Important
This article covers Microsoft Purview data governance permissions in the new Microsoft Purview portal using Microsoft Purview Unified Catalog.
- If using the classic Data Catalog, see governance permissions for the classic Data Catalog.
- For data governance permissions in the classic Microsoft Purview portal, see permissions in the classic Microsoft Purview governance portal.
Microsoft Purview data governance has two solutions in the Microsoft Purview Portal: Data Map and Unified Catalog. These solutions use tenant/organizational-level permissions, existing data access permissions, and ___domain/collection permissions to provide users access to governance tools and data assets.
Which permissions are available depends on your Microsoft Purview account type.
Check your account type
Check to see whether your organization has the free or enterprise type of account. To check your account type, go to the Microsoft Purview portal, select the Settings card. Under Account, view your Account type.
Important
For users newly created in Microsoft Entra ID, it might take some time for permissions to propagate even after correct permissions have been applied.
Permissions in the enterprise version
All users can view data assets for available sources where they have at least Read permissions already. Users who are owners can manage the metadata for assets where they have at least Owner/Write permissions already. Learn more about Azure roles.
Permissions types
- Tenant/organization permissions: Assigned at the organizational level, they provide general and administrative permissions.
- Unified Catalog permissions: Allow users to browse Unified Catalog and build out their data governance solutions.
- Data Map ___domain and collection level permissions: Permissions in Data Map that grant access to data assets in Microsoft Purview.
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Tenant level role groups
Assigned at the organizational level, tenant level role groups provide general and administrative permissions for both Microsoft Purview Data Map and Unified Catalog. If you're managing your Microsoft Purview account or your organization's data governance strategy, you probably need to belong to one or more of these role groups:
- Purview Administrators
- Data Source Administrators
- Data Governance
View descriptions of these roles.
For a full list of all available roles and role groups, not just for data governance, see roles, and role groups in the Microsoft Defender XDR and Microsoft Purview portals.
How to assign and manage role groups
A user must hold the Role management role in order to add users or groups to a Microsoft Purview role group. For instructions on assigning and managing roles in Microsoft Purview, see permissions in Microsoft Purview.
Unified Catalog permissions
There are three levels of permissions to allow users to access information in Unified Catalog:
Data governance tenant level: A tenant/organizational-level role group that has the Data Governance Admin role. That role delegates the first level of access for Governance Domain Creators. (This role isn't surfaced in Unified Catalog, but affects your ability to assign permissions in Unified Catalog.)
Catalog level permissions: Permissions to grant ownership to governance domains and access to health management.
Governance ___domain level permissions: Permissions to access and manage resources inside specific governance domains.
Permissions to search the full Unified Catalog
No specific permissions are needed in Unified Catalog to search the Unified Catalog. However, a search only returns the data assets that you have permission to view in Data Map. Users can find a data asset in Unified Catalog when:
- The user searches data products in a governance ___domain where they have catalog reader permissions.
- The user has data reader permissions on a ___domain or collection in Data Map where the asset is stored.
- The user has at least Read permissions on an available Azure or Microsoft Fabric resource.
Important
Users who already have Read permissions in Azure might have access to assets in Unified Catalog that you didn't intend for them to have. If you don't want them to have such access, you need to remove their permissions.
Permissions to these assets are managed at the resource level and at the Data Map level, respectively.
If your catalog is well-curated, day-to-day business users shouldn't need to search the full catalog. They should be able to find data they need in data products. For more information about setting up the Unified Catalog, see get started with data governance, and plan for Unified Catalog.
Catalog level permissions
Catalog level permissions provide only high-level access within Unified Catalog and comprise these roles:
- Governance Domain Creator
- Global Catalog Reader
- Data Health Owner
- Data Health Reader
View descriptions of these roles.
How to assign catalog level roles
- Sign in to the Microsoft Purview portal using credentials for an admin account that is assigned the Data Governance role.
- Go to Settings and select Unified Catalog.
- Select Roles and permissions.
- Select Governance Domain Creators or another role, then select the add user icon.
- Search for the user you want to add, then select the user.
- Select Save.
Governance ___domain level permissions
Governance ___domain permissions provide access within a specific governance ___domain. These permissions should be granted to data experts and business users to read and manage objects within the governance ___domain. Governance ___domain permissions can only be granted by a user holding the Governance ___domain owner role.
View the list of these roles and descriptions.
Tip
It's important for the Governance ___domain owner role to be held by a user in your organization who runs data governance or Unified Catalog. This role is an essential one for building entities such as governance domains, data products, and glossary terms. We recommend that you have at least two people assigned as governance ___domain owners.
How to assign governance ___domain roles
A user needs to be a Governance Domain Owner in the governance ___domain in order to assign governance ___domain roles. This role is assigned by Data Governance Administrators, or Governance Domain Creators.
Governance ___domain roles are assigned under the Roles tab in a governance ___domain. For instructions on assigning roles, see how to manage governance domains.
Important
Be sure you understand the difference between the two Catalog Reader roles:
- Global Catalog Reader allows the user to access any governance ___domain, and all published concepts contained within domains.
- Local Catalog Reader greatly reduces access to governance domains. When you assign a user to this role within a governance ___domain, no other user in your organization can access that ___domain. This role is helpful when, for example, you need to limit access to a governance ___domain to meet regulatory or legal requirements. However, overuse of this role hinders a federated approach to data governance. A user with this role can also hold roles that grant them other permissions to view or manage assets in Unified Catalog.
Unified Catalog roles
Note
Data observability uses the same roles as the rest of the Unified Catalog. Catalog Readers can't access the broader Data Observability explorer view in data estate health; they can only view published concepts. Data Stewards, Data Product Owners, Governance Domain Owners, and Governance Domain Creators have access to data observability views both for the concepts they can view and in the data health management view, which enables broader exploration across the full data estate.
Permission level | Role | Description |
---|---|---|
Tenant | Data Governance role group | Grants access to data governance roles within Microsoft Purview. |
Tenant | Data Source Administrators role group | Manage data sources and data scans in the Microsoft Purview Data Map. |
Tenant | Purview Administrators role group | Create, edit, and delete domains and perform role assignments. |
Catalog | Data Governance Administrator | Delegates the first level of access for Governance Domain Creators and other catalog level permissions. |
Catalog | Data Health Owner | Can create, update, and read artifacts in the Health management area of Unified Catalog. |
Catalog | Data Health Reader | Can read artifacts in the Health management area of Unified Catalog. |
Catalog | Global Catalog Reader | Can read published artifacts across governance domains that don't have a Local Catalog Reader specified. |
Catalog | Governance Domain Creator | Can create domains and delegate governance ___domain owner (or remains governance ___domain owner by default). |
Governance ___domain | Data Product Owner* | Can create, update, and read data products only within their governance ___domain. Can read and build relationships with concepts in governance domains. |
Governance ___domain | Data Profile Reader | Has access to browse data profile insights and can drill down into the profiling results to browse column-level statistics. This is a sub-role that requires the user to also hold the Governance Domain Reader role and either the Global Catalog Reader or Local Catalog Reader role. |
Governance ___domain | Data Profile Steward | Can run data profiling jobs and access profiling insight details. This role can also browse all data quality insights and monitor profiling jobs. This role can't create rules and can't run data quality scanning. This is a sub-role that requires the user to also hold the Governance Domain Reader and Data Product Owner roles. |
Governance ___domain | Data Quality Metadata Reader | Can browse data quality insights (except column-level profiling results), data quality rule definitions, and rule-level scores. This role can't access error records and can't run profiling or data quality scanning jobs. This is a sub-role that requires the user to also hold the Governance Domain Reader role and either the Global Catalog Reader or Local Catalog Reader role. |
Governance ___domain | Data Quality Reader | Can browse all data quality insights and data quality rule definitions. This role can't run data quality scanning or data profiling jobs, and can't access column-level data profiling insights. This is a sub-role that requires the user to also hold the Governance Domain Reader role and either the Global Catalog Reader or Local Catalog Reader role. |
Governance ___domain | Data Quality Steward | Can use data quality features such as data quality rule management, data quality scanning, browsing data quality insights, data quality scheduling, job monitoring, and configuring thresholds and alerts. This is a sub-role that requires the user to also hold the Governance Domain Reader and Data Product Owner roles. |
Governance ___domain | Data Steward* | Can create, update, and read artifacts and policies within their governance ___domain. Can also read artifacts from other governance domains. |
Governance ___domain | Governance Domain Owner | Can delegate all other governance ___domain permissions, configure ___domain level data quality scan alerts, set up a ___domain level schedule for the data quality scanning job, and set ___domain level access policies. |
Governance ___domain | Governance Domain Reader | Can read governance ___domain metadata for published domains they are added to. |
Governance ___domain | Local Catalog Reader | Can read published concepts only in the governance ___domain they're granted access to. Because this role greatly limits the scope of who can access and manage data, it's recommended to limit use of this role so that you can better utilize a federated approach to data governance. |
*To be able to add data assets to a data product, Data Product Owners and Data Stewards also need Data Map permissions to read those data assets in Data Map.
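The two rules in this table that most often surprise administrators are the interaction between Global Catalog Reader and Local Catalog Reader (a single Local Catalog Reader assignment fences a ___domain off from every Global Catalog Reader) and the sub-roles that are inert unless their companion roles are also held. The following Python model, added here as an illustration and not part of Microsoft Purview or its API, encodes just those two rules from the table and the Important callout above so you can check a planned set of assignments before applying them in the portal. The users, ___domain names, and the `CatalogAssignments` class are constructed for the example; the role names are the ones used on this page.

```python
from dataclasses import dataclass, field

# Role names as they appear on this page
GLOBAL_CATALOG_READER = "Global Catalog Reader"
LOCAL_CATALOG_READER = "Local Catalog Reader"
GOVERNANCE_DOMAIN_READER = "Governance Domain Reader"
DATA_PRODUCT_OWNER = "Data Product Owner"

# Sub-roles from the roles table and the roles their holder must also hold.
# Each inner set is one prerequisite slot; any member of the set satisfies it.
SUBROLE_PREREQUISITES = {
    "Data Profile Reader": [{GOVERNANCE_DOMAIN_READER}, {GLOBAL_CATALOG_READER, LOCAL_CATALOG_READER}],
    "Data Profile Steward": [{GOVERNANCE_DOMAIN_READER}, {DATA_PRODUCT_OWNER}],
    "Data Quality Metadata Reader": [{GOVERNANCE_DOMAIN_READER}, {GLOBAL_CATALOG_READER, LOCAL_CATALOG_READER}],
    "Data Quality Reader": [{GOVERNANCE_DOMAIN_READER}, {GLOBAL_CATALOG_READER, LOCAL_CATALOG_READER}],
    "Data Quality Steward": [{GOVERNANCE_DOMAIN_READER}, {DATA_PRODUCT_OWNER}],
}


@dataclass
class CatalogAssignments:
    """Planned role assignments for one tenant (constructed model, not a Purview API)."""
    catalog_roles: dict = field(default_factory=dict)   # catalog-level role -> set of users
    domain_roles: dict = field(default_factory=dict)    # ___domain -> role -> set of users

    def grant_catalog(self, role, user):
        self.catalog_roles.setdefault(role, set()).add(user)

    def grant_domain(self, ___domain, role, user):
        self.domain_roles.setdefault(___domain, {}).setdefault(role, set()).add(user)

    def roles_in_domain(self, ___domain, user):
        """Domain-level roles the user holds, plus Global Catalog Reader if held at catalog level."""
        held = {role for role, users in self.domain_roles.get(___domain, {}).items() if user in users}
        if user in self.catalog_roles.get(GLOBAL_CATALOG_READER, set()):
            held.add(GLOBAL_CATALOG_READER)
        return held


def can_read_published(assignments, user, ___domain):
    """Read access to a ___domain's published concepts through the two Catalog Reader roles.

    Per the page: once any Local Catalog Reader is assigned in a ___domain, only those
    users read it through a reader role; Global Catalog Readers are fenced out.
    """
    local_readers = assignments.domain_roles.get(___domain, {}).get(LOCAL_CATALOG_READER, set())
    if local_readers:
        return user in local_readers
    return user in assignments.catalog_roles.get(GLOBAL_CATALOG_READER, set())


def missing_prerequisites(assignments, user, ___domain):
    """Sub-roles the user holds in the ___domain whose required companion roles are absent.

    Returns {sub_role: ["A or B", ...]}, one string per unsatisfied prerequisite slot.
    """
    held = assignments.roles_in_domain(___domain, user)
    gaps = {}
    for sub_role, slots in SUBROLE_PREREQUISITES.items():
        if sub_role not in held:
            continue
        unmet = [" or ".join(sorted(slot)) for slot in slots if not (slot & held)]
        if unmet:
            gaps[sub_role] = unmet
    return gaps


def build_sample():
    """Constructed assignments: the users and domains are invented for illustration."""
    plan = CatalogAssignments()
    plan.grant_catalog(GLOBAL_CATALOG_READER, "alice")
    plan.grant_domain("Finance", LOCAL_CATALOG_READER, "bob")        # fences the Finance ___domain
    plan.grant_domain("Sales", GOVERNANCE_DOMAIN_READER, "carol")
    plan.grant_domain("Sales", "Data Quality Steward", "carol")       # lacks Data Product Owner
    plan.grant_domain("Sales", "Data Quality Reader", "dave")         # lacks both prerequisites
    return plan


if __name__ == "__main__":
    sample = build_sample()
    for user, ___domain in [("alice", "Sales"), ("alice", "Finance"), ("bob", "Finance"), ("bob", "Sales")]:
        print(f"{user} reads published concepts in {___domain}: {can_read_published(sample, user, ___domain)}")
    for user in ("carol", "dave"):
        print(f"{user} in Sales is missing: {missing_prerequisites(sample, user, 'Sales')}")
```

Running the sample shows alice, a Global Catalog Reader, reading Sales but not Finance once bob is made Finance's Local Catalog Reader, and it flags carol's Data Quality Steward and dave's Data Quality Reader assignments as incomplete. The model only covers the reader roles and sub-role prerequisites; management roles such as Governance Domain Owner and Data Steward, and the Data Map permissions the footnote above requires for adding assets, are outside it.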
Data Map permissions
Data Map uses a set of predefined roles to control who can access what within the account. Domains and collections are tools used by Data Map to group assets, sources, and other artifacts into a hierarchy for discoverability, and to manage access control within Data Map.
Find a description of each role and learn how to add roles and restrict access through collections.
For more detailed information about the roles available in collections, see who should be assigned what roles or the collections example.
Tip
If you're a data steward or data product owner for Unified Catalog, it's a good idea to have Data Map permissions as well.
Data asset lifecycle example
To understand how permissions work between Data Map and Unified Catalog, review the table below on the full lifecycle of an Azure SQL table in the environment:
Step | Role | Permission level |
---|---|---|
1. The Azure SQL Database is registered in Data Map | Data Source Administrator | Data Map |
2. The Azure SQL Database is scanned in Data Map | Data Curator or Data Source Administrator | Data Map |
3. The Azure SQL table is curated and certified | Data Curator | Data Map |
4. A governance ___domain is created in the Microsoft Purview Account | Governance Domain Creator | Catalog |
5. A data product is created in the governance ___domain | Governance Domain Owner and/or Data Product Owner | Governance ___domain |
6. The Azure SQL table is added as an asset to the data product | Data Product Owner and/or Steward | Governance ___domain |
7. An access policy is added to the data product | Data Product Owner and/or Steward | Governance ___domain |
8. A user searches Unified Catalog, looking for data assets that match their needs | Asset permissions or data reader permission | Asset permissions or Data Map permissions |
9. A user searches data products, looking for a product that matches their needs | Global Catalog Reader | Catalog |
10. A user requests access to the resources in the data product | Global Catalog Reader | Catalog |
11. A user views Data Health Insights to track the health of their Data Catalog | Data Health Reader | Catalog |
12. A user wants to develop a new report to track data health progress in their catalog | Data Health Owner | Catalog |