Microsoft Purview · Data Map Collections

Policy Author

Create, view, update, and delete data access policies through Microsoft Purview Data Policy feature for Azure data sources.

Scope: Data access policies for registered data sources with policy enforcement enabled

Permissions

  • Create data owner policies for Azure SQL, Storage, and other supported sources
  • View and update existing data access policies
  • Delete policies that are no longer needed
  • Configure policy subjects (users, groups, service principals)
  • Define policy access permissions (Read, Modify)
  • Manage policy scope (resource group, subscription, specific assets)
  • Publish policies (requires Data Source Administrator role)

Common use cases

  • Implementing centralized access management for Azure data sources
  • Creating self-service data access policies for governed data products
  • Managing permissions for Azure SQL, ADLS Gen2, Azure Storage accounts
  • Delegating access provisioning from resource owners to data governance team
  • Implementing data mesh access patterns with federated policy authoring
  • Temporarily granting access for projects without changing Azure RBAC

Best practices

  • Combine with Data Source Administrator role for full policy lifecycle management
  • Document business justification for each policy creation
  • Use groups rather than individual users in policy subjects
  • Regular audit of active policies and remove unnecessary ones
  • Coordinate with Azure RBAC owners before enabling policy enforcement
  • Test policies in non-production before applying to production sources
  • Monitor policy enforcement logs for access patterns and issues
  • Establish approval workflows for sensitive data access policies

Security considerations

  • Can grant data access permissions that bypass traditional Azure RBAC
  • Policy enforcement can affect existing access patterns and workflows
  • Must coordinate with resource owners and security teams
  • Policies take precedence over traditional Azure role assignments
  • Monitor policy changes through audit logs for compliance
  • Ensure data owners understand policy impact before enablement
  • Deletion of Microsoft Purview account can affect policy enforcement
  • Use Azure Resource Manager locks to prevent accidental account deletion

Common questions

When should I assign the Policy Author role?

Assign Policy Author when you need to: Implementing centralized access management for Azure data sources; Creating self-service data access policies for governed data products; Managing permissions for Azure SQL, ADLS Gen2, Azure Storage accounts; Delegating access provisioning from resource owners to data governance team; and Implementing data mesh access patterns with federated policy authoring. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Policy Author role do?

The Policy Author role grants permissions including: Create data owner policies for Azure SQL, Storage, and other supported sources; View and update existing data access policies; Delete policies that are no longer needed; Configure policy subjects (users, groups, service principals); Define policy access permissions (Read, Modify); and Manage policy scope (resource group, subscription, specific assets). See the Permissions section above for the full list.

What are the security risks of the Policy Author role?

Key considerations when assigning Policy Author: Can grant data access permissions that bypass traditional Azure RBAC; Policy enforcement can affect existing access patterns and workflows; Must coordinate with resource owners and security teams; and Policies take precedence over traditional Azure role assignments. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →