Microsoft Purview · Unified Catalog Governance

Governance Domain Reader

Read governance domain metadata for published domains they are added to.

Scope: Read access to assigned governance domain including drafts

Permissions

  • View published and draft metadata within assigned domain
  • Access unpublished data products and concepts
  • View domain configuration and settings (read-only)
  • See all domain content including work-in-progress
  • Required base role for data quality and profile sub-roles

Common use cases

  • Domain team members who need visibility into work-in-progress
  • Quality assurance reviewers validating domain content
  • Base role for data profile and quality reader roles
  • Contributors who need domain visibility without edit permissions
  • External consultants reviewing domain structure
  • Auditors assessing domain governance implementation

Best practices

  • Assign to domain team members who need full visibility
  • Required base role for data quality and profiling sub-roles
  • Use as stepping stone before granting Data Product Owner role
  • Assign to external consultants or auditors as needed
  • Time-limit assignments for temporary team members
  • Combine with Global or Local Catalog Reader for broader access

Security considerations

  • Can see unpublished and draft content within domain
  • More visibility than Global Catalog Reader in assigned domain
  • Read-only role with minimal security concerns
  • May reveal work-in-progress and domain strategy

Common questions

When should I assign the Governance Domain Reader role?

Assign Governance Domain Reader when you need to: Domain team members who need visibility into work-in-progress; Quality assurance reviewers validating domain content; Base role for data profile and quality reader roles; Contributors who need domain visibility without edit permissions; and External consultants reviewing domain structure. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Governance Domain Reader role do?

The Governance Domain Reader role grants permissions including: View published and draft metadata within assigned domain; Access unpublished data products and concepts; View domain configuration and settings (read-only); See all domain content including work-in-progress; and Required base role for data quality and profile sub-roles. See the Permissions section above for the full list.

What are the security risks of the Governance Domain Reader role?

Key considerations when assigning Governance Domain Reader: Can see unpublished and draft content within domain; More visibility than Global Catalog Reader in assigned domain; Read-only role with minimal security concerns; and May reveal work-in-progress and domain strategy. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →