Last week, I shared a blog post about Azure Purview access management around common tasks your organization needs to perform in the Azure control plane. In this post I continue the Access Management topic in Azure Purview and cover the following items:
- What Azure Purview roles are needed to manage Azure Purview. You will see these roles are used inside Azure Purview Studio.
- Overview of Azure Purview built-in roles.
As a reminder, Azure operations can be divided into two categories: control plane and data plane:
- You can use the control plane to manage resources in your subscription. For Azure Purview, you need to perform some operations at the control plane, such as deploying an Azure Purview Account or creating secrets in an Azure Key Vault resource. The common dashboard for the control plane is Azure Portal. Review my previous post to learn what roles and tasks are needed in your Azure Subscription to implement an Azure Purview Account and set up access permissions.
- You can use the data plane to use capabilities exposed by your instance of a resource type, for example reading data inside an Azure Storage Account or managing data assets inside a Purview Account. The common tool to manage Azure Purview through data plane is Azure Purview Studio.
In this post we will take a look at Azure Purview roles in data plane and talk about common tasks each role can perform!
What are Azure Purview roles?
Azure Purview provides the following data plane roles:
- Purview Data Reader
- Purview Data Curator
- Purview Data Source Administrator + Data Reader
- Purview Data Source Administrator + Data Curator
Purview Data Reader
This Azure Purview role is intended for people such as Data Officers, Data Stewards and Chief Security Officers who require read-only access to the data estate, such as classifications and lineage, through the search options and reports that are available in Azure Purview.
Common tasks the Purview Data Reader role can perform:
- View Insight Reports.
- Search and view data assets but cannot change anything.
- Access Azure Purview Studio and read all content in Azure Purview except for scan bindings.
- Use Knowledge Center, Browse Assets, View glossary and View Insights.
What does Purview Data Reader role see in Azure Purview Studio home page?
Search capability inside Azure Purview Data Catalog:
Purview Data Readers can search through the Azure Purview data catalog and apply filters such as glossary terms, classifications and sensitivity labels to narrow the results. They can view the data assets but cannot modify them.
Lineage capability in Azure Purview Studio:
Can view lineage.
Insights Reports in Azure Purview Studio:
Can view all Insights reports.
Purview Data Curator
This role can be suitable for Data Engineers and Data Architects who may need to manage assets, configure custom classifications, set up glossary terms and additionally use the search and Insights capabilities as Data Readers.
Key tasks Purview Data Curators can perform:
- Edit classification on data assets and manage classification rules.
- Manage glossary terms.
- Apply glossary terms to assets.
- Configure Azure Purview Collection. (should be combined with Purview Data Source Administrator)
What does Purview Data Curator role see in Azure Purview Studio home page?
Access to Management Center in Azure Purview to configure advanced settings such as Custom Classifications.
You may notice that you cannot directly manage Azure Purview roles from the Management Center in Azure Purview Studio! You have to use Azure Portal or Azure Resource Manager supported methods to configure access management.
Data Curators can manage glossary terms, manage term templates, import new terms and modify existing ones.
Purview Data Source Administrator
A member of the Purview Data Source Administrator role alone does not have any access in Azure Purview Studio. However, assigning this role along with either Purview Data Reader or Purview Data Curator makes the role very powerful:
- Purview Data Source Administrator + Purview Data Reader is suitable for Data Protection Officers, Data Owners.
- Purview Data Source Administrator + Purview Data Curator is suitable for Data Engineers and Data Scientists.
What does Purview Data Curator + Data Source Administrator see in Azure Purview Studio home page?
Manage Collection and register data sources:
You need these two roles to manage your collection and register new data sources in Azure Purview Studio.
Scan data sources:
View scan history and initiate new scans.
Data Source Administrators + Data Curator can manage Azure Purview through Management Center and then can manage classifications, set up scan rules and configure credentials.
Data Source Administrators can view Insights Reports if they are also given either the Data Reader or the Data Curator role.
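The role combinations described above lend themselves to a periodic access review. The following is an added example, not code from the original post or from Microsoft: it groups role assignments per principal and flags a lone Data Source Administrator and the Data Source Administrator + Data Curator combination. The sample data, the principal names and the access labels are constructed for illustration; the input is assumed to have the shape of `az role assignment list -o json` output.

```python
import json
from collections import defaultdict

READER = "Purview Data Reader"
CURATOR = "Purview Data Curator"
SOURCE_ADMIN = "Purview Data Source Administrator"
PURVIEW_ROLES = {READER, CURATOR, SOURCE_ADMIN}

# Constructed sample, shaped like `az role assignment list -o json` output
# for the Purview account scope (only the two fields used here).
SAMPLE = json.loads("""[
  {"principalName": "dpo@contoso.example",      "roleDefinitionName": "Purview Data Reader"},
  {"principalName": "dpo@contoso.example",      "roleDefinitionName": "Purview Data Source Administrator"},
  {"principalName": "steward@contoso.example",  "roleDefinitionName": "Purview Data Reader"},
  {"principalName": "scan-svc@contoso.example", "roleDefinitionName": "Purview Data Source Administrator"},
  {"principalName": "eng@contoso.example",      "roleDefinitionName": "Purview Data Curator"},
  {"principalName": "eng@contoso.example",      "roleDefinitionName": "Purview Data Source Administrator"},
  {"principalName": "ops@contoso.example",      "roleDefinitionName": "Owner"}
]""")

def effective_access(roles):
    """Collapse one principal's Purview roles into the access the article describes."""
    base = "curator" if CURATOR in roles else "reader" if READER in roles else None
    if SOURCE_ADMIN not in roles:
        return base
    # Source Administrator on its own gives no access in Purview Studio.
    return f"source-admin+{base}" if base else "no-studio-access"

def review(assignments):
    """Return {principal: (access, finding)}; finding is '' when nothing stands out."""
    roles_by_principal = defaultdict(set)
    for a in assignments:
        if a["roleDefinitionName"] in PURVIEW_ROLES:  # skip control-plane roles such as Owner
            roles_by_principal[a["principalName"]].add(a["roleDefinitionName"])
    notes = {
        "no-studio-access": "Data Source Administrator alone: add Reader or Curator, or remove",
        "source-admin+curator": "can manage sources, scans and credentials: confirm the need",
    }
    findings = {}
    for principal, roles in sorted(roles_by_principal.items()):
        access = effective_access(roles)
        findings[principal] = (access, notes.get(access, ""))
    return findings

if __name__ == "__main__":
    for principal, (access, finding) in review(SAMPLE).items():
        print(f"{principal:28} {access:22} {finding}")
```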
Summary and next steps:
We covered what roles and tasks are needed to manage and use Azure Purview in the data plane.
- Get started now and create your Azure Purview account!
- Define roles and responsibilities to manage and gain visibility across your data estate using Azure Purview. Learn more about Azure Purview Roles.
- We would love to hear your feedback and know how Azure Purview helped your organization. Please provide us your feedback.
In my next post I will explain what roles and tasks are needed to extend your Microsoft 365 Sensitivity Labels to Azure Purview.