Data Policy precedence compared with RBAC

Jayend Nallas 0 Reputation points
2024-06-18T15:27:46.5833333+00:00

Practical Example

  1. RBAC Configuration:
    • Suppose a user is assigned the "Storage Blob Data Contributor" role at the Azure Data Lake Storage Gen2 account level via Azure IAM. This role provides full access to blobs and containers within the storage account.
  2. Purview Data Policy Configuration:
    • A Purview data policy is configured to deny access to a specific container within the Data Lake Storage Gen2.

Which one takes precedence? I thought the data policy in Purview acts as an additional layer of security and takes precedence in restricting data access. But it is not. Am I missing something?

Microsoft Purview

1 answer

  1. William 620 Reputation points
    2024-06-19T01:16:33.0866667+00:00

    In Azure, Role-Based Access Control (RBAC) and Azure Purview data policies work together to manage access to data. Here's how they interact and determine precedence:

    RBAC Configuration: RBAC controls access at a broad level. For example, assigning the "Storage Blob Data Contributor" role to a user at the Azure Data Lake Storage Gen2 account level provides them full access to blobs and containers within that storage account.

    Purview Data Policy: Purview data policies can enforce more granular controls. These policies can either allow or deny access to specific data assets, such as individual containers within the Data Lake Storage Gen2.

    Precedence: When there’s a conflict between RBAC permissions and Purview data policies, the most restrictive policy takes precedence. Therefore, even if a user has the "Storage Blob Data Contributor" role, a Purview data policy denying access to a specific container will override the RBAC permissions, effectively restricting access as intended.

    Azure’s security model is designed to ensure data protection by applying the principle of least privilege. This means the most restrictive access controls are prioritized when there’s a conflict between different access policies.

    Additionally, Azure’s security and access management is designed to be layered and comprehensive, ensuring that data is protected at all levels. This layered approach provides robust security, offering multiple lines of defense to safeguard your data.

    To summarize, in your scenario, the Purview data policy denying access to a specific container should take precedence over the broader RBAC permissions, thus restricting access to that container as intended.

    I hope this clarifies the interaction between RBAC and Purview data policies.

    Here are the links to the official Azure documentation on RBAC and Purview data policies:

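The following is an added example and is not part of the question or the answer above. It performs step 1 of the scenario (Storage Blob Data Contributor assigned at the storage-account scope) with Az PowerShell and then checks the effective data-plane result for the container the Purview policy targets, so that the observed behaviour can be verified rather than inferred. The Purview data policy itself is configured in the Purview portal and is not shown here. Subscription ID, resource group, account name, container name and the user's object ID are placeholders.

```powershell
# Added example (not from the original post). Requires the Az.Accounts, Az.Resources
# and Az.Storage modules and a prior Connect-AzAccount. All names are assumptions.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption: replace
$resourceGroup  = 'rg-datalake'                             # assumption
$storageAccount = 'stdatalake001'                           # assumption: ADLS Gen2 account
$container      = 'restricted'                              # assumption: container the Purview policy targets
$userObjectId   = '11111111-1111-1111-1111-111111111111'   # assumption: Entra ID object ID of the user

$accountScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
                "/providers/Microsoft.Storage/storageAccounts/$storageAccount"

# Step 1: grant Storage Blob Data Contributor at account scope, which covers
# every container in the account unless something else intervenes.
New-AzRoleAssignment -ObjectId $userObjectId `
    -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $accountScope

# Show what RBAC alone says about this principal at the account scope.
Get-AzRoleAssignment -ObjectId $userObjectId -Scope $accountScope |
    Select-Object RoleDefinitionName, Scope

# Effective check: run this part in a session signed in as the assigned user.
# -UseConnectedAccount forces Entra ID (RBAC) auth instead of the account key,
# so the result reflects the access controls under discussion, not a shared key.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount
try {
    Get-AzStorageBlob -Container $container -Context $ctx | Select-Object Name, Length
    Write-Host "Listing '$container' succeeded: the account-scope RBAC grant is in effect."
}
catch {
    Write-Host "Listing '$container' was refused: $($_.Exception.Message)"
}
```

Run the listing step once before and once after the Purview policy is published; comparing the two results shows directly which control governs access to that container in your tenant.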