You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
### Important considerations related to Data use governance
61
+
1. Make sure you write down the **Name** you use when registering in Azure Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
62
+
2. To disable a source for *Data use governance*, remove it first from being bound (i.e. published) in any policy.
63
+
3. While user needs to have both data source *Owner* and Azure Purview *Data source admin* to enable a source for *Data use governance*, either of those roles can independently disable it.
64
+
4. Disabling *Data use governance* for a subscription will disable it also for all assets registered in that subscription.
65
+
66
+
> [!WARNING]
67
+
> **Known issues** related to source registration
68
+
> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.
69
+
> - Once a subscription gets disabled for *Data use governance* any underlying assets that are enabled for *Data use governance* will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that.
70
+
71
+
### Data use governance best practices
72
+
- We highly encourage registering data sources for *Data use governance* and managing all associated access policies in a single Azure Purview account.
73
+
- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
74
+
-**Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.
75
+
-**Case 2** shows a valid configuration where a Storage account is registered in an Azure Purview account in a different subscription.
76
+
-**Case 3** shows an invalid configuration arising because Storage accounts S3SA1 and S3SA2 both belong to Subscription 3, but are registered to different Azure Purview accounts. In that case, the *Data use governance* toggle will only enable in the Azure Purview account that wins and registers a data source in that subscription first. The toggle will then be greyed out for the other data source.
77
+
- If the *Data use governance* toggle is greyed out and cannot be enabled, hover over it to know the name of the Azure Purview account that has registered the data resource first.
78
+
79
+
Copy file name to clipboardExpand all lines: articles/purview/includes/access-policies-registration-generic.md
+2-21Lines changed: 2 additions & 21 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,27 +4,8 @@ ms.author: vlrodrig
4
4
ms.service: purview
5
5
ms.subservice: purview-data-policies
6
6
ms.topic: include
7
-
ms.date: 03/07/2022
7
+
ms.date: 03/14/2022
8
8
ms.custom:
9
9
---
10
10
11
-
### Important considerations related to Data use governance
12
-
1. Make sure you write down the **Name** you use when registering in Azure Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
13
-
2. To disable a source for *Data use governance*, remove it first from being bound (i.e. published) in any policy.
14
-
3. While user needs to have both data source *Owner* and Azure Purview *Data source admin* to enable a source for *Data use governance*, either of those roles can independently disable it.
15
-
4. Disabling *Data use governance* for a subscription will disable it also for all assets registered in that subscription.
16
-
17
-
> [!WARNING]
18
-
> **Known issues** related to source registration
19
-
> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.
20
-
> - Once a subscription gets disabled for *Data use governance* any underlying assets that are enabled for *Data use governance* will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that.
21
-
22
-
### Data use governance best practices
23
-
- We highly encourage registering data sources for *Data use governance* and managing all associated access policies in a single Azure Purview account.
24
-
- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
25
-
-**Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.
26
-
-**Case 2** shows a valid configuration where a Storage account is registered in an Azure Purview account in a different subscription.
27
-
-**Case 3** shows an invalid configuration arising because Storage accounts S3SA1 and S3SA2 both belong to Subscription 3, but are registered to different Azure Purview accounts. In that case, the *Data use governance* toggle will only enable in the Azure Purview account that wins and registers a data source in that subscription first. The toggle will then be greyed out for the other data source.
28
-
- If the *Data use governance* toggle is greyed out and cannot be enabled, hover over it to know the name of the Azure Purview account that has registered the data resource first.
29
-
30
-
Copy file name to clipboardExpand all lines: articles/purview/tutorial-data-owner-policies-resource-group.md
+2-4Lines changed: 2 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.author: vlrodrig
6
6
ms.service: purview
7
7
ms.subservice: purview-data-policies
8
8
ms.topic: tutorial
9
-
ms.date: 2/3/2022
9
+
ms.date: 3/14/2022
10
10
ms.custom:
11
11
---
12
12
@@ -41,9 +41,7 @@ Enable the resource group or the subscription for access policies in Azure Purvi
41
41
42
42
More here on [registering a data source for Data use governance](./how-to-enable-data-use-governance.md)
44
+
Follow this link for more information and best practices related to [registering a data resource for Data use governance](./how-to-enable-data-use-governance.md)
47
45
48
46
## Create and publish a data owner policy
49
47
Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides security group *sg-Finance**modify* access to resource group *finance-rg*:
More here on [registering a data source for Data use governance](./how-to-enable-data-use-governance.md)
47
+
Follow this link for more information and best practices related to [registering a data resource for Data use governance](./how-to-enable-data-use-governance.md)
50
48
51
49
## Create and publish a data owner policy
52
50
Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides group *Contoso Team**read* access to Storage account *marketinglake1*:
0 commit comments