Tutorial: Use REST APIs to manage role-based access control on Microsoft Purview collections
In August 2021, access control in Microsoft Purview moved from Azure Identity & Access Management (IAM) (the control plane) to Microsoft Purview collections (the data plane). This change gives enterprise data curators and administrators more precise, fine-grained control over the data sources that Microsoft Purview scans. It also lets organizations audit that their data is accessed and used correctly.
This tutorial walks you through using the Microsoft Purview metadata policy APIs to add a user, group, or service principal to a collection and to manage or remove its role within that collection. The REST APIs are an alternative to the Azure portal or the Microsoft Purview governance portal for achieving the same fine-grained role-based access control.
For more information about the built-in roles in Microsoft Purview, see the Microsoft Purview permissions guide. It maps roles to the level of access granted to a user.
Metadata policy API reference summary
The following table gives an overview of the Microsoft Purview metadata policy API reference.
Note
Before you run these APIs, replace {pv-acc-name} with the name of your Microsoft Purview account. For example, if the account name is FabrikamPurviewAccount, the API endpoint becomes FabrikamPurviewAccount.purview.azure.com. The "api-version" parameter is subject to change. For the latest "api-version" and API signatures, see the Microsoft Purview metadata policy REST API documentation.
API function | REST method | API endpoint | Description |
---|---|---|---|
Read all metadata roles | GET | https://{pv-acc-name}.purview.azure.com/policystore/metadataroles?&api-version=2021-07-01 | Reads all metadata roles from the Microsoft Purview account. |
Read metadata policy by collection name | GET | https://{pv-acc-name}.purview.azure.com/policystore/collections/{collectionName}/metadataPolicy?&api-version=2021-07-01 | Reads the metadata policy by using the specified collection name (the six-character random name that Microsoft Purview generates when it creates the policy). |
Read metadata policy by policy ID | GET | https://{pv-acc-name}.purview.azure.com/policystore/metadataPolicies/{policyId}?&api-version=2021-07-01 | Reads the metadata policy by using the specified policy ID. The policy ID is in GUID format. |
Read all metadata policies | GET | https://{pv-acc-name}.purview.azure.com/policystore/metadataPolicies?&api-version=2021-07-01 | Reads all metadata policies from the Microsoft Purview account. You can pick the specific policy to work with from the JSON output list that this API produces. |
Update/PUT metadata policy | PUT | https://{pv-acc-name}.purview.azure.com/policystore/metadataPolicies/{policyId}?&api-version=2021-07-01 | Updates the metadata policy by using the specified policy ID. The policy ID is in GUID format. |
Microsoft Purview catalog collection API reference summary
The following table gives an overview of the Microsoft Purview collection APIs. For the full documentation of each API, select the API operation in the left column.
Operation | Description |
---|---|
Create or update collection | Creates or updates a collection entity. |
Delete collection | Deletes a collection entity. |
Get collection | Gets a collection. |
Get collection path | Gets the parent name and parent friendly name chains that represent the collection path. |
List child collection names | Lists the child collection names in the collection. |
List collections | Lists the collections in the account. |
To use these APIs, the service principal, user, or group that executes them must be assigned the Collection Admin role in Microsoft Purview; otherwise the call does not succeed.
For all Microsoft Purview APIs that require {collectionName}, you need the "name" (not the "friendlyName"). Replace {collectionName} with the actual six-character alphanumeric collection name string.
Note
This name is different from the friendly display name you provided when you created the collection. If you don't have {collectionName} handy, use the List Collections API and pick the six-character collection name from its JSON output.
Here is a sample JSON file:
```json
{
  "name": "74dhe7",
  "friendlyName": "Friendly Name",
  "parentCollection": {
    "type": "CollectionReference",
    "referenceName": "{your_purview_account_name}"
  },
  "systemData": {
    "createdBy": "{guid}",
    "createdByType": "Application",
    "createdAt": "2021-08-26T21:21:51.2646627Z",
    "lastModifiedBy": "7f8d47e2-330c-42f0-8744-fcfb1ecb3ea0",
    "lastModifiedByType": "Application",
    "lastModifiedAt": "2021-08-26T21:21:51.2646628Z"
  },
  "collectionProvisioningState": "Succeeded"
}
```
Policy JSON description
Here are some important identifiers in the JSON output received from the collection API:
Name: the name of the policy.
ID: the unique identifier of the policy.
Version: the latest version number of the policy.
Important
The version number increments each time the Update-Metadata-Policy API is called. Always fetch the latest copy of the policy by calling the Get-Policy-by-Policy-ID API. Perform this refresh before every call to the Update Policy (PUT) API so that you always work with the latest version of the JSON file.
DecisionRules: lists the rules and effects for this policy. For metadata policies, the effect is always "Permit".
Add or remove users in a collection or role
Use the Microsoft Purview REST APIs to add or remove a user, group, or service principal in a collection or role. Detailed API usage and sample JSON output are provided. We strongly recommend following the instructions in the subsequent sections in order, to better understand the Microsoft Purview metadata policy APIs.
Get all metadata roles
To list all available metadata access roles, run one of the following commands, depending on the portal you use:
GET https://{your_purview_account_name}.purview.azure.com/policystore/metadataroles?api-version=2021-07-01
New Microsoft Purview portal:
GET https://api.purview-service.microsoft.com/policystore/metadataroles?api-version=2021-07-01
The output JSON describes the roles and their associated permissions in the format shown below.
The default metadata roles are listed in the following table:
Role ID | Permissions | Role description |
---|---|---|
purviewmetadatarole_builtin_data-source-administrator | Microsoft.Purview/accounts/scan/read, Microsoft.Purview/accounts/scan/write, Microsoft.Purview/accounts/collection/read | Grants others the permission to read, write to a collection, register data sources, and trigger scans. |
purviewmetadatarole_builtin_collection-administrator | Microsoft.Purview/accounts/collection/read, Microsoft.Purview/accounts/collection/write | Full admin-level access to the entire collection, including adding or removing users and service principal names (SPNs) from the collection, managing permissions, and granting or revoking access. In some cases, the collection administrator may not be the creator of the collection. |
purviewmetadatarole_builtin_purview-reader | Microsoft.Purview/accounts/data/read, Microsoft.Purview/accounts/collection/read | Grants read-only access to data handling and all metadata, including classifications, sensitivity labels, insights, and reading the assets in the collection, except scan bindings. |
purviewmetadatarole_builtin_data-curator | Microsoft.Purview/accounts/data/read, Microsoft.Purview/accounts/data/write, Microsoft.Purview/accounts/collection/read | Grants full access to data handling and all metadata, including classifications, sensitivity labels, insights, and reading the assets in the collection, except scan bindings. |
purviewmetadatarole_builtin_data-share-contributor | Microsoft.Purview/accounts/share/read, Microsoft.Purview/accounts/share/write | Grants access to data shares as a contributor. |
```json
{
  "values": [
    {
      "id": "purviewmetadatarole_builtin_data-curator",
      "name": "data-curator",
      "type": "Microsoft.Purview/role",
      "properties": {
        "provisioningState": "Provisioned",
        "roleType": "BuiltIn",
        "friendlyName": "Data Curator",
        "cnfCondition": [
          [
            {
              "attributeName": "request.azure.dataAction",
              "attributeValueIncludedIn": [
                "Microsoft.Purview/accounts/data/read",
                "Microsoft.Purview/accounts/data/write",
                "Microsoft.Purview/accounts/collection/read"
              ]
            }
          ]
        ],
        "version": 1
      }
    },
    {
      "id": "purviewmetadatarole_builtin_data-source-administrator",
      "name": "data-source-administrator",
      "type": "Microsoft.Purview/role",
      "properties": {
        "provisioningState": "Provisioned",
        "roleType": "BuiltIn",
        "friendlyName": "Data Source Administrator",
        "cnfCondition": [
          [
            {
              "attributeName": "request.azure.dataAction",
              "attributeValueIncludedIn": [
                "Microsoft.Purview/accounts/scan/read",
                "Microsoft.Purview/accounts/scan/write",
                "Microsoft.Purview/accounts/collection/read"
              ]
            }
          ]
        ],
        "version": 1
      }
    },
    {
      "id": "purviewmetadatarole_builtin_collection-administrator",
      "name": "collection-administrator",
      "type": "Microsoft.Purview/role",
      "properties": {
        "provisioningState": "Provisioned",
        "roleType": "BuiltIn",
        "friendlyName": "Collection Administrator",
        "cnfCondition": [
          [
            {
              "attributeName": "request.azure.dataAction",
              "attributeValueIncludedIn": [
                "Microsoft.Purview/accounts/collection/read",
                "Microsoft.Purview/accounts/collection/write"
              ]
            }
          ]
        ],
        "version": 1
      }
    },
    {
      "id": "purviewmetadatarole_builtin_purview-reader",
      "name": "purview-reader",
      "type": "Microsoft.Purview/role",
      "properties": {
        "provisioningState": "Provisioned",
        "roleType": "BuiltIn",
        "friendlyName": "Microsoft Purview Reader",
        "cnfCondition": [
          [
            {
              "attributeName": "request.azure.dataAction",
              "attributeValueIncludedIn": [
                "Microsoft.Purview/accounts/data/read",
                "Microsoft.Purview/accounts/collection/read"
              ]
            }
          ]
        ],
        "version": 1
      }
    },
    {
      "id": "purviewmetadatarole_builtin_data-share-contributor",
      "name": "data-share-contributor",
      "type": "Microsoft.Purview/role",
      "properties": {
        "provisioningState": "Provisioned",
        "roleType": "BuiltIn",
        "friendlyName": "Data share contributor",
        "cnfCondition": [
          [
            {
              "attributeName": "request.azure.dataAction",
              "attributeValueIncludedIn": [
                "Microsoft.Purview/accounts/share/read",
                "Microsoft.Purview/accounts/share/write"
              ]
            }
          ]
        ],
        "version": 1
      }
    }
  ]
}
```
Get all metadata policies
GET https://{your_purview_account_name}.purview.azure.com/policystore/metadataPolicies?api-version=2021-07-01
New Microsoft Purview portal:
GET https://api.purview-service.microsoft.com/policystore/metadataPolicies?api-version=2021-07-01
The commands above list all available metadata policies in the entire collection hierarchy in a tree format, from the root collection at the top down to all of its child policies. Each child collection contains each of its next-level children.
Example:
```json
{
  "values": [
    {
      "name": "policy_FabrikamPurview",
      "id": "9b2f1cb9-584c-4a16-811e-9232884b5cac",
      "version": 30,
      "properties": {
        "description": "",
        "decisionRules": [
          {
            "kind": "decisionrule",
            "effect": "Permit",
            "dnfCondition": [
              [
                {
                  "attributeName": "resource.purview.collection",
                  "attributeValueIncludes": "fabrikampurview"
                },
                {
                  "fromRule": "permission:fabrikampurview",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "permission:fabrikampurview"
                }
              ]
            ]
          }
        ],
        "attributeRules": [
          {
            "kind": "attributerule",
            "id": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview",
            "name": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview",
            "dnfCondition": [
              [
                {
                  "attributeName": "principal.microsoft.id",
                  "attributeValueIncludedIn": [
                    "2f656762-e440-4b62-9eb6-a991d17d64b0",
                    "04314867-60a4-4e5a-ae16-8e5856f415d9",
                    "8988fe5c-5736-4179-9435-0a64c273b90b",
                    "6d563253-1d5b-48f2-baaa-5489f22ddce9",
                    "26f98046-5b02-4fa9-b709-e0519c658891",
                    "73fc02dc-becd-468b-a2a3-82238e722dae"
                  ]
                },
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
                },
                {
                  "attributeName": "principal.microsoft.groups",
                  "attributeValueIncludedIn": [
                    "ffd851fa-86ec-431b-95ea-8b84d5012383",
                    "cf84b126-4384-4952-91f1-7f705b25e569",
                    "5046aba1-5b81-411c-8fec-b84600f3f08b",
                    "b055a5c6-a04e-4d1a-8524-001ad81bfb28",
                    "cc194892-92fa-4ce3-96ae-1f98bef8211c"
                  ]
                }
              ]
            ]
          },
          {
            "kind": "attributerule",
            "id": "purviewmetadatarole_builtin_data-curator:fabrikampurview",
            "name": "purviewmetadatarole_builtin_data-curator:fabrikampurview",
            "dnfCondition": [
              [
                {
                  "attributeName": "principal.microsoft.id",
                  "attributeValueIncludedIn": [
                    "2f656762-e440-4b62-9eb6-a991d17d64b0",
                    "649f56ab-2dd2-40de-a731-3d3f28e7af92",
                    "c29a5809-f9ec-49fd-b762-2d4d64abb93e",
                    "04314867-60a4-4e5a-ae16-8e5856f415d9",
                    "73fc02dc-becd-468b-a2a3-82238e722dae",
                    "517a27d2-39ba-4c91-a032-dd9ecf8ad6f1",
                    "6d563253-1d5b-48f2-baaa-5489f22ddce9"
                  ]
                },
                {
                  "fromRule": "purviewmetadatarole_builtin_data-curator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_data-curator"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_data-curator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_data-curator"
                },
                {
                  "attributeName": "principal.microsoft.groups",
                  "attributeValueIncludedIn": [
                    "b055a5c6-a04e-4d1a-8524-001ad81bfb28",
                    "cc194892-92fa-4ce3-96ae-1f98bef8211c",
                    "5046aba1-5b81-411c-8fec-b84600f3f08b"
                  ]
                }
              ]
            ]
          },
          {
            "kind": "attributerule",
            "id": "purviewmetadatarole_builtin_data-source-administrator:fabrikampurview",
            "name": "purviewmetadatarole_builtin_data-source-administrator:fabrikampurview",
            "dnfCondition": [
              [
                {
                  "attributeName": "principal.microsoft.id",
                  "attributeValueIncludedIn": [
                    "2f656762-e440-4b62-9eb6-a991d17d64b0",
                    "04314867-60a4-4e5a-ae16-8e5856f415d9",
                    "517a27d2-39ba-4c91-a032-dd9ecf8ad6f1",
                    "6d563253-1d5b-48f2-baaa-5489f22ddce9"
                  ]
                },
                {
                  "fromRule": "purviewmetadatarole_builtin_data-source-administrator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_data-source-administrator"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_data-source-administrator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_data-source-administrator"
                },
                {
                  "attributeName": "principal.microsoft.groups",
                  "attributeValueIncludedIn": [
                    "b055a5c6-a04e-4d1a-8524-001ad81bfb28",
                    "cc194892-92fa-4ce3-96ae-1f98bef8211c",
                    "d34eb741-be5e-4098-90d7-eca8d4a5153f",
                    "664ec992-9af0-4773-88f2-dc39edc46f6f",
                    "5046aba1-5b81-411c-8fec-b84600f3f08b"
                  ]
                }
              ]
            ]
          },
          {
            "kind": "attributerule",
            "id": "permission:fabrikampurview",
            "name": "permission:fabrikampurview",
            "dnfCondition": [
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_purview-reader:fabrikampurview",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_purview-reader:fabrikampurview"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_data-curator:fabrikampurview",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_data-curator:fabrikampurview"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_data-source-administrator:fabrikampurview",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_data-source-administrator:fabrikampurview"
                }
              ]
            ]
          }
        ],
        "collection": {
          "type": "CollectionReference",
          "referenceName": "fabrikampurview"
        }
      }
    },
    {
      "name": "policy_b2zpf1",
      "id": "12b0bb28-2acc-413e-8fe1-179ff9cc54c3",
      "version": 0,
      "properties": {
        "description": "",
        "decisionRules": [
          {
            "kind": "decisionrule",
            "effect": "Permit",
            "dnfCondition": [
              [
                {
                  "attributeName": "resource.purview.collection",
                  "attributeValueIncludes": "b2zpf1"
                },
                {
                  "fromRule": "permission:b2zpf1",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "permission:b2zpf1"
                }
              ]
            ]
          }
        ],
        "attributeRules": [
          {
            "kind": "attributerule",
            "id": "purviewmetadatarole_builtin_collection-administrator:b2zpf1",
            "name": "purviewmetadatarole_builtin_collection-administrator:b2zpf1",
            "dnfCondition": [
              [
                {
                  "attributeName": "principal.microsoft.id",
                  "attributeValueIncludedIn": [
                    "2f656762-e440-4b62-9eb6-a991d17d64b0"
                  ]
                },
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator:ukx7pq",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:ukx7pq"
                }
              ]
            ]
          },
          {
            "kind": "attributerule",
            "id": "permission:b2zpf1",
            "name": "permission:b2zpf1",
            "dnfCondition": [
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator:b2zpf1",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:b2zpf1"
                }
              ],
              [
                {
                  "fromRule": "permission:ukx7pq",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "permission:ukx7pq"
                }
              ]
            ]
          }
        ],
        "collection": {
          "type": "CollectionReference",
          "referenceName": "b2zpf1"
        },
        "parentCollectionName": "ukx7pq"
      }
    },
    {
      "name": "policy_7wte2n",
      "id": "a72084e4-ccab-4aec-a364-08ab001e4999",
      "version": 0,
      "properties": {
        "description": "",
        "decisionRules": [
          {
            "kind": "decisionrule",
            "effect": "Permit",
            "dnfCondition": [
              [
                {
                  "attributeName": "resource.purview.collection",
                  "attributeValueIncludes": "7wte2n"
                },
                {
                  "fromRule": "permission:7wte2n",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "permission:7wte2n"
                }
              ]
            ]
          }
        ],
        "attributeRules": [
          {
            "kind": "attributerule",
            "id": "purviewmetadatarole_builtin_collection-administrator:7wte2n",
            "name": "purviewmetadatarole_builtin_collection-administrator:7wte2n",
            "dnfCondition": [
              [
                {
                  "attributeName": "principal.microsoft.id",
                  "attributeValueIncludedIn": [
                    "2f656762-e440-4b62-9eb6-a991d17d64b0"
                  ]
                },
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator",
                  "attributeName": "derived.purview.role",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
                }
              ],
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator:ukx7pq",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:ukx7pq"
                }
              ]
            ]
          },
          {
            "kind": "attributerule",
            "id": "permission:7wte2n",
            "name": "permission:7wte2n",
            "dnfCondition": [
              [
                {
                  "fromRule": "purviewmetadatarole_builtin_collection-administrator:7wte2n",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:7wte2n"
                }
              ],
              [
                {
                  "fromRule": "permission:ukx7pq",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": "permission:ukx7pq"
                }
              ]
            ]
          }
        ],
        "collection": {
          "type": "CollectionReference",
          "referenceName": "7wte2n"
        },
        "parentCollectionName": "ukx7pq"
      }
    }
  ]
}
```
Get a selected metadata policy
You can fetch the metadata policy JSON structure of a specific collection by using either of two APIs, providing {collectionName} or {PolicyID}.
As described in the following two sections, both APIs serve the same purpose, and their JSON output is identical.
Get the metadata policy of a collection by using the collection name
GET https://{your_purview_account_name}.purview.azure.com/policystore/collections/{collectionName}/metadataPolicy?api-version=2021-07-01
New Microsoft Purview portal:
GET https://api.purview-service.microsoft.com/policystore/collections/{collectionName}/metadataPolicy?api-version=2021-07-01
{your_purview_account_name} stands for the Microsoft Purview account name. Replace it with your Microsoft Purview account name.
In the JSON output of the previous API, "Get all metadata policies", look for the following section:
{ "type": "CollectionReference", "referenceName": "7xkdg2" }
Replace "{collectionName}" in the API URL with the value of "referenceName": "{6-char-collection-name}". For example, if the six-character collection name is "7xkdg2", the API URL takes the form:
https://{your_purview_account_name}.purview.azure.com/policystore/collections/7xkdg2/metadataPolicy?api-version=2021-07-01
Run the API. It returns:
```json
{
  "name": "policy_qu45fs",
  "id": "c6639bb2-9c41-4be0-912b-775750e725de",
  "version": 0,
  "properties": {
    "description": "",
    "decisionRules": [
      {
        "kind": "decisionrule",
        "effect": "Permit",
        "dnfCondition": [
          [
            {
              "attributeName": "resource.purview.collection",
              "attributeValueIncludes": "qu45fs"
            },
            {
              "fromRule": "permission:qu45fs",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "permission:qu45fs"
            }
          ]
        ]
      }
    ],
    "attributeRules": [
      {
        "kind": "attributerule",
        "id": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
        "name": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
        "dnfCondition": [
          [
            {
              "attributeName": "principal.microsoft.id",
              "attributeValueIncludedIn": [
                "2f656762-e440-4b62-9eb6-a991d17d64b0"
              ]
            },
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator",
              "attributeName": "derived.purview.role",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
            }
          ],
          [
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview"
            }
          ]
        ]
      },
      {
        "kind": "attributerule",
        "id": "permission:qu45fs",
        "name": "permission:qu45fs",
        "dnfCondition": [
          [
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:qu45fs"
            }
          ],
          [
            {
              "fromRule": "permission:fabrikampurview",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "permission:fabrikampurview"
            }
          ]
        ]
      }
    ],
    "collection": {
      "type": "CollectionReference",
      "referenceName": "qu45fs"
    },
    "parentCollectionName": "fabrikampurview"
  }
}
```
Get the metadata policy of a collection by using the policy ID
GET https://{your_purview_account_name}.purview.azure.com/policystore/metadataPolicies/{policyId}?api-version=2021-07-01
New Microsoft Purview portal:
GET https://api.purview-service.microsoft.com/policystore/metadataPolicies/{policyId}?api-version=2021-07-01
{your_purview_account_name} stands for the Microsoft Purview account name. Replace it with your Microsoft Purview account name.
In the JSON output of the previous API, "Get all metadata policies", look for the following section:
{ .... "name": "policy_qu45fs", "id": "{policy-guid}", "version": N .... }
Replace "{policyId}" in the API URL with the value of "id". For example, if "{policy-guid}" is "c6639bb2-9c41-4be0-912b-775750e725de", the API URL takes the form:
https://{your_purview_account_name}.purview.azure.com/policystore/metadataPolicies/c6639bb2-9c41-4be0-912b-775750e725de?api-version=2021-07-01
Now run the API:
Note
The output of this API call is identical to that of the previous API call. As mentioned earlier, you can use either of the two.
```json
{
  "name": "policy_qu45fs",
  "id": "c6639bb2-9c41-4be0-912b-775750e725de",
  "version": 0,
  "properties": {
    "description": "",
    "decisionRules": [
      {
        "kind": "decisionrule",
        "effect": "Permit",
        "dnfCondition": [
          [
            {
              "attributeName": "resource.purview.collection",
              "attributeValueIncludes": "qu45fs"
            },
            {
              "fromRule": "permission:qu45fs",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "permission:qu45fs"
            }
          ]
        ]
      }
    ],
    "attributeRules": [
      {
        "kind": "attributerule",
        "id": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
        "name": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
        "dnfCondition": [
          [
            {
              "attributeName": "principal.microsoft.id",
              "attributeValueIncludedIn": [
                "2f656762-e440-4b62-9eb6-a991d17d64b0"
              ]
            },
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator",
              "attributeName": "derived.purview.role",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
            }
          ],
          [
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview"
            }
          ]
        ]
      },
      {
        "kind": "attributerule",
        "id": "permission:qu45fs",
        "name": "permission:qu45fs",
        "dnfCondition": [
          [
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:qu45fs"
            }
          ],
          [
            {
              "fromRule": "permission:fabrikampurview",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "permission:fabrikampurview"
            }
          ]
        ]
      }
    ],
    "collection": {
      "type": "CollectionReference",
      "referenceName": "qu45fs"
    },
    "parentCollectionName": "fabrikampurview"
  }
}
```
Update the collection policy
PUT https://{your_purview_account_name}.purview.azure.com/policystore/metadataPolicies/{policyId}?api-version=2021-07-01
In this section, you update the policy JSON obtained in the previous step by adding or removing a user, group, or service principal in the collection. You then push it to the Microsoft Purview service by using the PUT REST method.
You follow the same API procedure whether you add or remove a user, group, or service principal.
Provide the object ID {guid} of the user, group, or service principal in the "attributeValueIncludedIn" array of the JSON.
Search the JSON output of the Get-Policy-by-ID API from the previous step for the "attributeValueIncludedIn" array, and add or remove the user, group, or service principal object ID in that array. If you're not sure how to fetch the object ID of a user, group, or service principal, see Get-MgUser.
The JSON map has a separate section for each of the four roles. For the collection administrator permission role, use the section whose ID is "purviewmetadatarole_builtin_collection-administrator". Use the corresponding section for the other roles.
To better understand the add/remove operation, compare the JSON output of the previous API with the output below. In the JSON below, we've added the user ID "3a3a3a3a-2c2c-4b4b-1c1c-2a3b4c5d6e7f" as a collection administrator.
```json
{
  "name": "policy_qu45fs",
  "id": "c6639bb2-9c41-4be0-912b-775750e725de",
  "version": 0,
  "properties": {
    "description": "",
    "decisionRules": [
      {
        "kind": "decisionrule",
        "effect": "Permit",
        "dnfCondition": [
          [
            {
              "attributeName": "resource.purview.collection",
              "attributeValueIncludes": "qu45fs"
            },
            {
              "fromRule": "permission:qu45fs",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "permission:qu45fs"
            }
          ]
        ]
      }
    ],
    "attributeRules": [
      {
        "kind": "attributerule",
        "id": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
        "name": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
        "dnfCondition": [
          [
            {
              "attributeName": "principal.microsoft.id",
              "attributeValueIncludedIn": [
                "2f656762-e440-4b62-9eb6-a991d17d64b0",
                "3a3a3a3a-2c2c-4b4b-1c1c-2a3b4c5d6e7f"
              ]
            },
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator",
              "attributeName": "derived.purview.role",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator"
            }
          ],
          [
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:fabrikampurview"
            }
          ]
        ]
      },
      {
        "kind": "attributerule",
        "id": "permission:qu45fs",
        "name": "permission:qu45fs",
        "dnfCondition": [
          [
            {
              "fromRule": "purviewmetadatarole_builtin_collection-administrator:qu45fs",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "purviewmetadatarole_builtin_collection-administrator:qu45fs"
            }
          ],
          [
            {
              "fromRule": "permission:fabrikampurview",
              "attributeName": "derived.purview.permission",
              "attributeValueIncludes": "permission:fabrikampurview"
            }
          ]
        ]
      }
    ],
    "collection": {
      "type": "CollectionReference",
      "referenceName": "qu45fs"
    },
    "parentCollectionName": "fabrikampurview"
  }
}
```
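As an added example that is not part of this tutorial or of any Purview SDK, the following Python code performs the edit described above on a constructed, trimmed copy of the policy_qu45fs document: it locates the attribute rule for a role, adds or removes an object ID in its "attributeValueIncludedIn" array, produces an audit view of the principals directly assigned to each rule, and refuses to build a PUT body from a stale copy, the rule stated in the Important note under "Policy JSON description". All function names are assumptions; the sample policy keeps only the collection administrator rule, so asking for a role the policy does not carry raises an error instead of inventing a rule.

```python
import copy

# Constructed sample: the "policy_qu45fs" document from this page, trimmed to the
# attribute rule that matters here (decisionRules and "permission:qu45fs" omitted).
COLL_ADMIN = "purviewmetadatarole_builtin_collection-administrator"
POLICY = {
    "name": "policy_qu45fs",
    "id": "c6639bb2-9c41-4be0-912b-775750e725de",
    "version": 0,
    "properties": {
        "attributeRules": [{
            "kind": "attributerule",
            "id": f"{COLL_ADMIN}:qu45fs",
            "name": f"{COLL_ADMIN}:qu45fs",
            "dnfCondition": [
                [{"attributeName": "principal.microsoft.id",
                  "attributeValueIncludedIn": ["2f656762-e440-4b62-9eb6-a991d17d64b0"]},
                 {"fromRule": COLL_ADMIN, "attributeName": "derived.purview.role",
                  "attributeValueIncludes": COLL_ADMIN}],
                [{"fromRule": f"{COLL_ADMIN}:fabrikampurview",
                  "attributeName": "derived.purview.permission",
                  "attributeValueIncludes": f"{COLL_ADMIN}:fabrikampurview"}],
            ],
        }],
        "collection": {"type": "CollectionReference", "referenceName": "qu45fs"},
        "parentCollectionName": "fabrikampurview",
    },
}


def principal_clause(policy, role_id, attribute="principal.microsoft.id"):
    """Find the clause listing principals directly assigned to role_id. Rule id is
    "<role id>:<collection name>"; users/SPNs sit under principal.microsoft.id, groups
    under principal.microsoft.groups (see the policy_FabrikamPurview sample above)."""
    rule_id = f"{role_id}:{policy['properties']['collection']['referenceName']}"
    for rule in policy["properties"]["attributeRules"]:
        if rule["id"] != rule_id:
            continue
        for conjunction in rule["dnfCondition"]:
            for clause in conjunction:
                if clause.get("attributeName") == attribute and "attributeValueIncludedIn" in clause:
                    return clause
    # A collection policy need not carry a rule for every role (policy_qu45fs has only
    # the collection administrator rule); refuse rather than invent a rule shape.
    raise KeyError(f"no {attribute} clause found in rule {rule_id}")


def set_assignment(policy, role_id, object_id, add=True, group=False):
    """Return a copy with object_id added to / removed from the role; idempotent."""
    edited = copy.deepcopy(policy)
    attribute = "principal.microsoft.groups" if group else "principal.microsoft.id"
    members = principal_clause(edited, role_id, attribute)["attributeValueIncludedIn"]
    if add and object_id not in members:
        members.append(object_id)
    elif not add and object_id in members:
        members.remove(object_id)
    return edited


def assignments(policy):
    """Audit view, {rule id: sorted object IDs}, of every directly assigned principal."""
    out = {}
    for rule in policy["properties"]["attributeRules"]:
        for clause in (c for conj in rule["dnfCondition"] for c in conj):
            if clause.get("attributeName", "").startswith("principal.microsoft."):
                out.setdefault(rule["id"], set()).update(clause["attributeValueIncludedIn"])
    return {rule_id: sorted(ids) for rule_id, ids in out.items()}


def put_body(latest, edited):
    """Refuse to PUT an edit built on a stale copy: the version must match the latest GET."""
    if edited["version"] != latest["version"]:
        raise ValueError(f"stale edit: version {edited['version']} != {latest['version']}")
    return edited
```

The dict that put_body returns is the request body for PUT .../policystore/metadataPolicies/{policyId}; comparing assignments(before) with assignments(after) is the review step before sending it.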
Add a root collection administrator role
By default, the user who creates the Microsoft Purview account is the root collection administrator (the administrator of the topmost level of the collection hierarchy). In some cases, however, an organization may need to change the root collection administrator by using the API.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Purview/accounts/{accountName}/addRootCollectionAdmin?api-version=2021-07-01
To run the command above, just pass the object ID of the new root collection administrator. As mentioned earlier, the object ID can be that of any user, group, or service principal.
{"objectId": "{guid}"}
Note
The user calling this API must have Owner or User Access Administrator (UAA) permissions on the Microsoft Purview account to perform a write operation on the account.
More resources
You can optionally use the PowerShell utility to run the Microsoft Purview REST APIs. It can be easily installed from the PowerShell Gallery. With this utility you can run all the same commands, but from Windows PowerShell.