sashakorniakUK
Dec 10, 2025

Purview Data Map – Proposed Domain & Collection Structure

Microsoft Purview Data Map – Proposed Domain & Collection Structure

This proposed Microsoft Purview Data Map domain and collection structure ensures that users responsible for specific data assets can be granted precisely scoped permissions—particularly for updating metadata—by mapping Business Units, Departments, Teams, and environments in a clear hierarchy that allows RBAC inheritance to assign the right level of access to the right people.

Domain Name

Data Catalogue
(Short, clear, governance-aligned name to avoid UI truncation and scripting issues.)

Collection Path

Data Catalogue → Business Units → Departments → Teams → [Prod | Non-Prod]

  • Level 1: Business Units
  • Level 2: Departments (within each Business Unit)
  • Level 3: Teams (within each Department)
  • Optional: Environment segregation under Teams (Prod / Non-Prod)

Reasons & Requirements

1. Domain Naming
  • Short, clear name avoids UI truncation and scripting issues. Detailed descriptions stored in metadata; name remains simple for automation and future-proofing.
2. Structure Alignment

Alignment with organisational charts and unified governance hierarchy:

  • Business Units → Departments → Teams

Provides intuitive navigation and meaningful context for users.

3. Hierarchy Depth

Limited to 4–5 levels for usability and RBAC inheritance. Avoids unnecessary complexity while maintaining clarity.

4. Environment Handling

Prod / Non-Prod split under Teams for simplicity. Additional environments only if governance differs significantly.

5. RBAC & Ownership
  • Permissions align with organisational roles.
  • Supports the principle of least privilege.
6. Scanning & Policy
  • Scans assigned at Team level for precise governance.
  • Policies inherit from higher levels for consistency.
  • Selective scanning preferred for cost efficiency.
7. Best Practice Compliance

Matches Microsoft guidance: short names, shallow hierarchy, environment segregation. Clear distinction between governance path and technical hierarchy.

Role Assignment in Collections

Data Curator Role

Designed for users who:

  • Edit and update metadata.
  • Manage business context for assets within the collection.

Assign to:

  • Data Owners (Directorate level).
  • Data Stewards (Team level).
  • Data Product Owners / Asset Managers (for their own assets).

Why at Collection Level?

RBAC in Purview inherits down the collection hierarchy:

  • Assign at Team collection → edit metadata for all assets in that Team.
  • Assign at Group or Directorate level → edit metadata for all child collections.
  • Ensures least privilege and ownership-based editing.

Best Practice

  • Read-only roles (Data Reader) applied broadly for transparency.
  • Data Curator scoped to the lowest level where the user has responsibility (usually Team).
  • Avoid assigning Data Curator at the root unless absolutely necessary.
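
The inheritance rule and the Best Practice points in the post above can be checked mechanically. The following is an added example, not part of the original post and not a Purview API: it models the collection tree in memory, with constructed collection names and principals, and lists Data Curator assignments made above Team level together with how many collections each one reaches.

```python
# In-memory model only; no Purview API is called. All names are constructed.
PARENT = {  # child collection -> parent collection (the root domain has None)
    "Data Catalogue": None,
    "Finance BU": "Data Catalogue",
    "Accounting Dept": "Finance BU",
    "Payables Team": "Accounting Dept",
    "Payables Prod": "Payables Team",
    "Payables Non-Prod": "Payables Team",
    "Treasury Team": "Accounting Dept",
}
ASSIGNMENTS = [  # (principal, role, collection where the role is assigned)
    ("everyone@example.org", "Data Reader", "Data Catalogue"),
    ("steward@example.org", "Data Curator", "Payables Team"),
    ("owner@example.org", "Data Curator", "Finance BU"),
    ("admin@example.org", "Data Curator", "Data Catalogue"),
]
TEAM_DEPTH = 3  # Data Catalogue (0) -> Business Unit (1) -> Department (2) -> Team (3)

def lineage(collection):
    """The collection followed by each of its ancestors up to the root."""
    chain = []
    while collection is not None:
        chain.append(collection)
        collection = PARENT[collection]
    return chain

def scope(collection):
    """Every collection an assignment made here reaches through inheritance."""
    return sorted(c for c in PARENT if collection in lineage(c))

def effective_roles(principal, collection):
    """Roles a principal holds on a collection, directly or inherited from above."""
    return {role for p, role, at in ASSIGNMENTS
            if p == principal and at in lineage(collection)}

def audit_curators():
    """Data Curator assignments above Team level, flagged for review with their reach."""
    findings = []
    for principal, role, at in ASSIGNMENTS:
        level = len(lineage(at)) - 1
        if role != "Data Curator" or level >= TEAM_DEPTH:
            continue
        label = "root" if level == 0 else "above-team"
        findings.append((principal, at, label, len(scope(at))))
    return findings

if __name__ == "__main__":
    for finding in audit_curators():
        print(finding)
```
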