JoostvdLinden
Brass Contributor
Mar 12, 2024

Least permissive role to access Content Explorer in Microsoft Purview

Hi all,

 

I have a relatively simple question about Microsoft Purview permissions. Tried to find info on the web. I have raised this as a support request with Microsoft Support. But it seems to be quite a tough one. Weeks later, no solution. So, trying my luck here.

 

I want some users (non-admin) to access the Content Explorer and allow them to drill into specific Sensitive info types, find out where they reside and take action on them to eliminate the confidential data.

 

I have assigned the permission role 'Data Classification List Viewer' (role group name = Content Explorer List Viewer) to the users. However, after a couple of weeks they still cannot access the Content Explorer.

Once they try to access the Content Explorer, they receive the following error message:

Client error

It seems that you do not have the correct permissions to access this page...

 

I assume that the role group is not sufficient for the users to gain access to the Content Explorer. 

What would be the least permissive role for users to gain access to the Content Explorer and see where sensitive data resides (without them seeing the file contents)?

Thanks in advance for all help provided.

    • JoostvdLinden
      Brass Contributor

      a-James_Bell thank you for your reply.

      This role 'Insider Risk Management Investigators' didn't allow the user to access the Content Explorer in Microsoft Purview.

      I ended up assigning them the Purview role 'Information Protection Analysts'.

  • Surajpallagatti
    Copper Contributor

    Hi JoostvdLinden 

    There are two roles that grant access to content explorer, and access is granted using the Microsoft Purview compliance portal:

    • Content Explorer List viewer: Membership in this role group allows you to see each item and its location in list view. The data classification list viewer role has been pre-assigned to this role group.

    • Content Explorer Content viewer: Membership in this role group allows you to view the contents of each item in the list. The data classification content viewer role has been pre-assigned to this role group.

    You can also assign either or both of the roles to a custom role group to tailor access to content explorer.

    A Global admin can assign the necessary Content Explorer List Viewer and Content Explorer Content Viewer role group membership.

    • LiliO915
      Copper Contributor

      Surajpallagatti content explorer content viewer would give too much permission. So, it's not "least privilege".
