Security, Compliance, and Identity Blog

Data Policy features: Accessing data when folder level permission is granted

Blesson_John, Microsoft
Feb 05, 2022

In the earlier blog, Data Policy features: Accessing data when file level permission is granted (Microsoft Tech Community), we looked at how users can work with files when file-level access is granted. This blog explains how to access data when permission is granted at the folder level using Azure Purview's Data Policy features.

After a data source is registered for Data use governance, the policy author role within Azure Purview will be able to create policies in the policy management interface. Here the user, Alice, is granted read access to the Customer folder in ADLS Gen 2 storage.

Alice will not be able to browse to the asset using the Azure Portal or Storage Explorer if the only permission granted is read/modify access at the folder level of a storage account.

This allows organizations not only to secure data perimeters but also to grant users the minimum access required to work with datasets.

When file- or folder-level access is granted, the user can open the file in the Azure Synapse Analytics workspace. The approach is similar to the one described in the Data Policy features: Accessing data when file level permission is granted - Microsoft Tech Community blog.

However, folder-level access additionally allows users to use PowerBI Desktop to explore the data.

The user must log in to the Azure Purview account and search for the Customer folder.

Open the correct folder and copy the fully qualified name.

Open PowerBI Desktop and select the Get data icon. Make the selections shown below and click Connect.

Paste the fully qualified path of the folder, which was copied from Azure Purview, and click OK.

Select the correct folder from the drop-down menu and then click Sign in. Enter your PBI credentials.

Finally, click Connect.

Alice can now either transform or load the data within the folder.

Get Started

  • Learn more about creating and publishing policies using this doc 
  • Watch the demo video here.
Updated Sep 21, 2022
Version 11.0
    Scenario: User wants to load the file "example.csv" in PowerBI. Ex:

    Self-service policies:

    If the user has only policy "2":

    When he tries to load the file in PowerBI Desktop, it will fail with (403) Forbidden. This happens because the policy does not provide "Execute" permission for the full path up to this asset.

    In this scenario, if he tries the "Open in PowerBI Desktop" button from Purview (see first screenshot), it will work!

    If the user has policy "1" + "2":

    This time the user can read the full container. Now, connecting PowerBI to example.csv works fine:

    Suggestion: When a user asks for READ access to an asset, "Execute" permission should be automatically assigned for the full path, plus "Read" on the asset.

    Otherwise, in the scenario presented above, the user will be able to read everything from the container "policy", not only example.csv.

    The issue is not self-service related. It is to do with granting execute permission on the path.
    We deal with Blob Store + ADLS Gen 2 for the same file in storage. Execute comes into the picture for ADLS Gen2.
    'Execute' is not a valid action so far in our roles.

    'Execute' permission is to be managed from POSIX ACLs. It is not governed by RBAC or Purview ABAC and there is no corresponding data action for it.

    https://datasavvy.me/2021/02/04/granting-adls-gen2-access-for-power-bi-users-via-acls/
    EXECUTE permission can be set via POSIX ACLs only.

    The data lake file has the right permissions, but it is important to note that we have another component here, which is Purview. It is not that this does not work with Power BI; it does work, but not by connecting from scratch using the data lake connector. Below are the working scenarios:

    • If we download the pbix from the Purview file site, the pbix is downloaded with the M query already set. This works; if we also try to copy this M query into another pbix by creating a connection using a blank query, it works. Below is the M query:

    let
        Source = AzureStorage.DataLakeContents("https://purviewpolicy.dfs.core.windows.net/policy/example.csv"),
        #"Imported CSV" = Csv.Document(Source,[Delimiter=",", Columns=3, Encoding=1252, QuoteStyle=QuoteStyle.None]),
        #"Changed Type" = Table.TransformColumnTypes(#"Imported CSV",{{"Column1", type text}, {"Column2", type text}, {"Column3", type text}})
    in
        #"Changed Type"

    • If we try a simpler M query and create a connection from a blank query, it works. Below is the M query:

    let
        Source = AzureStorage.DataLakeContents("https://purviewpolicy.dfs.core.windows.net/policy/example.csv")
    in
        Source

    • If we attempt to connect using the Get Data > Data Lake Gen 2 connector, it fails with a forbidden error.

    As of now this is as per design; please refer to: https://learn.microsoft.com/en-us/power-query/connectors/datalakestorage
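Added example (not code from the blog post or from any of the commenters): a small Python model of the ADLS Gen2 path rule discussed in the comments above, where reading a file needs Execute on every ancestor directory and Read on the file itself. It assumes POSIX meanings for r/w/x, treats a grant on a folder as covering everything beneath it, and models policy "1" as Read plus Execute on the /policy container; the paths and policy shapes are constructed for the demo.

```python
from typing import List, Set, Tuple

# A grant is (scope path, permissions) and covers the scope and everything
# beneath it, the scoped semantics the blog describes for a folder policy.
# Assumption: r/w/x carry their POSIX meanings; x on a directory is traversal.
Grant = Tuple[str, Set[str]]


def _is_under(path: str, scope: str) -> bool:
    """True when `path` is the scope itself or lies inside it."""
    return path == scope or path.startswith(scope.rstrip("/") + "/")


def effective_perms(grants: List[Grant], path: str) -> Set[str]:
    """Union of every grant whose scope covers `path`."""
    perms: Set[str] = set()
    for scope, p in grants:
        if _is_under(path, scope):
            perms |= p
    return perms


def ancestors(path: str) -> List[str]:
    """Directories from the container root down to the file's parent."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def can_read(grants: List[Grant], path: str) -> bool:
    """ADLS Gen2 rule: x on every ancestor directory and r on the leaf."""
    if not all("x" in effective_perms(grants, d) for d in ancestors(path)):
        return False
    return "r" in effective_perms(grants, path)


def http_status(grants: List[Grant], path: str) -> int:
    """What the Data Lake connector would see: 200 on success, 403 otherwise."""
    return 200 if can_read(grants, path) else 403


# Constructed policy shapes matching the three situations in the thread.
POLICY_2 = [("/policy/example.csv", {"r"})]  # Read on the asset only
POLICY_1_AND_2 = [("/policy", {"r", "x"}), ("/policy/example.csv", {"r"})]  # whole container
SUGGESTED = [("/policy", {"x"}), ("/policy/example.csv", {"r"})]  # traverse path + Read asset

if __name__ == "__main__":
    for name, g in [("policy 2", POLICY_2), ("policy 1+2", POLICY_1_AND_2), ("suggested", SUGGESTED)]:
        print(name, http_status(g, "/policy/example.csv"),
              "other.csv readable:", can_read(g, "/policy/other.csv"))
```

Policy "2" alone yields 403, policy "1"+"2" opens every object under /policy, and the suggested shape (traverse on the path, Read on the asset) opens only example.csv.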