Microsoft Purview · Tenant-Level Governance

Data Governance (role group)

Tenant-level role group that grants access to data governance roles and delegates permissions for Governance Domain Creators in Unified Catalog.

Scope: Tenant-level role group enabling catalog-level role assignments

Permissions

  • Grants access to assign data governance roles within Microsoft Purview
  • Enables delegation of Governance Domain Creator role in Unified Catalog
  • Provides foundation for catalog-level permission management
  • Required prerequisite for assigning catalog-level roles
  • Access to Unified Catalog role and permission management
  • Ability to configure governance domain structures and hierarchies

Common use cases

  • Enabling data governance administrators to assign Unified Catalog roles
  • Delegating Governance Domain Creator permissions to business units
  • Setting up federated data governance model across organization
  • Managing Unified Catalog role assignments for data stewards
  • Implementing data governance hierarchy and domain structure
  • Coordinating between IT governance and business domain ownership

Best practices

  • Assign to Data Governance Officers or Chief Data Officers
  • Limit to 3-5 people responsible for governance program oversight
  • Use to delegate Governance Domain Creator role to business domain owners
  • Coordinate with Purview Administrators on overall governance strategy
  • Document governance domain structure before assigning role
  • Regular review of who has catalog-level role assignment authority
  • Establish clear policies for governance domain creation and management

Security considerations

  • Required to assign powerful catalog-level roles like Governance Domain Creator
  • Controls who can delegate data governance responsibilities
  • Should be limited to data governance program leaders
  • Does not grant direct access to data - only permission management
  • Coordinate with IT Security on role assignment policies

Common questions

When should I assign the Data Governance (role group) role?

Assign Data Governance (role group) when you need to: Enabling data governance administrators to assign Unified Catalog roles; Delegating Governance Domain Creator permissions to business units; Setting up federated data governance model across organization; Managing Unified Catalog role assignments for data stewards; and Implementing data governance hierarchy and domain structure. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Data Governance (role group) role do?

The Data Governance (role group) role grants permissions including: Grants access to assign data governance roles within Microsoft Purview; Enables delegation of Governance Domain Creator role in Unified Catalog; Provides foundation for catalog-level permission management; Required prerequisite for assigning catalog-level roles; Access to Unified Catalog role and permission management; and Ability to configure governance domain structures and hierarchies. See the Permissions section above for the full list.

What are the security risks of the Data Governance (role group) role?

Key considerations when assigning Data Governance (role group): Required to assign powerful catalog-level roles like Governance Domain Creator; Controls who can delegate data governance responsibilities; Should be limited to data governance program leaders; and Does not grant direct access to data - only permission management. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →