What role does the data curator play

Role-based access control on the data plane of Azure Purview

  • 4 minutes to read

This article describes how to implement role-based access control (RBAC) at the data plane of Azure Purview.

Important

The principal who created a Purview account automatically receives all data-level permissions. This applies regardless of which data-level roles may already exist for the principal. In order for other users to be able to take steps in Azure Purview, they must have at least one of the predefined data-plane roles.

Azure Purview predefined data tier roles

Azure Purview defines a set of predefined data tier roles that can be used to control what users can access in Azure Purview. The following roles are available:

  • Role "data reader for Purview" : Has access to the Purview portal and can read all content in Azure Purview, with the exception of scan connections.
  • "Azure Purview Data Curator" role : Has access to the Purview portal and can read all content in Azure Purview (with the exception of scan connections), edit information on resources as well as classification definitions and glossary terms, and apply classifications and glossary terms to resources.
  • "Data source administrator for Purview" role : Does not have access to the Purview portal (the user must also have the role of “data reader” or “data curator”) and can manage all aspects of data review in Azure Purview, but has no read or write access to the content in Azure Purview that goes beyond verifying.

Understanding how to use the Azure Purview data tier roles

When creating an Azure Purview account, the creator is treated as having both the role of “Data Curator for Purview” and the role of “Data Source Administrator for Purview”. However, the account creator is not assigned to these roles in the role store. Azure Purview recognizes that the principal is the creator of the account and exposes these capabilities based on their identity.

All other users can only use the Azure Purview account if they are assigned at least one of these roles. This means that once an Azure Purview account has been created, only the creator can access the account and use its APIs until the users have been assigned at least one of the predefined roles.

Note that the Purview Data Source Administrator role has two supported scenarios. The first scenario is intended for users who are already a data reader or data curator for Purview and who also need authorization to create reviews. These users must have two roles, namely at least one of the two roles “Data reader for Purview” and “Data curator for Purview” as well as the role of “Data source administrator for Purview”.

The other scenario for "Data Source Administrator for Purview" is for programmatic processes; B. Service principals who should be able to set up and monitor reviews but not have access to the catalog data.

This scenario can be implemented by assigning the Data Source Administrator for Purview role to the service principal without having either of the other two roles. The principal does not have access to the Purview portal. This is not a problem because it is a programmatic principal that only communicates through APIs.

Assigning roles to users

The first thing to do after creating an Azure Purview account is to assign users the roles.

Role assignment is managed through Azure's role-based access control (RBAC).

Roles for users can only be assigned through two built-in control plane roles in Azure: either Owner or User Access Administrator. So in order for users to have these roles for Azure Purview, they must either contact an owner, user access administrator, or hold one of these roles themselves.

Example of assigning a user to a role

  1. Navigate to https://portal.azure.com and then your Azure Purview account.
  2. On the left, click Access Control (IAM).
  3. Then follow these general instructions.

Role Definitions and Actions

A role is defined as a collection of actions. For more information on defining roles, see here. The role definitions for the Azure Purview roles can be found here.

Achieving addition to a data tier role in an Azure Purview account

If you want access to an Azure Purview account so that you can use the Studio feature or call its APIs, you must be added to an Azure Purview data-tier role. This can only be done by someone who is an owner or user access administrator of the Azure Purview account. For most users, the next step is then to contact a local administrator who can name the right people to grant access.

Users who have access to the company's Azure portal can find the Azure Purview account they want to join, click the associated Access Control (IAM) tab, and identify the owner or user access administrator. However, please note the following: In some cases, Azure Active Directory groups or service principals may be used as owners or user access administrators, who may not be able to be contacted directly. Instead, you need to contact an administrator.

Who should be assigned which role?

User scenarioSuitable roles
I just need to be able to find resources and don't want to do any editsRole "data reader for Purview"
I have to edit information about resources, insert appropriate classifications, assign glossary entries for them, etc.Role "data curator for Purview"
I need to edit the glossary or set up new classification definitionsRole "data curator for Purview"
The service principal of my application needs to push data to Azure PurviewRole "data curator for Purview"
I need to set up reviews through Purview's studio featureRole "data source administrator for Purview" and at least the role of "data reader for Purview" or "data curator for Purview"
I need to enable a service principal or other programmatic identity to set up and monitor reviews in Azure Purview without the programmatic identity having access to the catalog information"Data source administrator for Purview" role
I need to assign roles to users in Azure Purview"Owner" or "User Access Administrator"

For more information on adding a security principal to a role, see the Quickstart: Create an Azure Purview Account.

Next Steps