Microsoft Purview Data Policy for SQL DevOps access provisioning now in public preview

Published Tuesday, May 24, 2022

Discovering the right data and getting timely and compliant access to data are huge problems for modern enterprises. The Microsoft Purview Data Catalog already addresses the data discovery problem. Microsoft Purview Data Policy is the next leap in this journey. It brings a business user friendly policy authoring experience and ambient enforcement for data sources.

Microsoft Purview Data Policy covers three different scenarios – first, a business data owner can provision access to data through an intuitive authoring experience. We further extended this technology to greatly enhance self-service data access by automatically provisioning access for specific supported data sources. Now, we have enabled devops policy to manage system data at scale for Azure SQL DB and SQL Server 2022.

Data owner policies

Microsoft Purview Data Policy enables data engineers and owners to provision access to data assets using a simple, intuitive authoring experience. In the current public preview, Microsoft Purview Data Policy can be authored and enforced on Azure Blobs and Azure Data Lake (Gen2).

The enforcement is embedded in the data source and always applied to the data, regardless of the client tools or APIs used. For example, a policy that allows read access to a data set containing inventory data to all finance analysts in a group. This policy will enable a member of that finance analyst group to generate a PowerBI report from the inventory dataset, and another user to run an Azure Synapse Spark workload against that dataset.

Self-service data access with automated provisioning

The Microsoft Purview Data Catalog enables data consumers to discover assets. From there, it’s often a long and manual process to obtain business approvals and provision access to data. It’s not uncommon to have to wait for days, if not weeks, before one can use the data. The self-service request workflow with auto provisioning helps to significantly reduce the complexity and delays in getting access to data.

When a data consumer discovers an interesting dataset, they can request access to that data. For the data sources where Microsoft Purview Data Policy is supported (currently Azure Storage), Microsoft Purview will provision, upon business approval, the access by automatically generating the relevant data policy. Check out more about the self service access for hybrid data estate.

SQL DevOps access provisioning

Today, we are excited to announce that an administrator can grant access to DBA or devops users on system metadata in one or more Azure SQL DB instances and in SQL Server 2022. The devops users can access the various system metadata views that are commonly used for performance monitoring or security auditing tasks. Instead of creating separate grant statements for each system view on every Azure SQL DB instance and in SQL Server 2022, this capability will allow the admins to create only one policy rule and make it effective for all current and future Azure SQL DB instances and in SQL Server 2022 in the given Azure subscription or resource group, as seen below: