Merge pull request #217065 from bjspeaks/main

Self-service policy updates

Author: ShannonLeavitt

articles/purview/concept-self-service-data-access-policy.md

@@ -6,7 +6,7 @@ ms.author: blessonj
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: conceptual
-ms.date: 03/10/2022
+ms.date: 11/11/2022
 ---
 
 # Microsoft Purview Self-service data discovery and access (Preview)
@@ -34,19 +34,19 @@ A **workflow admin** will need to map a self-service data access workflow to a c
 
 * **Self-service data access workflow** is the workflow that is initiated when a data consumer requests access to data.
 
-* **Approver** is either security group or Azure Active Directory (Azure AD) users that can approve self-service access requests.
+* **Approver** is either security group or Azure Active Directory (Azure AD) users or Azure AD Groups that can approve self-service access requests.
 
 ## How to use Microsoft Purview self-service data access policy
 
 Microsoft Purview allows organizations to catalog metadata about all registered data assets. It allows data consumers to search for or browse to the required data asset.  
 
 With self-service data access workflow, data consumers can not only find data assets but also request access to the data assets. When the data consumer requests access to a data asset, the associated self-service data access workflow is triggered.
 
-A default self-service data access workflow template is provided with every Microsoft Purview account. The default template can be amended to add more approvers and/or set the approver's email address. For more details refer [Create and enable self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md).
+A default self-service data access workflow template is provided with every Microsoft Purview account. The default template can be amended to add more approvers and/or set the approver's email address. For more details, refer [Create and enable self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md).
 
-Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Microsoft Purview portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **Data Use Management**. The pre-requisites mentioned within the [Data Use Management](./how-to-enable-data-use-management.md#prerequisites) have to be satisfied.
+Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Microsoft Purview governance portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective data source. Self-service data access policy gets auto-generated only if the data source is registered for **Data Use Management**. The pre-requisites mentioned within the [Data Use Management](./how-to-enable-data-use-management.md#prerequisites) have to be satisfied.
 
-Data consumer can access the requested dataset using tools such as PowerBI or Azure Synapse Analytics workspace.
+Data consumer can access the requested dataset using tools such as Power BI or Azure Synapse Analytics workspace.
 
 >[!NOTE]
 > Users will not be able to browse to the asset using the Azure Portal or Storage explorer if the only permission granted is read/modify access at the file or folder level of the storage account.
@@ -62,3 +62,4 @@ If you would like to preview these features in your environment, follow the link
 -  [create self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md)
 -  [working with policies at file level](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)
 -  [working with policies at folder level](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)
+-  [self-service policies for Azure SQL Database tables and views](./how-to-policies-self-service-azure-sql-db.md)

articles/purview/how-to-policies-self-service-azure-sql-db.md

@@ -0,0 +1,113 @@
+---
+title: Self-service policies for Azure SQL Database (preview)
+description: Step-by-step guide on how self-service policy is created for Azure SQL Database through Microsoft Purview access policies.
+author: bjspeaks
+ms.author: blessonj
+ms.service: purview
+ms.subservice: purview-data-policies
+ms.topic: how-to
+ms.date: 11/11/2022
+ms.custom: references_regions, event-tier1-build-2022
+---
+# Self-service policies for Azure SQL Database (preview)
+
+[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
+
+[Self-service policies](concept-self-service-data-access-policy.md) allow you to manage access from Microsoft Purview to data sources that have been registered for **Data Use Management**.
+
+This how-to guide describes how self-service policies get created in Microsoft Purview to enable access to Azure SQL Database. The following actions are currently enabled: *Read Tables*, and *Read Views*. 
+
+> [!CAUTION]
+> *Ownership chaining* must exist for *select* to work on Azure SQL Database *views*. 
+
+## Prerequisites
+[!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
+[!INCLUDE [Access policies Azure SQL DB pre-requisites](./includes/access-policies-prerequisites-azure-sql-db.md)]
+
+## Microsoft Purview Configuration
+[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
+
+### Register the data sources in Microsoft Purview
+The Azure SQL Database resources need to be registered first with Microsoft Purview to later define access policies. You can follow these guides:
+
+[Register and scan Azure SQL DB](./register-scan-azure-sql-database.md)
+
+After you've registered your resources, you'll need to enable data use management. Data use management can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to data use management in this guide**:
+
+[How to enable data use management](./how-to-enable-data-use-management.md)
+
+Once your data source has the **Data use management** toggle *Enabled*, it will look like this picture. This will enable the access policies to be used with the given SQL server and all its contained databases.
+![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-azure-sql-db.png)
+
+
+## Create a self-service data access request
+
+[!INCLUDE [request access to datasets](includes/how-to-self-service-request-access.md)]
+
+
+>[!Important]
+> - Publish is a background operation. It can take up to **5 minutes** for the changes to be reflected in this data source.
+> - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.
+
+
+## View a self-service Policy
+
+To view the policies you've created, follow the article to [view the self-service policies](how-to-view-self-service-data-access-policy.md).
+
+
+### Test the policy
+
+The Azure Active Directory Account, group, MSI, or SPN for which the self-service policies were created, should now be able to connect to the database on the server and execute a select query against the requested table or view.
+
+#### Force policy download
+It's possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it's membership in ##MS_ServerStateManager##-server role.
+
+```sql
+-- Force immediate download of latest published policies
+exec sp_external_policy_refresh reload
+```  
+
+#### Analyze downloaded policy state from SQL
+The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
+
+```sql
+
+-- Lists generally supported actions
+SELECT * FROM sys.dm_server_external_policy_actions
+
+-- Lists the roles that are part of a policy published to this server
+SELECT * FROM sys.dm_server_external_policy_roles
+
+-- Lists the links between the roles and actions, could be used to join the two
+SELECT * FROM sys.dm_server_external_policy_role_actions
+
+-- Lists all Azure AD principals that were given connect permissions  
+SELECT * FROM sys.dm_server_external_policy_principals
+
+-- Lists Azure AD principals assigned to a given role on a given resource scope
+SELECT * FROM sys.dm_server_external_policy_role_members
+
+-- Lists Azure AD principals, joined with roles, joined with their data actions
+SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
+```
+
+## Additional information
+
+### Policy action mapping
+
+This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL Database.
+
+| **Microsoft Purview policy action** | **Data source specific actions**     |
+|-------------------------------------|--------------------------------------|
+|||
+| *Read* |Microsoft.Sql/sqlservers/Connect |
+||Microsoft.Sql/sqlservers/databases/Connect |
+||Microsoft.Sql/Sqlservers/Databases/Schemas/Tables/Rows|
+||Microsoft.Sql/Sqlservers/Databases/Schemas/Views/Rows |
+|||
+
+## Next steps
+Check blog, demo and related how-to guides
+- [self-service policies](concept-self-service-data-access-policy.md) 
+- [What are Microsoft Purview workflows](concept-workflow.md)
+- [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)

articles/purview/how-to-policies-self-service-storage.md

@@ -0,0 +1,82 @@
+---
+title: Self-service policies for Azure Storage (preview)
+description: Step-by-step guide on how self-service policy is created for storage through Microsoft Purview access policies.
+author: bjspeaks
+ms.author: blessonj
+ms.service: purview
+ms.subservice: purview-data-policies
+ms.topic: how-to
+ms.date: 10/24/2022
+ms.custom: references_regions, event-tier1-build-2022
+---
+
+# Self-service access provisioning for Azure Storage datasets (Preview)
+
+[!INCLUDE [feature-in-preview](includes/feature-in-preview.md)]
+
+[Access policies](concept-policies-data-owner.md) allow you to manage access from Microsoft Purview to data sources that have been registered for *Data Use Management*.
+
+This how-to guide describes how self-service policies get created in Microsoft Purview to enable access to Azure storage datasets. Currently, these two Azure Storage sources are supported:
+
+- Blob storage
+- Azure Data Lake Storage (ADLS) Gen2
+
+## Prerequisites
+[!INCLUDE [Access policies generic pre-requisites](./includes/access-policies-prerequisites-generic.md)]
+
+[!INCLUDE [Azure Storage specific pre-requisites](./includes/access-policies-prerequisites-storage.md)]
+
+## Configuration
+[!INCLUDE [Access policies generic configuration](./includes/access-policies-configuration-generic.md)]
+
+### Register the data sources in Microsoft Purview for Data Use Management
+The Azure Storage resources need to be registered first with Microsoft Purview to later define access policies.
+
+To register your resources, follow the **Prerequisites** and **Register** sections of these guides:
+
+-   [Register and scan Azure Storage Blob - Microsoft Purview](register-scan-azure-blob-storage-source.md#prerequisites)
+
+-   [Register and scan Azure Data Lake Storage (ADLS) Gen2 - Microsoft Purview](register-scan-adls-gen2.md#prerequisites)
+
+After you've registered your resources, you'll need to enable data use management. Data use management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable data use management](./how-to-enable-data-use-management.md) 
+
+Once your data source has the  **Data Use Management** toggle **Enabled**, it will look like this picture:
+
+:::image type="content" source="./media/how-to-policies-self-service-storage/register-data-source-for-policy-storage.png" alt-text="Screenshot that shows how to register a data source for policy by toggling the enable tab in the resource editor.":::
+
+## Create a self-service data access request
+
+[!INCLUDE [request access to datasets](includes/how-to-self-service-request-access.md)]
+
+>[!Important]
+> - Publish is a background operation. Azure Storage accounts can take up to **2 hours** to reflect the changes.
+
+## View a self-service policy
+
+To view the policies you've created, follow the article to [view the self-service policies](how-to-view-self-service-data-access-policy.md).
+
+## Data consumption
+
+- Data consumer can access the requested dataset using tools such as Power BI or Azure Synapse Analytics workspace.
+
+>[!NOTE]
+> Users will not be able to browse to the asset using the Azure Portal or Storage explorer if the only permission granted is read/modify access at the file or folder level of the storage account.
+
+> [!CAUTION]
+> Folder level permission is required to access data in ADLS Gen 2 using PowerBI.
+> Additionally, resource sets are not supported by self-service policies. Hence, folder level permission needs to be granted to access resource set files such as CSV or parquet. 
+
+
+### Known issues
+
+**Known issues** related to Policy creation
+- self-service policies aren't supported for Microsoft Purview resource sets. Even if displayed in Microsoft Purview, it isn't yet enforced. Learn more about [resource sets](concept-resource-sets.md).
+
+
+## Next steps
+Check blog, demo and related tutorials:
+
+* [self-service policies concept](./concept-self-service-data-access-policy.md)
+* [Demo of self-service policies for storage](https://www.youtube.com/watch?v=AYKZ6_imorE)
+* [Blog: Accessing data when folder level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)
+* [Blog: Accessing data when file level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)

articles/purview/how-to-request-access.md

@@ -24,36 +24,11 @@ This article outlines how to make an access request.
 
 ## Request access
 
-1. To find a data asset, use Microsoft Purview's [search](how-to-search-catalog.md) or [browse](how-to-browse-catalog.md) functionality.
-
-    :::image type="content" source="./media/how-to-request-access/search-or-browse.png" alt-text="Screenshot of the Microsoft Purview governance portal, with the search bar and browse buttons highlighted.":::
-
-1. Select the asset to go to asset details.
-
-1. Select **Request access**.
-    
-    :::image type="content" source="./media/how-to-request-access/request-access.png" alt-text="Screenshot of a data asset's overview page, with the Request button highlighted in the mid-page menu.":::
-
-    > [!NOTE]
-    > If this option isn't available, a [self-service access workflow](how-to-workflow-self-service-data-access-hybrid.md) either hasn't been created, or hasn't been assigned to the collection where the resource is registered. Contact the collection administrator, data source administrator, or workflow administrator of your collection for more information.
-    > Or, for information on how to create a self-service access workflow, see our [self-service access workflow documentation](how-to-workflow-self-service-data-access-hybrid.md).
-
-1. The **Request access** window will open. You can provide comments on why data access is requested.
-1. Select **Send** to trigger the self-service data access workflow.
-
-    > [!NOTE]
-    > If you want to request access on behalf of another user, select the checkbox **Request for someone else** and populate the email id of that user.
-
-    :::image type="content" source="./media/how-to-request-access/send.png" alt-text="Screenshot of a data asset's overview page, with the Request access window overlaid. The Send button is highlighted at the bottom of the Request access window.":::
-
-    > [!NOTE]
-    > A request access to resource set will actually submit the data access request for the folder one level up which contains all these resource set files.
-
-1. Data owners will be notified of your request and will either approve or reject the request.
-
+[!INCLUDE [request access to datasets](includes/how-to-self-service-request-access.md)]
 
 ## Next steps
 
 - [What are Microsoft Purview workflows](concept-workflow.md)
 - [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)
 - [Self-service data access workflow for hybrid data estates](how-to-workflow-self-service-data-access-hybrid.md)
+- [Self-service policies](concept-self-service-data-access-policy.md) 

articles/purview/how-to-workflow-self-service-data-access-hybrid.md

@@ -140,4 +140,4 @@ For more information about workflows, see these articles:
 - [Workflows in Microsoft Purview](concept-workflow.md)
 - [Approval workflow for business terms](how-to-workflow-business-terms-approval.md)
 - [Manage workflow requests and approvals](how-to-workflow-manage-requests-approvals.md)
-
+- [Self-service access policies](concept-self-service-data-access-policy.md)

articles/purview/includes/how-to-self-service-request-access.md

@@ -0,0 +1,34 @@
+---
+author: nayenama
+ms.author: nayenama
+ms.service: purview
+ms.topic: include
+ms.date: 11/04/2022
+---
+
+1. To find a data asset, use Microsoft Purview's [search](../how-to-search-catalog.md) or [browse](../how-to-browse-catalog.md) functionality.
+
+    :::image type="content" source="./media/how-to-self-service-request-access/search-or-browse.png" alt-text="Screenshot of the Microsoft Purview governance portal, with the search bar and browse buttons highlighted.":::
+
+1. Select the asset to go to asset details.
+
+1. Select **Request access**.
+    
+    :::image type="content" source="./media/how-to-self-service-request-access/request-access.png" alt-text="Screenshot of a data asset's overview page, with the Request button highlighted in the mid-page menu.":::
+
+    > [!NOTE]
+    > If this option isn't available, a [self-service access workflow](../how-to-workflow-self-service-data-access-hybrid.md) either hasn't been created, or hasn't been assigned to the collection where the resource is registered. Contact the collection administrator, data source administrator, or workflow administrator of your collection for more information.
+    > Or, for information on how to create a self-service access workflow, see our [self-service access workflow documentation](../how-to-workflow-self-service-data-access-hybrid.md).
+
+1. The **Request access** window will open. You can provide comments on why data access is requested.
+1. Select **Send** to trigger the self-service data access workflow.
+
+    > [!NOTE]
+    > If you want to request access on behalf of another user, select the checkbox **Request for someone else** and populate the email id of that user.
+
+    :::image type="content" source="./media/how-to-self-service-request-access/send.png" alt-text="Screenshot of a data asset's overview page, with the Request access window overlaid. The Send button is highlighted at the bottom of the Request access window.":::
+
+    > [!NOTE]
+    > A request access to resource set will actually submit the data access request for the folder one level up which contains all these resource set files.
+
+1. Data owners will be notified of your request and will either approve or reject the request.