview policies that can be enforced by Storage accounts is 100MB per subscription, which roughly equates to 5000 policies.
+1. Sign in to the [Azure Purview Studio](https://web.purview.azure.com/resource/).
 
-### Known issues
+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.
 
-> [!Warning]
-> **Known issues** related to Policy creation
-> - Do not create policy statements based on Azure Purview resource sets. Even if displayed in Azure Purview policy authoring UI, they are not yet enforced. Learn more about [resource sets](concept-resource-sets.md).
+    :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Data owner can access the Policy functionality in Azure Purview when it wants to update a policy.":::
 
-### Policy action mapping
+1. The Policy portal will present the list of existing policies in Azure Purview. Select the policy that needs to be updated.
 
-This section contains a reference of how actions in Azure Purview data policies map to specific actions in Azure Storage.
+1. The policy details page will appear, including Edit and Delete options. Select the **Edit** button, which brings up the policy statement builder. Now, any parts of the statements in this policy can be updated. To delete the policy, use the **Delete** button.
 
-| **Azure Purview policy action** | **Data source specific actions**                                                        |
-|---------------------------|-----------------------------------------------------------------------------------------|
-|||
-| *Read*                    |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/read                      |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read                |
-|||
-| *Modify*                  |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read                |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write               |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action          |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action         |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete              |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/read                      |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/write                     |
-|                           |<sub>Microsoft.Storage/storageAccounts/blobServices/containers/delete                    |
-|||
+    :::image type="content" source="./media/access-policies-common/edit-policy.png" alt-text="Data owner can edit or delete a policy statement.":::
 
 
 ## Next steps