Microsoft Purview · Data Map Collections

Policy Author

Create, view, update, and delete data access policies through the Microsoft Purview Data Policy feature for Azure data sources.

Scope: Data access policies for registered data sources with policy enforcement enabled

Permissions

  • Create data owner policies for Azure SQL, Storage, and other supported sources
  • View and update existing data access policies
  • Delete policies that are no longer needed
  • Configure policy subjects (users, groups, service principals)
  • Define policy access permissions (Read, Modify)
  • Manage policy scope (resource group, subscription, specific assets)
  • Publish policies (requires Data Source Administrator role)

Common use cases

  • Implementing centralized access management for Azure data sources
  • Creating self-service data access policies for governed data products
  • Managing permissions for Azure SQL, ADLS Gen2, Azure Storage accounts
  • Delegating access provisioning from resource owners to the data governance team
  • Implementing data mesh access patterns with federated policy authoring
  • Temporarily granting access for projects without changing Azure RBAC

Best practices

  • Combine with Data Source Administrator role for full policy lifecycle management
  • Document business justification for each policy creation
  • Use groups rather than individual users in policy subjects
  • Regularly audit active policies and remove unnecessary ones
  • Coordinate with Azure RBAC owners before enabling policy enforcement
  • Test policies in non-production before applying to production sources
  • Monitor policy enforcement logs for access patterns and issues
  • Establish approval workflows for sensitive data access policies

Security considerations

  • Can grant data access permissions that bypass traditional Azure RBAC
  • Policy enforcement can affect existing access patterns and workflows
  • Must coordinate with resource owners and security teams
  • Policies take precedence over traditional Azure role assignments
  • Monitor policy changes through audit logs for compliance
  • Ensure data owners understand policy impact before enablement
  • Deleting the Microsoft Purview account can affect policy enforcement
  • Use Azure Resource Manager locks to prevent accidental account deletion
