Microsoft Purview Roles for Data Consumers in a Data Mesh & Data Democratisation Environment
Reformatted Discussion for Community Feedback
Recommended Microsoft Purview Roles for Data Consumers in a Data Mesh & Data Democratisation Environment
I’m seeking guidance on whether the following set of Microsoft Purview roles is appropriate for typical data consumers within a Data Mesh-aligned organisation. The approach aims to support data democratisation while maintaining least-privilege access.
Data consumers (all users) would be placed into a dedicated security group assigned to these roles, ensuring they have the best possible search experience across the Microsoft Purview Unified Catalog, Data Map, and Data Health features.
Unified Catalog Settings
Global Catalog Reader
Provides read-only visibility of all catalogued assets across the organisation. This role supports governance, compliance, and data discovery without granting modification rights.
Using Global Catalog Reader simplifies onboarding and improves usability by giving users a consistent view of published business concepts and data products across all governance domains. Without it, visibility must be managed domain by domain through roles such as Governance Domain Reader or Local Catalog Reader, which increases administrative effort and limits discoverability. Sensitive domains can still apply additional scoped roles where required.
Data Health Reader
Allows users to view data health metrics such as completeness, freshness, and anomaly indicators. This supports data stewards, quality teams, and analysts in monitoring reliability without the ability to change data or rules.
Unified Catalog Governance Domain Roles
Data Quality Reader
Provides insight into data quality rules and results within a governance domain. Useful for users who need to understand quality issues or compliance status without editing capabilities.
Data Profile Reader (Conditional)
Enables access to profiling information such as distributions, null counts, and detected patterns.
However, profiling data may reveal sensitive information, so this role is best reserved for trusted analysts or stewards rather than being broadly granted to all data consumers.
Data Map Role Assignments
Data Reader
Grants read-only access to metadata and lineage across the data map. This transparency is important for impact assessments, understanding dependencies, and supporting governance processes.
Insights Reader
Provides access to Purview Insights dashboards, including usage statistics, scanning activity, and classification trends. This role is typically valuable for managers or governance leads monitoring adoption and compliance.
Summary
Together, these roles aim to give data consumers the access they need for discovery, quality awareness, and understanding lineage, without exposing sensitive data or granting any capability to modify assets. The intention is to follow least-privilege practice while enabling meaningful self-service analytics.