Merge pull request #230242 from inward-eye/main

JamesJBarnett · web-flow · commit 941a8f925629 · 2023-03-10T11:35:04.000-07:00
updates to devops docs
diff --git a/articles/purview/how-to-policies-devops-arc-sql-server.md b/articles/purview/how-to-policies-devops-arc-sql-server.md
@@ -63,70 +63,14 @@ Follow this link for the steps to [delete a DevOps policies in Microsoft Purview
 >[!Important]
 > DevOps policies are auto-published and changes can take up to **5 minutes** to be enforced by the data source.
 
-## Test the policy
+## Test the DevOps policy
+See how to [test the policy you created](./how-to-policies-devops-authoring-generic.md#test-the-devops-policy)
 
-The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
+## Role definition detail
+See the [mapping of DevOps role to data source actions](./how-to-policies-devops-authoring-generic.md#role-definition-detail)
 
-### Force policy download
-It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
-
-```sql
--- Force immediate download of latest published policies
-exec sp_external_policy_refresh reload
-```  
-
-### Analyze downloaded policy state from SQL
-The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
-
-```sql
-
--- Lists generally supported actions
-SELECT * FROM sys.dm_server_external_policy_actions
-
--- Lists the roles that are part of a policy published to this server
-SELECT * FROM sys.dm_server_external_policy_roles
-
--- Lists the links between the roles and actions, could be used to join the two
-SELECT * FROM sys.dm_server_external_policy_role_actions
-
--- Lists all Azure AD principals that were given connect permissions  
-SELECT * FROM sys.dm_server_external_policy_principals
-
--- Lists Azure AD principals assigned to a given role on a given resource scope
-SELECT * FROM sys.dm_server_external_policy_role_members
-
--- Lists Azure AD principals, joined with roles, joined with their data actions
-SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
-```
-
-## Additional information
-
-### Policy action mapping
+## Next steps
+See [related videos, blogs and documents](./how-to-policies-devops-authoring-generic.md#next-steps)
 
-This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure Arc-enabled SQL Server.
 
-| **DevOps role definition** | **Data source specific actions**     |
-|-------------------------------------|--------------------------------------|
-|                                     |                                      |
-| *SQL Performance Monitor* |Microsoft.Sql/sqlservers/Connect |
-||Microsoft.Sql/sqlservers/databases/Connect |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabasePerformanceState/rows/select |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/ServerPerformanceState/rows/select |
-|||               
-| *SQL Security Auditor* |Microsoft.Sql/sqlservers/Connect |
-||Microsoft.Sql/sqlservers/databases/Connect |
-||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityState/rows/select |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityState/rows/select |
-||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityMetadata/rows/select |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityMetadata/rows/select |
-|||
 
-## Next steps
-Check the blogs, videos and related docs
-* Blog: [Microsoft Purview DevOps policies enter General Availability](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-devops-policies-enter-ga-simplify-access/ba-p/3674057)
-* Blog: [Microsoft Purview DevOps policies enable at scale access provisioning for IT operations](https://techcommunity.microsoft.com/t5/microsoft-purview-blog/microsoft-purview-devops-policies-enable-at-scale-access/ba-p/3604725)
-* Video: [DevOps policies quick overview](https://aka.ms/Microsoft-Purview-DevOps-Policies-Video)
-* Video: [DevOps policies deep dive](https://youtu.be/UvClpdIb-6g)
-* Video: [Pre-requisite for policies: The "Data use management" option](https://youtu.be/v_lOzevLW-Q)
-* Doc: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md)
-* Doc: [Microsoft Purview DevOps policies on resource groups and subscriptions](./how-to-policies-devops-resource-group.md)
diff --git a/articles/purview/how-to-policies-devops-authoring-generic.md b/articles/purview/how-to-policies-devops-authoring-generic.md
@@ -79,10 +79,10 @@ To delete a DevOps policy, ensure first that you have the Microsoft Purview Poli
 1. Check one of the policies and then select **Delete** as shown in the following screenshot:
 ![Screenshot shows to enter SQL DevOps policies to delete.](./media/how-to-policies-devops-authoring-generic/enter-devops-policies-to-delete.png)
 
-## Test a DevOps policy
+## Test the DevOps policy
 After creating the policy, any of the Azure AD users in the Subject should now be able to connect to the data sources in the scope of the policy. To test, use SSMS or any SQL client and try to query some DMVs/DMFs. We list here some examples. For more, you can consult the [Microsoft Purview DevOps policies concept guide](/azure/purview/concept-policies-devops.md#mapping-of-popular-dmvsdmfs)
 
-### Testing access for SQL Performance Monitor
+### Testing SQL Performance Monitor access
 If you provided the Subject(s) of the policy SQL Performance Monitor role, you can issue the following commands
 ```sql
 -- Returns I/O statistics for data and log files
@@ -92,7 +92,7 @@ SELECT wait_type, wait_time_ms FROM sys.dm_os_wait_stats
 ```
 ![Screenshot shows test for SQL Performance Monitor.](./media/how-to-policies-devops-authoring-generic/test-access-sql-performance-monitor.png)
 
-### Testing access for SQL Security Auditor
+### Testing SQL Security Auditor access
 If you provided the Subject(s) of the policy SQL Security Auditor role, you can issue the following commands from SSMS or any SQL client
 ```sql
 -- Returns the current state of the audit
@@ -101,7 +101,7 @@ SELECT * FROM sys.dm_server_audit_status
 SELECT * FROM sys.dm_database_encryption_keys
 ```
 
-### Ensure there is no access to user data
+### Ensure no access to user data
 Next, try accessing a table in one of the databases. The Azure AD principal you are testing with should be denied, which means the data is protected from insider threat
 
 ```sql
@@ -112,8 +112,7 @@ SELECT * FROM [databaseName].schemaName.tableName
 ![Screenshot shows test to access user data.](./media/how-to-policies-devops-authoring-generic/test-access-user-data.png)
 
 
-## Policy action mapping
-
+## Role definition detail
 This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL MI.
 
 | **DevOps role definition** | **Data source specific actions**     |
diff --git a/articles/purview/how-to-policies-devops-azure-sql-db.md b/articles/purview/how-to-policies-devops-azure-sql-db.md
@@ -49,71 +49,13 @@ Follow this link for the steps to [delete a DevOps policies in Microsoft Purview
 >[!Important]
 > DevOps policies are auto-published and changes can take up to **5 minutes** to be enforced by the data source.
 
-## Test the policy
-The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
+## Test the DevOps policy
+See how to [test the policy you created](./how-to-policies-devops-authoring-generic.md#test-the-devops-policy)
 
-### Force policy download
-It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
-
-```sql
--- Force immediate download of latest published policies
-exec sp_external_policy_refresh reload
-```  
-
-### Analyze downloaded policy state from SQL
-The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
-
-```sql
-
--- Lists generally supported actions
-SELECT * FROM sys.dm_server_external_policy_actions
-
--- Lists the roles that are part of a policy published to this server
-SELECT * FROM sys.dm_server_external_policy_roles
-
--- Lists the links between the roles and actions, could be used to join the two
-SELECT * FROM sys.dm_server_external_policy_role_actions
-
--- Lists all Azure AD principals that were given connect permissions  
-SELECT * FROM sys.dm_server_external_policy_principals
-
--- Lists Azure AD principals assigned to a given role on a given resource scope
-SELECT * FROM sys.dm_server_external_policy_role_members
-
--- Lists Azure AD principals, joined with roles, joined with their data actions
-SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
-```
-
-## Additional information
-
-### Policy action mapping
-
-This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL DB.
-
-| **Microsoft Purview policy action** | **Data source specific actions**     |
-|-------------------------------------|--------------------------------------|
-|                                     |                                      |
-| *SQL Performance Monitor* |Microsoft.Sql/sqlservers/Connect |
-||Microsoft.Sql/sqlservers/databases/Connect |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabasePerformanceState/rows/select |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/ServerPerformanceState/rows/select |
-|||               
-| *SQL Security Auditor* |Microsoft.Sql/sqlservers/Connect |
-||Microsoft.Sql/sqlservers/databases/Connect |
-||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityState/rows/select |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityState/rows/select |
-||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityMetadata/rows/select |
-||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityMetadata/rows/select |
-|||
+## Role definition detail
+See the [mapping of DevOps role to data source actions](./how-to-policies-devops-authoring-generic.md#role-definition-detail)
 
 ## Next steps
-Check the blogs, videos and related docs
-* Blog: [Microsoft Purview DevOps policies enter General Availability](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-devops-policies-enter-ga-simplify-access/ba-p/3674057)
-* Blog: [Microsoft Purview DevOps policies enable at scale access provisioning for IT operations](https://techcommunity.microsoft.com/t5/microsoft-purview-blog/microsoft-purview-devops-policies-enable-at-scale-access/ba-p/3604725)
-* Video: [DevOps policies quick overview](https://aka.ms/Microsoft-Purview-DevOps-Policies-Video)
-* Video: [DevOps policies deep dive](https://youtu.be/UvClpdIb-6g)
-* Video: [Pre-requisite for policies: The "Data use management" option](https://youtu.be/v_lOzevLW-Q)
-* Doc: [Microsoft Purview DevOps policies on Azure Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md)
-* Doc: [Microsoft Purview DevOps policies on resource groups and subscriptions](./how-to-policies-devops-resource-group.md)
+See [related videos, blogs and documents](./how-to-policies-devops-authoring-generic.md#next-steps)
 
 
diff --git a/articles/purview/how-to-policies-devops-resource-group.md b/articles/purview/how-to-policies-devops-resource-group.md
@@ -54,16 +54,11 @@ Follow this link for the steps to [update a DevOps policies in Microsoft Purview
 ## Delete a DevOps policy
 Follow this link for the steps to [delete a DevOps policies in Microsoft Purview](how-to-policies-devops-authoring-generic.md#delete-a-devops-policy).
 
+## Test the DevOps policy
+See how to [test the policy you created](./how-to-policies-devops-authoring-generic.md#test-the-devops-policy)
 
-### Test the policy
-To test the policy see the DevOps policy guides for the underlying data sources listed in the [next steps section](#next-steps) of this document.
+## Role definition detail
+See the [mapping of DevOps role to data source actions](./how-to-policies-devops-authoring-generic.md#role-definition-detail)
 
 ## Next steps
-Check the blogs, videos and related docs
-* Blog: [Microsoft Purview DevOps policies enter General Availability](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-devops-policies-enter-ga-simplify-access/ba-p/3674057)
-* Blog: [Microsoft Purview DevOps policies enable at scale access provisioning for IT operations](https://techcommunity.microsoft.com/t5/microsoft-purview-blog/microsoft-purview-devops-policies-enable-at-scale-access/ba-p/3604725)
-* Video: [DevOps policies quick overview](https://aka.ms/Microsoft-Purview-DevOps-Policies-Video)
-* Video: [DevOps policies deep dive](https://youtu.be/UvClpdIb-6g)
-* Video: [Pre-requisite for policies: The "Data use management" option](https://youtu.be/v_lOzevLW-Q)
-* Doc: [Microsoft Purview DevOps policies on Azure Arc-enabled SQL Server](./how-to-policies-devops-arc-sql-server.md)
-* Doc: [Microsoft Purview DevOps policies on Azure SQL DB](./how-to-policies-devops-azure-sql-db.md)
+See [related videos, blogs and documents](./how-to-policies-devops-authoring-generic.md#next-steps)
diff --git a/articles/purview/troubleshoot-policy-sql.md b/articles/purview/troubleshoot-policy-sql.md
@@ -0,0 +1,64 @@
+---
+title: Troubleshoot Microsoft Purview policies for SQL data sources
+description: Check how to see if SQL data sources are receiving policies from Microsoft Purview.
+author: inward-eye
+ms.author: vlrodrig
+ms.service: purview
+ms.subservice: purview-data-policies
+ms.topic: tutorial
+ms.date: 03/10/2023
+---
+
+# Tutorial: Troubleshoot Microsoft Purview policies for SQL data sources
+
+In this tutorial, you learn how issue SQL commands to inspect the Microsoft Purview policies that have been communicated to the SQL instance, where they will be enforced. You will also learn how to force a download of the policies to the SQL instance. These commands are only used for troubleshooting and are not required during the normal operation of Microsoft Purview policies. These commands require a higher level of privileges in the SQL instance.
+
+For more information about Microsoft Purview policies, see the concept guides listed in the [Next steps](#next-steps) section.
+
+## Prerequisites
+
+* An Azure subscription. If you don't already have one, [create a free subscription](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
+* A Microsoft Purview account. If you don't have one, see the [quickstart for creating a Microsoft Purview account](create-catalog-portal.md).
+* Register a data source, enable *Data use management*, and create a policy. To do so, use one of the Microsoft Purview policy guides. To follow along with the examples in this tutorial, you can [create a DevOps policy for Azure SQL Database](how-to-policies-devops-azure-sql-db.md).
+
+## Test the policy
+Once you create a policy, the Azure AD principals referenced in the Subject of the policy should be able to connect to any database in the server to which the policies are published.
+
+### Force policy download
+It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
+
+```sql
+-- Force immediate download of latest published policies
+exec sp_external_policy_refresh reload
+```  
+
+### Analyze downloaded policy state from SQL
+The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD principals. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
+
+```sql
+
+-- Lists generally supported actions
+SELECT * FROM sys.dm_server_external_policy_actions
+
+-- Lists the roles that are part of a policy published to this server
+SELECT * FROM sys.dm_server_external_policy_roles
+
+-- Lists the links between the roles and actions, could be used to join the two
+SELECT * FROM sys.dm_server_external_policy_role_actions
+
+-- Lists all Azure AD principals that were given connect permissions  
+SELECT * FROM sys.dm_server_external_policy_principals
+
+-- Lists Azure AD principals assigned to a given role on a given resource scope
+SELECT * FROM sys.dm_server_external_policy_role_members
+
+-- Lists Azure AD principals, joined with roles, joined with their data actions
+SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
+```
+
+## Next steps
+
+Concept guides for Microsoft Purview access policies:
+- [DevOps policies](concept-policies-devops.md)
+- [Self-service access policies](concept-self-service-data-access-policy.md)
+- [Data owner policies](concept-policies-data-owner.md)
