Microsoft Purview · Data Map Collections

Data Source Administrator

Manage data sources and scans within assigned collections, including registration, scanning, and credential management.

Scope: Data sources and scans within assigned collections

Permissions

  • Register data sources in assigned collections
  • Create and manage scans for registered data sources
  • Run scans using existing scan rules
  • Configure scan schedules and triggers
  • Manage scan credentials and authentication methods
  • Monitor scan status and history
  • Create new scan rules (requires Data Reader or Data Curator role)
  • Manage self-hosted integration runtime connections
  • Publish data access policies (when combined with Policy Author role)

Common use cases

  • Registering departmental data sources for metadata discovery
  • Configuring automated scan schedules for data freshness
  • Managing credentials for data source connectivity
  • Troubleshooting scan failures and connectivity issues
  • Implementing scanning for new data sources as they are deployed
  • Coordinating with IT on network access and firewall rules
  • Managing service principal or managed identity authentication

Best practices

  • Use Managed Identity (MSI) for Azure data sources when possible
  • Store credentials in Azure Key Vault, not inline in scans
  • Test scans with limited scope before full production rollout
  • Schedule scans during off-peak hours to minimize impact
  • Monitor scan history and address failures promptly
  • Document data source registration rationale and ownership
  • Coordinate with Data Curators on scan rule customization needs
  • Use incremental scans when available to reduce processing time
  • Implement tagging strategy to organize registered sources

Security considerations

  • Access to data source connection information and credentials
  • Scanning can impact source system performance if misconfigured
  • Service accounts for scanning should have read-only permissions
  • Credential security is critical - use Key Vault and least privilege
  • Coordinate with network security on private endpoint usage
  • Monitor for unauthorized data source registrations
  • Combined with Policy Author, can create data access policies

Common questions

When should I assign the Data Source Administrator role?

Assign Data Source Administrator when you need to: Registering departmental data sources for metadata discovery; Configuring automated scan schedules for data freshness; Managing credentials for data source connectivity; Troubleshooting scan failures and connectivity issues; and Implementing scanning for new data sources as they are deployed. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Data Source Administrator role do?

The Data Source Administrator role grants permissions including: Register data sources in assigned collections; Create and manage scans for registered data sources; Run scans using existing scan rules; Configure scan schedules and triggers; Manage scan credentials and authentication methods; and Monitor scan status and history. See the Permissions section above for the full list.

What are the security risks of the Data Source Administrator role?

Key considerations when assigning Data Source Administrator: Access to data source connection information and credentials; Scanning can impact source system performance if misconfigured; Service accounts for scanning should have read-only permissions; and Credential security is critical - use Key Vault and least privilege. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →