Merge pull request #191697 from inward-eye/master

denrea · web-flow · commit d24614000b34 · 2022-03-15T09:24:55.000-07:00
restructured to leverage how-to-enable-data-use-governance file
diff --git a/articles/purview/how-to-enable-data-use-governance.md b/articles/purview/how-to-enable-data-use-governance.md
@@ -56,7 +56,28 @@ To disable data use governance for a source, resource group, or subscription, a
 
 1. Set the **Data use governance** toggle to **Disabled**.
 
-[!INCLUDE [Access policies generic registration](./includes/access-policies-registration-generic.md)]
+
+### Important considerations related to Data use governance
+- Make sure you write down the **Name** you use when registering in Azure Purview. You will need it when you publish a policy. The recommended practice is to make the registered name exactly the same as the endpoint name.
+- To disable a source for *Data use governance*, remove it first from being bound (i.e. published) in any policy.
+- While user needs to have both data source *Owner* and Azure Purview *Data source admin* to enable a source for *Data use governance*, either of those roles can independently disable it.
+- Disabling *Data use governance* for a subscription will disable it also for all assets registered in that subscription.
+
+> [!WARNING]
+> **Known issues** related to source registration
+> - Moving data sources to a different resource group or subscription is not yet supported. If want to do that, de-register the data source in Azure Purview before moving it and then register it again after that happens.
+> - Once a subscription gets disabled for *Data use governance* any underlying assets that are enabled for *Data use governance* will be disabled, which is the right behavior. However, policy statements based on those assets will still be allowed after that.
+
+### Data use governance best practices
+- We highly encourage registering data sources for *Data use governance* and managing all associated access policies in a single Azure Purview account.
+- Should you have multiple Azure Purview accounts, be aware that **all** data sources belonging to a subscription must be registered for *Data use governance* in a single Azure Purview account. That Azure Purview account can be in any subscription in the tenant. The *Data use governance* toggle will become greyed out when there are invalid configurations. Some examples of valid and invalid configurations follow in the diagram below:
+    - **Case 1** shows a valid configuration where a Storage account is registered in an Azure Purview account in the same subscription.
+    - **Case 2** shows a valid configuration where a Storage account is registered in an Azure Purview account in a different subscription. 
+    - **Case 3** shows an invalid configuration arising because Storage accounts S3SA1 and S3SA2 both belong to Subscription 3, but are registered to different Azure Purview accounts. In that case, the *Data use governance* toggle will only enable in the Azure Purview account that wins and registers a data source in that subscription first. The toggle will then be greyed out for the other data source.
+- If the *Data use governance* toggle is greyed out and cannot be enabled, hover over it to know the name of the Azure Purview account that has registered the data resource first.
+
+![Diagram shows valid and invalid configurations when using multiple Azure Purview accounts to manage policies.](./media/access-policies-common/valid-and-invalid-configurations.png)
+
 
 ## Next steps
 
diff --git a/articles/purview/includes/access-policies-prerequisites-storage.md b/articles/purview/includes/access-policies-prerequisites-storage.md
@@ -4,8 +4,8 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: include
-ms.date: 01/24/2022
-ms.custom: references_regions
+ms.date: 03/14/2022
+ms.custom: 
 ---
 
 ### Enable access policy enforcement for the Azure Storage account
@@ -32,8 +32,11 @@ If the output is *Registering*, wait at least 10 minutes, and then retry the com
 > - Created in the subscription **after** the feature *AllowPurviewPolicyEnforcement* is *Registered*
 
 ### Create a new Azure Storage account
-After you’ve enabled the access policy above, create new Azure Storage account(s) in one of the regions listed below:
-
-[!INCLUDE [Azure Storage specific pre-requisites](access-policies-storage-regions.md)]
-
-You can [follow this guide to create one](../../storage/common/storage-account-create.md).
+After you’ve enabled the access policy above, create new Azure Storage account(s) in one of the regions listed below. You can [follow this guide to create one](../../storage/common/storage-account-create.md).
+
+Currently, Azure Purview access policies can only be enforced in the following Azure Storage regions:
+-   France Central
+-   Canada Central
+-   East US
+-   East US2
+-   West Europe
diff --git a/articles/purview/includes/access-policies-registration-generic.md b/articles/purview/includes/access-policies-registration-generic.md
diff --git a/articles/purview/includes/access-policies-storage-regions.md b/articles/purview/includes/access-policies-storage-regions.md
diff --git a/articles/purview/index.yml b/articles/purview/index.yml
@@ -165,6 +165,12 @@ landingContent:
       links:
         - text: Self-service data access policy
           url: concept-self-service-data-access-policy.md
+    - linkListType: how-to-guide
+      links:
+        - text: Registering data sources for Data use governance
+          url: how-to-enable-data-use-governance.md
+        - text: Authoring and publishing data owner access policies
+          url: how-to-data-owner-policy-authoring-generic.md
     - linkListType: tutorial
       links:
         - text: Data owner policies for Azure Storage
diff --git a/articles/purview/toc.yml b/articles/purview/toc.yml
@@ -293,10 +293,10 @@ items:
       href: catalog-conditional-access.md
   - name: Data policies
     items:
-    - name: Authoring and publishing data owner access policies
-      href: how-to-data-owner-policy-authoring-generic.md
     - name: Registering data sources for Data use governance
       href: how-to-enable-data-use-governance.md
+    - name: Authoring and publishing data owner access policies
+      href: how-to-data-owner-policy-authoring-generic.md
     - name: Self-service data access policy
       href: concept-self-service-data-access-policy.md
     - name: View Self-service data access policy
diff --git a/articles/purview/tutorial-data-owner-policies-resource-group.md b/articles/purview/tutorial-data-owner-policies-resource-group.md
@@ -6,7 +6,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: tutorial
-ms.date: 2/3/2022
+ms.date: 3/14/2022
 ms.custom:
 ---
 
@@ -41,9 +41,7 @@ Enable the resource group or the subscription for access policies in Azure Purvi
 
 ![Image shows how to register a resource group or subscription for policy.](./media/tutorial-data-owner-policies-resource-group/register-resource-group-for-policy.png)
 
-[!INCLUDE [Access policies generic registration](./includes/access-policies-registration-generic.md)]
-
-More here on [registering a data source for Data use governance](./how-to-enable-data-use-governance.md)
+Follow this link for more information and best practices related to [registering a data resource for Data use governance](./how-to-enable-data-use-governance.md)
 
 ## Create and publish a data owner policy
 Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides security group *sg-Finance* *modify* access to resource group *finance-rg*:
diff --git a/articles/purview/tutorial-data-owner-policies-storage.md b/articles/purview/tutorial-data-owner-policies-storage.md
@@ -6,7 +6,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: tutorial
-ms.date: 03/08/2022
+ms.date: 03/14/2022
 ms.custom:
 ---
 
@@ -44,9 +44,7 @@ Enable the data source for access policies in Azure Purview by setting the **Dat
 
 ![Image shows how to register a data source for policy.](./media/tutorial-data-owner-policies-storage/register-data-source-for-policy-storage.png)
 
-[!INCLUDE [Access policies generic registration](./includes/access-policies-registration-generic.md)]
-
-More here on [registering a data source for Data use governance](./how-to-enable-data-use-governance.md)
+Follow this link for more information and best practices related to [registering a data resource for Data use governance](./how-to-enable-data-use-governance.md)
 
 ## Create and publish a data owner policy
 Execute the steps in the [data-owner policy authoring tutorial](how-to-data-owner-policy-authoring-generic.md) to create and publish a policy similar to the example shown in the image: a policy that provides group *Contoso Team* *read* access to Storage account *marketinglake1*:
