Commit 97a48e3

Merge pull request #217065 from bjspeaks/main
Self-service policy updates
2 parents 2027b73 + f6aa201 commit 97a48e3

13 files changed

+248
-38
lines changed

articles/purview/concept-self-service-data-access-policy.md

Lines changed: 6 additions & 5 deletions
@@ -6,7 +6,7 @@ ms.author: blessonj
66
ms.service: purview
77
ms.subservice: purview-data-policies
88
ms.topic: conceptual
9-
ms.date: 03/10/2022
9+
ms.date: 11/11/2022
1010
---
1111

1212
# Microsoft Purview Self-service data discovery and access (Preview)
@@ -34,19 +34,19 @@ A **workflow admin** will need to map a self-service data access workflow to a c
3434

3535
* **Self-service data access workflow** is the workflow that is initiated when a data consumer requests access to data.
3636

37-
* **Approver** is either security group or Azure Active Directory (Azure AD) users that can approve self-service access requests.
37+
* **Approver** is either security group or Azure Active Directory (Azure AD) users or Azure AD Groups that can approve self-service access requests.
3838

3939
## How to use Microsoft Purview self-service data access policy
4040

4141
Microsoft Purview allows organizations to catalog metadata about all registered data assets. It allows data consumers to search for or browse to the required data asset.
4242

4343
With self-service data access workflow, data consumers can not only find data assets but also request access to the data assets. When the data consumer requests access to a data asset, the associated self-service data access workflow is triggered.
4444

45-
A default self-service data access workflow template is provided with every Microsoft Purview account. The default template can be amended to add more approvers and/or set the approver's email address. For more details refer [Create and enable self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md).
45+
A default self-service data access workflow template is provided with every Microsoft Purview account. The default template can be amended to add more approvers and/or set the approver's email address. For more details, refer [Create and enable self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md).
4646

47-
Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Microsoft Purview portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **Data Use Management**. The pre-requisites mentioned within the [Data Use Management](./how-to-enable-data-use-management.md#prerequisites) have to be satisfied.
47+
Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Microsoft Purview governance portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **Data Use Management**. The pre-requisites mentioned within the [Data Use Management](./how-to-enable-data-use-management.md#prerequisites) have to be satisfied.
4848

49-
Data consumer can access the requested dataset using tools such as PowerBI or Azure Synapse Analytics workspace.
49+
Data consumer can access the requested dataset using tools such as Power BI or Azure Synapse Analytics workspace.
5050

5151
>[!NOTE]
5252
> Users will not be able to browse to the asset using the Azure Portal or Storage explorer if the only permission granted is read/modify access at the file or folder level of the storage account.
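Review bot: the revised Approver bullet (new line 37) reads "is either security group or Azure Active Directory (Azure AD) users or Azure AD Groups that can approve", which hangs three alternatives off "either" and mixes singular and plural; suggest "is a security group, Azure AD user, or Azure AD group that can approve self-service access requests." On the same hunk, "For more details, refer [Create and enable self-service data access workflow]" (line 45) needs "refer to".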
@@ -62,3 +62,4 @@ If you would like to preview these features in your environment, follow the link
6262
- [create self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md)
6363
- [working with policies at file level](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)
6464
- [working with policies at folder level](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)
65+
- [self-service policies for Azure SQL Database tables and views](./how-to-policies-self-service-azure-sql-db.md)
Lines changed: 113 additions & 0 deletions
@@ -0,0 +1,113 @@
1+
---
2+
title: Self-service policies for Azure SQL Database (preview)
3+
description: Step-by-step guide on how self-service policy is created for Azure SQL Database through Microsoft Purview access policies.
4+
author: bjspeaks
5+
ms.author: blessonj
6+
ms.service: purview
7+
ms.subservice: purview-data-policies
8+
ms.topic: how-to
9+
ms.date: 11/11/2022
10+
ms.custom: references_regions, event-tier1-build-2022
11+
---
12+
# Self-service policies for Azure SQL Database (preview)
13+
14+
[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
15+
16+
[Self-service policies](concept-self-service-data-access-policy.md) allow you to manage access from Microsoft Purview to data sources that have been registered for **Data Use Management**.
17+
18+
This how-to guide describes how self-service policies get created in Microsoft Purview to enable access to Azure SQL Database. The following actions are currently enabled: *Read Tables*, and *Read Views*.
19+
20+
> [!CAUTION]
21+
> *Ownership chaining* must exist for *select* to work on Azure SQL Database *views*.
22+
23+
## Prerequisites
24+
[!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
25+
[!INCLUDE [Access policies Azure SQL DB pre-requisites](./includes/access-policies-prerequisites-azure-sql-db.md)]
26+
27+
## Microsoft Purview Configuration
28+
[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
29+
30+
### Register the data sources in Microsoft Purview
31+
The Azure SQL Database resources need to be registered first with Microsoft Purview to later define access policies. You can follow these guides:
32+
33+
[Register and scan Azure SQL DB](./register-scan-azure-sql-database.md)
34+
35+
After you've registered your resources, you'll need to enable data use management. Data use management can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to data use management in this guide**:
36+
37+
[How to enable data use management](./how-to-enable-data-use-management.md)
38+
39+
Once your data source has the **Data use management** toggle *Enabled*, it will look like this picture. This will enable the access policies to be used with the given SQL server and all its contained databases.
40+
![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-azure-sql-db.png)
41+
42+
43+
## Create a self-service data access request
44+
45+
[!INCLUDE [request access to datasets](includes/how-to-self-service-request-access.md)]
46+
47+
48+
>[!Important]
49+
> - Publish is a background operation. It can take up to **5 minutes** for the changes to be reflected in this data source.
50+
> - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.
51+
52+
53+
## View a self-service Policy
54+
55+
To view the policies you've created, follow the article to [view the self-service policies](how-to-view-self-service-data-access-policy.md).
56+
57+
58+
### Test the policy
59+
60+
The Azure Active Directory Account, group, MSI, or SPN for which the self-service policies were created, should now be able to connect to the database on the server and execute a select query against the requested table or view.
61+
62+
#### Force policy download
63+
It's possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it's membership in ##MS_ServerStateManager##-server role.
64+
65+
```sql
66+
-- Force immediate download of latest published policies
67+
exec sp_external_policy_refresh reload
68+
```
69+
70+
#### Analyze downloaded policy state from SQL
71+
The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
72+
73+
```sql
74+
75+
-- Lists generally supported actions
76+
SELECT * FROM sys.dm_server_external_policy_actions
77+
78+
-- Lists the roles that are part of a policy published to this server
79+
SELECT * FROM sys.dm_server_external_policy_roles
80+
81+
-- Lists the links between the roles and actions, could be used to join the two
82+
SELECT * FROM sys.dm_server_external_policy_role_actions
83+
84+
-- Lists all Azure AD principals that were given connect permissions
85+
SELECT * FROM sys.dm_server_external_policy_principals
86+
87+
-- Lists Azure AD principals assigned to a given role on a given resource scope
88+
SELECT * FROM sys.dm_server_external_policy_role_members
89+
90+
-- Lists Azure AD principals, joined with roles, joined with their data actions
91+
SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
92+
```
93+
94+
## Additional information
95+
96+
### Policy action mapping
97+
98+
This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL Database.
99+
100+
| **Microsoft Purview policy action** | **Data source specific actions** |
101+
|-------------------------------------|--------------------------------------|
102+
|||
103+
| *Read* |Microsoft.Sql/sqlservers/Connect |
104+
||Microsoft.Sql/sqlservers/databases/Connect |
105+
||Microsoft.Sql/Sqlservers/Databases/Schemas/Tables/Rows|
106+
||Microsoft.Sql/Sqlservers/Databases/Schemas/Views/Rows |
107+
|||
108+
109+
## Next steps
110+
Check blog, demo and related how-to guides
111+
- [self-service policies](concept-self-service-data-access-policy.md)
112+
- [What are Microsoft Purview workflows](concept-workflow.md)
113+
- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)
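Review bot: the policy action mapping table closes and opens with `|||` placeholder rows (lines 102 and 107) that render as empty table rows, and the data-source action paths mix casing (`Microsoft.Sql/sqlservers/Connect` beside `Microsoft.Sql/Sqlservers/Databases/Schemas/Tables/Rows`); drop the empty rows and settle on one casing so readers comparing against audit output are not misled. Under "Force policy download" (line 63), "The minimal permission required to run it's membership in ##MS_ServerStateManager##-server role" should read "to run it is membership in the ##MS_ServerStateManager## server role". The "Next steps" lead-in "Check blog, demo and related how-to guides" (line 110) lists no blog or demo and is missing its colon.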
Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
---
2+
title: Self-service policies for Azure Storage (preview)
3+
description: Step-by-step guide on how self-service policy is created for storage through Microsoft Purview access policies.
4+
author: bjspeaks
5+
ms.author: blessonj
6+
ms.service: purview
7+
ms.subservice: purview-data-policies
8+
ms.topic: how-to
9+
ms.date: 10/24/2022
10+
ms.custom: references_regions, event-tier1-build-2022
11+
---
12+
13+
# Self-service access provisioning for Azure Storage datasets (Preview)
14+
15+
[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
16+
17+
[Access policies](concept-policies-data-owner.md) allow you to manage access from Microsoft Purview to data sources that have been registered for *Data Use Management*.
18+
19+
This how-to guide describes how self-service policies get created in Microsoft Purview to enable access to Azure storage datasets. Currently, these two Azure Storage sources are supported:
20+
21+
- Blob storage
22+
- Azure Data Lake Storage (ADLS) Gen2
23+
24+
## Prerequisites
25+
[!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
26+
27+
[!INCLUDE [Azure Storage specific pre-requisites](./includes/access-policies-prerequisites-storage.md)]
28+
29+
## Configuration
30+
[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
31+
32+
### Register the data sources in Microsoft Purview for Data Use Management
33+
The Azure Storage resources need to be registered first with Microsoft Purview to later define access policies.
34+
35+
To register your resources, follow the **Prerequisites** and **Register** sections of these guides:
36+
37+
- [Register and scan Azure Storage Blob - Microsoft Purview](register-scan-azure-blob-storage-source.md#prerequisites)
38+
39+
- [Register and scan Azure Data Lake Storage (ADLS) Gen2 - Microsoft Purview](register-scan-adls-gen2.md#prerequisites)
40+
41+
After you've registered your resources, you'll need to enable data use management. Data use management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable data use management](./how-to-enable-data-use-management.md)
42+
43+
Once your data source has the **Data Use Management** toggle **Enabled**, it will look like this picture:
44+
45+
:::image type="content" source="./media/how-to-policies-self-service-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows how to register a data source for policy by toggling the enable tab in the resource editor.":::
46+
47+
## Create a self-service data access request
48+
49+
[!INCLUDE [request access to datasets](includes/how-to-self-service-request-access.md)]
50+
51+
>[!Important]
52+
> - Publish is a background operation. Azure Storage accounts can take up to **2 hours** to reflect the changes.
53+
54+
## View a self-service policy
55+
56+
To view the policies you've created, follow the article to [view the self-service policies](how-to-view-self-service-data-access-policy.md).
57+
58+
## Data consumption
59+
60+
- Data consumer can access the requested dataset using tools such as Power BI or Azure Synapse Analytics workspace.
61+
62+
>[!NOTE]
63+
> Users will not be able to browse to the asset using the Azure Portal or Storage explorer if the only permission granted is read/modify access at the file or folder level of the storage account.
64+
65+
> [!CAUTION]
66+
> Folder level permission is required to access data in ADLS Gen 2 using PowerBI.
67+
> Additionally, resource sets are not supported by self-service policies. Hence, folder level permission needs to be granted to access resource set files such as CSV or parquet.
68+
69+
70+
### Known issues
71+
72+
**Known issues** related to Policy creation
73+
- self-service policies aren't supported for Microsoft Purview resource sets. Even if displayed in Microsoft Purview, it isn't yet enforced. Learn more about [resource sets](concept-resource-sets.md).
74+
75+
76+
## Next steps
77+
Check blog, demo and related tutorials:
78+
79+
* [self-service policies concept](./concept-self-service-data-access-policy.md)
80+
* [Demo of self-service policies for storage](https://www.youtube.com/watch?v=AYKZ6_imorE)
81+
* [Blog: Accessing data when folder level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)
82+
* [Blog: Accessing data when file level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)
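Review bot: the intro sentence (line 17) links "Access policies" to concept-policies-data-owner.md, the data owner policy concept, while this article and the companion Azure SQL how-to in the same PR describe self-service policies and link concept-self-service-data-access-policy.md; point this link at the self-service concept so readers land on the access model the article actually configures. The CAUTION at line 66 spells "PowerBI", which this PR corrects to "Power BI" in concept-self-service-data-access-policy.md (line 49) and at line 60 of this very file.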

articles/purview/how-to-request-access.md

Lines changed: 2 additions & 27 deletions
@@ -24,36 +24,11 @@ This article outlines how to make an access request.
2424
2525
## Request access
2626

27-
1. To find a data asset, use Microsoft Purview's [search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) functionality.
28-
29-
:::image type="content" source="./media/how-to-request-access/search-or-browse.png" alt-text="Screenshot of the Microsoft Purview governance portal, with the search bar and browse buttons highlighted.":::
30-
31-
1. Select the asset to go to asset details.
32-
33-
1. Select **Request access**.
34-
35-
:::image type="content" source="./media/how-to-request-access/request-access.png" alt-text="Screenshot of a data asset's overview page, with the Request button highlighted in the mid-page menu.":::
36-
37-
> [!NOTE]
38-
> If this option isn't available, a [self-service access workflow](how-to-workflow-self-service-data-access-hybrid.md) either hasn't been created, or hasn't been assigned to the collection where the resource is registered. Contact the collection administrator, data source administrator, or workflow administrator of your collection for more information.
39-
> Or, for information on how to create a self-service access workflow, see our [self-service access workflow documentation](how-to-workflow-self-service-data-access-hybrid.md).
40-
41-
1. The **Request access** window will open. You can provide comments on why data access is requested.
42-
1. Select **Send** to trigger the self-service data access workflow.
43-
44-
> [!NOTE]
45-
> If you want to request access on behalf of another user, select the checkbox **Request for someone else** and populate the email id of that user.
46-
47-
:::image type="content" source="./media/how-to-request-access/send.png" alt-text="Screenshot of a data asset's overview page, with the Request access window overlaid. The Send button is highlighted at the bottom of the Request access window.":::
48-
49-
> [!NOTE]
50-
> A request access to resource set will actually submit the data access request for the folder one level up which contains all these resource set files.
51-
52-
1. Data owners will be notified of your request and will either approve or reject the request.
53-
27+
[!INCLUDE [request access to datasets](includes/how-to-self-service-request-access.md)]
5428

5529
## Next steps
5630

5731
- [What are Microsoft Purview workflows](concept-workflow.md)
5832
- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)
5933
- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)
34+
- [Self-service policies](concept-self-service-data-access-policy.md)

articles/purview/how-to-workflow-self-service-data-access-hybrid.md

Lines changed: 1 addition & 1 deletion
@@ -140,4 +140,4 @@ For more information about workflows, see these articles:
140140
- [Workflows in Microsoft Purview](concept-workflow.md)
141141
- [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)
142142
- [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)
143-
143+
- [Self-service access policies](concept-self-service-data-access-policy.md)
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
---
2+
author: nayenama
3+
ms.author: nayenama
4+
ms.service: purview
5+
ms.topic: include
6+
ms.date: 11/04/2022
7+
---
8+
9+
1. To find a data asset, use Microsoft Purview's [search](../how-to-search-catalog.md) or [browse](../how-to-browse-catalog.md) functionality.
10+
11+
:::image type="content" source="./media/how-to-self-service-request-access/search-or-browse.png" alt-text="Screenshot of the Microsoft Purview governance portal, with the search bar and browse buttons highlighted.":::
12+
13+
1. Select the asset to go to asset details.
14+
15+
1. Select **Request access**.
16+
17+
:::image type="content" source="./media/how-to-self-service-request-access/request-access.png" alt-text="Screenshot of a data asset's overview page, with the Request button highlighted in the mid-page menu.":::
18+
19+
> [!NOTE]
20+
> If this option isn't available, a [self-service access workflow](../how-to-workflow-self-service-data-access-hybrid.md) either hasn't been created, or hasn't been assigned to the collection where the resource is registered. Contact the collection administrator, data source administrator, or workflow administrator of your collection for more information.
21+
> Or, for information on how to create a self-service access workflow, see our [self-service access workflow documentation](../how-to-workflow-self-service-data-access-hybrid.md).
22+
23+
1. The **Request access** window will open. You can provide comments on why data access is requested.
24+
1. Select **Send** to trigger the self-service data access workflow.
25+
26+
> [!NOTE]
27+
> If you want to request access on behalf of another user, select the checkbox **Request for someone else** and populate the email id of that user.
28+
29+
:::image type="content" source="./media/how-to-self-service-request-access/send.png" alt-text="Screenshot of a data asset's overview page, with the Request access window overlaid. The Send button is highlighted at the bottom of the Request access window.":::
30+
31+
> [!NOTE]
32+
> A request access to resource set will actually submit the data access request for the folder one level up which contains all these resource set files.
33+
34+
1. Data owners will be notified of your request and will either approve or reject the request.
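Review bot: the screenshot references in this include (lines 11, 17, 29) use `./media/how-to-self-service-request-access/...`, which resolves relative to the include file, while the article links on lines 9 and 20 correctly step up with `../how-to-search-catalog.md`; confirm the three images were added under includes/media/how-to-self-service-request-access/, otherwise every article that pulls this include will render broken images where the article-local `./media/how-to-request-access/` paths removed from how-to-request-access.md previously worked. Minor: "email id" (line 27) should be "email ID", and "A request access to resource set will actually submit the data access request for the folder one level up" (line 32) reads better as "A request for access to a resource set submits the data access request for the folder one level up".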