Set Up Roles and Permissions in Microsoft Purview

Imagine this: a new data analyst joins your team. They need access to explore data assets but shouldn’t be able to change sensitive classifications. Without proper roles and permissions, they could either be blocked from doing their work—or worse, accidentally gain access to things they shouldn’t see.

That’s where roles and permissions in Microsoft Purview come in. Setting them up correctly is one of the most important steps in building secure, scalable data governance. Let’s walk through how to do it right.

Why Roles and Permissions Matter

  • Security: Protect sensitive data by limiting access.
  • Governance: Ensure users only perform actions tied to their responsibilities.
  • Scalability: Manage access efficiently across large teams and datasets.

Think of roles in Purview as guardrails—they don’t slow users down, but they keep everyone safe on the road.

Step 1: Understand the Key Roles in Purview

Microsoft Purview combines Azure role-based access control (RBAC) with Purview-specific roles. Here are the most common ones:

Role Description
Purview Administrator Full access to manage the Purview account.
Data Curator Can create and manage collections, glossary terms, and classifications.
Data Reader Can browse and search the catalog but cannot make changes.
Collection Administrator Manages access and assets within a specific collection.

💡 Tip: Use Azure RBAC for broad account-level permissions, and Purview-specific roles for finer control inside the catalog.

Step 2: Assign Roles Using Azure Portal

To assign roles:

  1. Go to the Azure Portal.
  2. Navigate to your Purview account.
  3. Select Access Control (IAM).
  4. Click + Add > Add role assignment.
  5. Choose the appropriate role (e.g., Purview Administrator).
  6. Select the user or group and click Save.

⚠️ Common mistake: Assigning roles directly to individuals. Instead, use Azure AD groups—it makes managing permissions much easier as teams grow.

Step 3: Use Collections for Granular Access Control

Collections let you organize data assets and assign roles more precisely.

  • Navigate to Purview Studio.
  • Go to Management > Collections.
  • Create a new collection or select an existing one.
  • Assign Collection Admins or Data Readers for targeted access.

💡 Example: Your Finance team can be assigned access only to the “Finance Collection,” while HR has access to their own collection—no crossover risk.

Step 4: Verify Access and Test Permissions

After setting roles:

  • Log in as the user (or use test accounts) to confirm their view.
  • Check whether they can browse, edit, or manage assets according to their role.
  • Review Activity Logs in Azure for an audit trail of changes.

Best Practices

  • Apply the principle of least privilege—give the minimum access necessary.
  • Use Azure AD groups for role assignments instead of individuals.
  • Set up a quarterly audit to review who has access to what.
  • Document your access control strategy as part of your governance framework.
  • Remove access quickly during off-boarding to avoid security gaps.

Troubleshooting Tips

  • User can’t see Purview at all? → Check if they have an Azure RBAC role at the account level.
  • User can log in but can’t browse assets? → Verify their Purview-specific role (e.g., Data Reader).
  • User has too much access? → Confirm they’re not part of a group with higher-level roles.

Conclusion

Setting up roles and permissions in Microsoft Purview is more than a checkbox—it’s the backbone of secure, scalable data governance. By combining Azure RBAC with Purview-specific roles, you can balance security with usability.

Your next step: Review who currently has access in your Purview account. Are the right people in the right roles?

middle belt blog

Related Post