Microsoft Purview · Unified Catalog Governance
Local Catalog Reader
Read published concepts only in assigned governance domain. Limits federated access for regulatory requirements.
Scope: Published content in assigned governance domain only
Permissions
- View published data products in assigned domain only
- Access published glossary terms within domain
- Search and discover data within domain boundaries
- Request access to data products in assigned domain
- Blocked from viewing other domains unless explicitly granted access
Common use cases
- Regulatory isolation for HIPAA, GDPR, or other compliance domains
- Highly confidential domains requiring access restrictions
- Geographic data residency requirements
- Third-party contractors with limited scope access
- Vendor access to specific domain only
- Legal or compliance domains with confidentiality requirements
Best practices
- Use sparingly - hinders federated governance approach
- Document regulatory or legal justification for restriction
- Prefer Global Catalog Reader for most users
- Use for HIPAA, GDPR, or other regulated data domains
- Combine with Data Map collection permissions for access control
- Regular review of necessity - remove restriction when no longer needed
- Consider if technical controls (Azure RBAC) are more appropriate
Security considerations
- Breaks federated governance model by creating silos
- Use only when legally or regulatorily required
- Overuse creates data silos and reduces collaboration
- May need for contractors or third parties
- Does not restrict access to underlying data (needs Data Map controls)
- Published-only access - more restrictive than Governance Domain Reader
Common questions
When should I assign the Local Catalog Reader role?
Assign Local Catalog Reader when you need to: Regulatory isolation for HIPAA, GDPR, or other compliance domains; Highly confidential domains requiring access restrictions; Geographic data residency requirements; Third-party contractors with limited scope access; and Vendor access to specific domain only. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Local Catalog Reader role do?
The Local Catalog Reader role grants permissions including: View published data products in assigned domain only; Access published glossary terms within domain; Search and discover data within domain boundaries; Request access to data products in assigned domain; and Blocked from viewing other domains unless explicitly granted access. See the Permissions section above for the full list.
What are the security risks of the Local Catalog Reader role?
Key considerations when assigning Local Catalog Reader: Breaks federated governance model by creating silos; Use only when legally or regulatorily required; Overuse creates data silos and reduces collaboration; and May need for contractors or third parties. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.