Configure and manage Microsoft Purview Unified Catalog access policies

Important

This article explains how to set access policies on business concepts including governance domains, data products, critical data elements, and glossary terms, and to manage access requests. If you would like to request access to a data product, follow this article to request access.

This article describes how you can manage access to your data products and set up a system to provide access to users who request it.

What does access to a data product give you? Permissions to the data product and permissions to the data assets inside.

In this article you'll learn:

Permissions

  1. To view and manage policies at the governance domain level, governance domain owner permissions are needed.
  2. To view and manage policies at the data product level, data product owner permissions are needed.
  3. To view and manage policies in data products or glossary terms, data steward permissions are needed.
  4. Unified Catalog readers can view and request access to data products.
  5. Managers and privacy approvers of access requests also need to have a minimum of Unified Catalog reader to be able to use the Unified Catalog and approve requests as part of the tiered approval.

Considerations

In this experience, request approvers must provide access to the individual data assets manually as part of the approval process, or specify an access provider to do so.

The policies such as attestations (including the no copy attestation), aren't enforced in the product. The data consumer attests that they'll follow these policies while requesting access.

Set up data product access policies

To build access policies, in most situations you'll need data product owner or data steward permissions.

Tip

Your data product needs to be in an unpublished state to manage access policies.

  1. In the Microsoft Purview portal, open Unified Catalog.
  2. Select the Catalog management dropdown and select Data products.
  3. Select a data product.
  4. On the data product page, select Manage policies.
  5. From the policy configuration window, you're able to create and manage your data product's access policy.

Configure data product access policies

In the Manage policies window, you can view and edit the default values assigned to the default set of data product access policies. The selected values affect what the data consumers see on their access request form and actions they need to take.

  1. Under the Permitted access drop-down, add your usage purposes, which are the authorized purposes for accessing and using the data product. There are three values provided by default for which you can edit the description and add other purposes that the consumer will choose from in the request access form.
  2. Under the Approval requirements drop down, determine if manager approval or a privacy and compliance review is required.

    Note

    If selected, the access request form will show that a manager approver or a privacy and compliance review is required. The consumer’s manager in Microsoft Entra ID will be notified for the first tier of approval. The privacy reviewer named by the consumer in the request form will be notified for their approval. The request will first be reviewed by manager, followed by the privacy reviewer, and then by the access request approvers for approval and granting of access. The optional access provider tier will be last, if selected. The request status is final only when all configured levels of approval are complete.

  3. Under the Approval requirements drop down, in Access request approvers, select the users that will need to approve the access request. The first approver to take action will approve the request and proceed to grant access to the data assets manually, record the status of access provisioned at each asset, and specify data access instructions or comments to the data consumer. By default, data product owners are populated and more approvers can be added. You can also add Microsoft Entra ID groups or security groups as approvers and approvers can see detailed status in the request view.
  4. An optional tier called Access provider can be set explicitly to grant access to the data assets manually, record the status of access provisioned at each asset, and specify data access instructions or comments to the data consumer. This practice ensures the data consumer is aware of the next steps they can take to access and use the data.
  5. Under Attestations, determine if copies of the data are permitted. The attestations are reflected on the access request form for the consumer to attest to.
  6. If terms of use are present on a data product, those will also be reflected on the access request form for the consumer to attest to.
  7. Add any more attestations by selecting Add attestation and adding a display name and the file location. These are reflected on the request access form for the consumer to attest to.
  8. If there are policies inherited from the governance domain, critical data element, or glossary term, you can see in the Inherited policies tab. See the following section in this document for details: Policies on governance domains and glossary terms (inherited policies).
  9. Select Preview request form to see what users see when they request access.
  10. Select Save changes to save the access policy for the governance domain.

Policies on governance domains, glossary terms, and critical data elements (inherited policies)

Policies can be set on governance domains, glossary terms, and critical data elements. Data products in the governance domain, or data products that have glossary terms or critical data elements applied will inherit and aggregate the policies.

You can see the inherited policies in the data product manage policies view, in a separate tab called Inherited policies. You can see the aggregated view by selecting the Preview button. Your data consumers will see this aggregated view when they request access.

For example, if a manager approval policy is set on a glossary term applied to the data product, the manager approval is now also required for the data product. Any attestation set on a business concept (governance domain, data product, glossary term, or critical data element) are aggregated on the data product, and the data consumer will attest to all required attestations when requesting access.

To build access policies on governance domains, glossary terms, or critical data elements, you'll need governance domain owner or data steward permissions.

  1. In the Microsoft Purview portal, open Unified Catalog.
  2. Select the Catalog management dropdown and select Governance domains.
  3. Select a governance domain.
  4. On the governance domain page, select Manage policies.
  5. Alternately on a glossary term or critical data element page, select Manage policies.
  6. From the Policy configuration window, you're able to create and manage relevant access policies.

Configure inherited policies

In the Manage policies window, you can view and manage the default set of access policies on each business concept. The selected values affect what the data consumers see on their access request form and actions they need to take.

  1. Determine if manager approval is required. The data consumer’s manager, configured in Microsoft Entra ID, will be notified as first tier of approval. If the request is approved, the request will proceed to the next tier.
  2. Determine if copies of the data are permitted. This selection is reflected on the access request form for the consumer to attest to.
  3. Add any more attestations you would like by selecting Add attestation and adding a display name and the file location. These attestations are reflected on the request access form for the consumer to attest to.

Manage or respond to access requests

  1. In the Microsoft Purview portal, open Unified Catalog.
  2. Select the Catalog management dropdown and select Requests.
  3. In the status column of the governance domain table, you can sort by any domains that have open access requests.
  4. Select the governance domain that you want to manage access requests for.
  5. On the access requests tab, you can see a list of the most recent access requests.
  6. You can select the access request you want to respond to.
  7. View the details submitted by the consumer.
  8. Select Approve or Deny.
  9. If you're the last approver in the sequence of approvers (a data product access request approver or an explicit access provider), you should also record the status of access provisioned at each asset and specify data access instructions or comments to the data consumer. This practice ensures the data consumer is aware of the next steps they can take to access and use the data.
  10. The data consumer will be notified once the request is responded to.
  11. The requestor will be notified via email and can also view the status on the Microsoft Purview Unified Catalog Discovery drop-down, Data products page, in the My data access tab.

Respond to access requests through email notification

  1. In the email received as a request to approve an access request, select the Approval request link.
  2. You'll be brought to the request detail view in Requests page in the Catalog management dropdown in the Microsoft Purview Unified Catalog.
  3. View the details submitted by the consumer.
  4. Select Approve or Deny.
  5. If you're the last approver in the sequence of approvers; a data product access request approver or an explicit access provider, you should also record the status of access provisioned at each asset and specify data access instructions or comments to the data consumer. This ensures the data consumer is aware of the next steps they can take to access and use the data.
  6. The data consumer will be notified once the request is responded to.
  7. The requestor will be notified via email and can also view the status on the Microsoft Purview Unified Catalog Data product search page, in the My data access tab.

Sequential or tiered approvals and request statuses

As noted in the section to manage policies on data product, depending on the approver selections made, a sequential, or tiered approval is in effect. The following sequence is maintained for data product access request approvals.

  1. If manager approval is selected, the consumer’s manager in Microsoft Entra will be notified for the first tier of approval.
  2. Only after the manager approves the request, the privacy reviewer if selected will be notified for their approval or would be able to take action.
  3. Once approved by the privacy reviewer, the access request approver will be notified for approval and provisioning of access to the data assets in the data product. This tier will approve and complete the request if there's no access provider specified, else they'll only approve.
  4. If there's a last tier of access provider specified, then that is the tier who would provision access to the data assets and record the status and instructions for data consumer. They'll complete the request. Complete will be the final status.
  5. The workflow proceeds until the last approval and completion occurs or the first denial occurs.
  6. The data consumer is only notified after all theirs have taken their respective actions.
  7. At any point the data consumer can see the status of the request in the Microsoft Purview Unified Catalog Discovery drop-down, Data products page, in the My data access tab.
  8. A request status can go from pending to declined or pending to approved and then to completed.