Microsoft Purview · Unified Catalog Governance
Governance Domain Reader
Read governance domain metadata for published domains they are added to.
Scope: Read access to assigned governance domain including drafts
Permissions
- View published and draft metadata within assigned domain
- Access unpublished data products and concepts
- View domain configuration and settings (read-only)
- See all domain content including work-in-progress
- Required base role for data quality and profile sub-roles
Common use cases
- Domain team members who need visibility into work-in-progress
- Quality assurance reviewers validating domain content
- Base role for data profile and quality reader roles
- Contributors who need domain visibility without edit permissions
- External consultants reviewing domain structure
- Auditors assessing domain governance implementation
Best practices
- Assign to domain team members who need full visibility
- Required base role for data quality and profiling sub-roles
- Use as stepping stone before granting Data Product Owner role
- Assign to external consultants or auditors as needed
- Time-limit assignments for temporary team members
- Combine with Global or Local Catalog Reader for broader access
Security considerations
- Can see unpublished and draft content within domain
- More visibility than Global Catalog Reader in assigned domain
- Read-only role with minimal security concerns
- May reveal work-in-progress and domain strategy
Common questions
When should I assign the Governance Domain Reader role?
Assign Governance Domain Reader when you need to: Domain team members who need visibility into work-in-progress; Quality assurance reviewers validating domain content; Base role for data profile and quality reader roles; Contributors who need domain visibility without edit permissions; and External consultants reviewing domain structure. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Governance Domain Reader role do?
The Governance Domain Reader role grants permissions including: View published and draft metadata within assigned domain; Access unpublished data products and concepts; View domain configuration and settings (read-only); See all domain content including work-in-progress; and Required base role for data quality and profile sub-roles. See the Permissions section above for the full list.
What are the security risks of the Governance Domain Reader role?
Key considerations when assigning Governance Domain Reader: Can see unpublished and draft content within domain; More visibility than Global Catalog Reader in assigned domain; Read-only role with minimal security concerns; and May reveal work-in-progress and domain strategy. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.