Merge pull request #218417 from inward-eye/main

added devops policy on resource group or subscription

Author: liljack17

articles/purview/how-to-policies-data-owner-authoring-generic.md

@@ -36,7 +36,7 @@ Before authoring data policies in the Microsoft Purview governance portal, you'l
 ## Create a new policy
 
 This section describes the steps to create a new policy in Microsoft Purview.
-Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-or-update-access-policies).
+Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-to-create-update-or-delete-access-policies).
 
 1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).
 
@@ -120,7 +120,7 @@ The steps to publish a policy are as follows:
 ## Update or delete a policy
 
 Steps to update or delete a policy in Microsoft Purview are as follows.
-Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-needed-to-create-or-update-access-policies)
+Ensure you have the *Policy Author* permission as described [here](how-to-enable-data-use-management.md#configure-microsoft-purview-permissions-to-create-update-or-delete-access-policies)
 
 1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).
 

articles/purview/how-to-policies-data-owner-resource-group.md

@@ -31,9 +31,7 @@ In this guide we cover how to register an entire resource group or subscription
 [!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
 
 ### Register the subscription or resource group for Data Use Management
-The subscription or resource group needs to be registered with Microsoft Purview to later define access policies.
-
-To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide:
+The subscription or resource group needs to be registered with Microsoft Purview before you can create access policies. To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide:
 
 - [Register multiple sources in Microsoft Purview](register-scan-azure-multiple-sources.md#prerequisites)
 
@@ -44,7 +42,7 @@ In the end, your resource will have the  **Data Use Management** toggle **Enable
 ![Screenshot shows how to register a resource group or subscription for policy by toggling the enable tab in the resource editor.](./media/how-to-policies-data-owner-resource-group/register-resource-group-for-policy.png)
 
 >[!Important]
-> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* to provide their App ID: [See this document](./how-to-policies-data-owner-arc-sql-server.md#register-data-sources-in-microsoft-purview).
+> - If you create a policy on a resource group or subscription and want to have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* which captures their App ID: [See this document](./how-to-policies-devops-arc-sql-server.md#register-data-sources-in-microsoft-purview).
 
 
 ## Create and publish a data owner policy

articles/purview/how-to-policies-devops-resource-group.md

@@ -17,7 +17,6 @@ In this guide we cover how to register an entire resource group or subscription
 
 ## Prerequisites
 [!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
-[!INCLUDE [Access policies Azure SQL Database pre-requisites](./includes/access-policies-prerequisites-azure-sql-db.md)]
 
 **Only these data sources are enabled for access policies on resource group or subscription**. Follow the **Prerequisites** section that is specific to the data source(s) in these guides:
 * [DevOps policies on an Azure SQL Database](./how-to-policies-devops-azure-sql-db.md#prerequisites)
@@ -27,20 +26,18 @@ In this guide we cover how to register an entire resource group or subscription
 [!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
 
 ### Register the subscription or resource group for Data Use Management
-The subscription or resource group needs to be registered with Microsoft Purview to later define access policies.
-
-To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide:
+The subscription or resource group needs to be registered with Microsoft Purview before you can create access policies. To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide:
 
 - [Register multiple sources in Microsoft Purview](register-scan-azure-multiple-sources.md#prerequisites)
 
-After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md) 
+After you've registered your resources, you'll need to enable the Data Use Management option. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md) 
 
 In the end, your resource will have the  **Data Use Management** toggle **Enabled**, as shown in the screenshot:
 
 ![Screenshot shows how to register a resource group or subscription for policy by toggling the enable tab in the resource editor.](./media/how-to-policies-data-owner-resource-group/register-resource-group-for-policy.png)
 
 >[!Important]
-> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* to provide their App ID: [See this document](./how-to-policies-devops-arc-sql-server.md#register-data-sources-in-microsoft-purview).
+> - If you create a policy on a resource group or subscription and want to have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently and enable *Data use management* which captures their App ID: [See this document](./how-to-policies-devops-arc-sql-server.md#register-data-sources-in-microsoft-purview).
 
 
 ## Create a new DevOps policy

articles/purview/includes/access-policies-configuration-generic.md

@@ -22,27 +22,25 @@ This step is needed before a policy can be created in Microsoft Purview for that
 2) In addition, the same user needs to have Microsoft Purview Data source administrator (DSA) role for the collection or a parent collection (if inheritance is enabled). See the guide on [managing Microsoft Purview role assignments](../catalog-permissions.md#assign-permissions-to-your-users). The following screenshot shows how to assign Data Source Admin at root collection level:
 ![Screenshot shows how to assign Data Source Admin at root collection level.](../media/how-to-policies-data-owner-authoring-generic/assign-purview-permissions.png)
 
-#### Configure Microsoft Purview permissions needed to create or update access policies
+#### Configure Microsoft Purview permissions to create, update or delete access policies
 The following permissions are needed in Microsoft Purview at the **root collection level**:
 - *Policy authors* role can create, update and delete DevOps and Data Owner policies
+- *Policy authors* role can delete Self-service access policies
 
 Check the section on managing Microsoft Purview role assignments in this [guide](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
 
->[!IMPORTANT]
+>[!NOTE]
 > Currently, Microsoft Purview roles related to creating/updating/deleting policies must be configured at **root collection level**.
-
->[!Note]
-> **Known issues** related to permissions
 > In addition to Microsoft Purview *Policy authors* role, user may need *Directory Reader* permission in Azure Active Directory to create a policy. This is a common permission for users in an Azure tenant. You can check permissions for [Azure AD Directory Reader](../../active-directory/roles/permissions-reference.md#directory-readers).
 
 #### Configure Microsoft Purview permissions needed to publish Data Owner policies
-Data owner policies allow for check and balances if you assign the Microsoft Purview *Policy author* and *Data source admin* roles to different people in the organization. With this, before a data policy takes effect, a second person (the *Data source admin*) must review it and explicitly approve it by publishing it. Publishing is automatic once DevOps policies are created/updated so it does not apply to this type of policies.
+Data owner policies allow for check and balances if you assign the Microsoft Purview *Policy author* and *Data source admin* roles to different people in the organization. With this, before a data policy takes effect, a second person (the *Data source admin*) must review it and explicitly approve it by publishing it. Publishing is automatic once DevOps or Self-service access policies are created/updated so it does not apply to these types of policies.
 The following permissions are needed in Microsoft Purview at the **root collection level**:
 - *Data source administrator* role can publish a policy.
 
 Check the section on managing Microsoft Purview role assignments in this [guide](../how-to-create-and-manage-collections.md#add-roles-and-restrict-access-through-collections).
 
->[!IMPORTANT]
+>[!NOTE]
 > Currently, Microsoft Purview roles related to publishing Data Owner policies must be configured at **root collection level**.
 
 #### Delegation of access provisioning responsibility to roles in Microsoft Purview