
Microsoft Purview data owner policy for storage



Guest Amber-Data
Posted

Microsoft Purview data owner policies let users manage access to different data systems from a central data governance platform, Microsoft Purview. In this blog we introduce how to use Microsoft Purview to manage storage access.

Prerequisites

  • Check that the Azure storage account's region is on the supported-region list.
  • Configure the Azure subscription with the AllowPurviewPolicyEnforcement feature.
  • Register the storage account for Data Use Management in Microsoft Purview.
  • Assign the Policy author role to create, update, and delete data owner policies; the Data source admin role can publish a policy.


Steps to create a data owner policy for Blob storage

  1. The first step is to check that the region is on the current region support list in the following document: Region support
  2. Then configure the subscription that hosts the Azure storage account; refer to How to configure the subscription
    # Install the Az module
    Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

    # Sign in to the subscription
    Connect-AzAccount -Subscription <SubscriptionID>

    # Register the feature
    Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage

    After running the PowerShell script above, you will see the RegistrationState show as “Registered”.

    Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage

    FeatureName                   ProviderName      RegistrationState
    -----------                   ------------      -----------------
    AllowPurviewPolicyEnforcement Microsoft.Storage Registered
  3. Register the Blob storage account for Data Use Management in Microsoft Purview.
  4. Create a data owner policy. In this policy I granted read permission to my principal on the “permissiontest” sub-container folder.
  5. Test that my principal has permission to access the “permissiontest” folder using a PowerShell script.
    az storage blob list --account-name stftapurviewdemo --container permissiontest --auth-mode login
    [
      {
        "container": "permissiontest",
        "content": "",
        "deleted": null,
        "encryptedMetadata": null,
        "encryptionKeySha256": null,
        "encryptionScope": null,
        "hasLegalHold": null,
        "hasVersionsOnly": null,
        "immutabilityPolicy": {
          "expiryTime": null,
          "policyMode": null
    ...
    When you remove the access, the following message shows that the permission is required, as expected.
    You do not have the required permissions needed to perform this operation.
    Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Contributor"
    "Storage Blob Data Reader"
    "Storage Queue Data Contributor"
    "Storage Queue Data Reader"
    "Storage Table Data Contributor"
    "Storage Table Data Reader"
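
As an added example (not part of the original post), the following PowerShell script ties steps 2 and 5 together from a verifier's point of view: it registers the feature, polls Get-AzProviderFeature until the state is actually Registered rather than Registering, and then checks the effect of the policy with the signed-in Azure AD identity through the Az.Storage module instead of the az CLI shown above. The storage account name and the "permissiontest" container come from the post; the subscription id placeholder and the "notinpolicy" control container (a container the policy does not cover) are assumptions.

```powershell
# Added example, not the post's own script. Registers the preview feature, waits
# until it is Registered, then verifies that the Purview data owner policy grants
# read on the intended container and not on a container outside the policy.
param(
    [string]$SubscriptionId   = '<SubscriptionID>',     # placeholder, replace with your subscription id
    [string]$StorageAccount   = 'stftapurviewdemo',     # storage account name from the post
    [string]$AllowedContainer = 'permissiontest',       # container covered by the policy (from the post)
    [string]$ControlContainer = 'notinpolicy'           # assumed: a container the policy does not cover
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Step 2: feature registration is asynchronous. The first call usually reports
# "Registering", so poll until the state flips to Registered (or give up).
Register-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage | Out-Null
$deadline = (Get-Date).AddMinutes(15)
do {
    $feature = Get-AzProviderFeature -FeatureName AllowPurviewPolicyEnforcement -ProviderNamespace Microsoft.Storage
    if ($feature.RegistrationState -eq 'Registered') { break }
    Start-Sleep -Seconds 20
} while ((Get-Date) -lt $deadline)
if ($feature.RegistrationState -ne 'Registered') {
    throw "Feature is still in state '$($feature.RegistrationState)' after 15 minutes"
}

# Step 5: test effective access with the signed-in identity (-UseConnectedAccount),
# i.e. Azure AD authorization, the same mode as "--auth-mode login" in the post.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount

function Test-ContainerRead {
    # Returns $true when listing the container succeeds, $false on an
    # authorization failure, and rethrows any other error (e.g. a missing container).
    param([string]$Container)
    try {
        $null = Get-AzStorageBlob -Container $Container -Context $ctx -ErrorAction Stop
        return $true
    } catch {
        if ($_.Exception.Message -match '403|AuthorizationPermissionMismatch|not authorized') {
            return $false
        }
        throw
    }
}

$allowedRead = Test-ContainerRead -Container $AllowedContainer
$controlRead = Test-ContainerRead -Container $ControlContainer

"{0,-20} read allowed: {1}  (expected True)"  -f $AllowedContainer, $allowedRead
"{0,-20} read allowed: {1}  (expected False)" -f $ControlContainer, $controlRead

# Least-privilege check: the policy must grant exactly the intended scope.
if (-not $allowedRead) { throw "Read on '$AllowedContainer' was denied; the policy is not effective" }
if ($controlRead)      { throw "Read on '$ControlContainer' succeeded; the policy is broader than intended" }
```

The script fails loudly in both directions: a denied read on the permitted container (which also happens while a newly published policy has not yet taken effect) and an allowed read on the control container, so it can be rerun after every policy change as a regression check rather than inspected by eye.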

Enjoy!