Nuta
Dostęp do tej strony wymaga autoryzacji. Możesz spróbować się zalogować lub zmienić katalog.
Dostęp do tej strony wymaga autoryzacji. Możesz spróbować zmienić katalogi.
Note
This documentation is for the preview version of Data Security Posture Management that's now rolling out. We invite you to try this preview that introduces guided workflows for proactive risk management and streamlines data security operations so you can more confidently adopt AI across your digital estate.
Most new features will be added to this version only but you can still access the previous versions and their documentation:
Members of your security and compliance teams who are responsible for managing AI apps in Microsoft Purview Data Security Posture Management need appropriate permissions when they sign in to the Microsoft Purview portal.
Roles and role groups that can view, create, and edit in Data Security Posture Management:
- Microsoft Entra Compliance Administrator role
- Microsoft Entra Global Administrator role
- Microsoft Purview Compliance Administrator role group
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Roles and role groups that can view-only in Data Security Posture Management:
- Microsoft Purview Security Reader role group
- Purview Data Security AI Viewer role
- AI Administrator role from Entra
- Purview Data Security AI Content Viewer role for AI interactions only
- Purview Data Security Content Explorer Content Viewer role for AI interactions and file details for data risk assessments only
To help you assign the right permissions to users, use the following guidance, depending on the portal you're using:
- Permissions in the Microsoft Purview portal
- Assign Microsoft Entra roles to users
- Permissions in Exchange Online
Use the following table to understand the detailed permissions for different activities in Data Security Posture Management.
Permissions by activities
✓: Supported. The role or role group have permissions to do the specified activities.
✕: Not supported. The role or role group don't have permissions to do the specified activities.
Use the Roles or role groups that are view-only for AI data column to identify the activities that display AI data security information, for view-only. For example, AI data from objectives such as exfiltration to AI apps and prevent oversharing, with their AI-related policies and metrics.
| Activities | Microsoft Entra Compliance Administrator role | Microsoft Entra Global Administrator role | Microsoft Purview Compliance Administrator role group | Roles or role groups that are view-only1 | Roles or role groups that are view-only for AI data2 | When not supported, additional role groups required |
|---|---|---|---|---|---|---|
| Complete one-click get started steps | ✓ | ✓ | ✓ | ✕ | ✕ | Not applicable |
| View all get started steps | ✓ | ✓ | ✓ | ✓ | ✕ | Not applicable |
| View key posture metrics, data snapshot, and posture trends chart on the Posture page | ✓ | ✓ | ✓ | ✓ | ✕ | Not applicable |
| View Security Copilot insights and run prompts | ✕ | ✕ | ✕ | ✕ | ✕ | Data Security Viewer |
| Complete action on getting started steps | ✓ | ✓ | ✓ Excludes Activate Audit |
✕ | ✕ | Microsoft Exchange Compliance Management Microsoft Exchange Records Management Microsoft Exchange Organization Management |
| View completion status of getting started steps | ✓ | ✓ | ✓ Excludes status of Activate Audit |
✓ Excludes: Status of Activate Audit Status of Extend Your Insights |
✓ Excludes: Status of Activate Audit Status of Extend Your Insights |
For Activate Audit: Microsoft Exchange View-Only Organization Management Microsoft Exchange Hygiene Management Microsoft Exchange Compliance Management Microsoft Exchange Records Management Microsoft Exchange Organization Management For Extend Your Insights: Microsoft Purview Insider Risk Management Administrator Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| Create data security investigation | ✕ | ✕ | ✕ | ✕ | ✕ | Data Security Management Insider Risk Management Admin Data Security Investigations Admin Data Security Investigations Investigator |
| View all recommendations | ✓ | ✓ | ✓ | ✓ | ✓ | Not applicable |
| Complete actions on recommendation cards | ✓ | ✓ | ✓ | ✕ | ✕ | Not applicable |
| View completion status of recommendation cards | ✓ | ✓ | ✓ | ✕ Excludes Unethical Behavior card |
✓ Excludes Unethical Behavior card |
Communication Compliance Administrator |
| View all graphs from the Reports page | ✓ | ✓ | ✓ | ✓ | ✓ | Not applicable |
| View all policies in the policy list, Reports page | ✓ | ✓ | ✓ | ✓ Excludes: Insider risk management policies Communication compliance policies |
For insider risk management polices: Microsoft Purview Insider Risk Management Administrator Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator For communication compliance policies: Communication Compliance Administrator |
|
| View all events in activity explorer, AI activities tab | ✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View all events in activity explorer, All activity types tab | ✓ Excludes insider risk management events |
✓ Excludes insider risk management events |
✓ Excludes insider risk management events |
✓ Excludes insider risk management events |
✕ | Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View user risk level of an individual user in all events from activity explorer | ✕ | ✕ | ✕ | ✕ | ✕ | Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View user risk level of an individual user in all events from activity explorer, both tabs | ✕ | ✕ | ✕ | ✕ | ✕ | Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View the prompts and responses within AI Interaction events from activity explorer | ✕ | ✕ | ✕ | ✕ | ✕ | Content Explorer Content Viewer Microsoft Purview Data Security AI Content Viewer |
| Create data risk assessments | ✓ | ✓ | ✓ | ✕ | ✕ | Not applicable |
| View data risk assessments | ✓ | ✓ | ✓ | ✓ | ✓ | Not applicable |
| View file details for data risk assessments | ✕ | ✕ | ✕ | ✕ | ✕ | Content Explorer Content Viewer Content Explorer List Viewer |
| View Apps and agents page | ✓ | ✓ | ✓ | ✓ | ✓ | Not applicable |
| View objectives | ✓ | ✓ | ✓ | ✓ | ✓ | Not applicable |
| View remediation plan for objectives | ✓ | ✓ | ✓ | ✓ | ✕ | Not applicable |
| View remediation plan completion status | ✓ | ✓ | ✓ | ✓ | ✕ | Not applicable |
| View risk patterns | ✓ | ✓ | ✓ | ✓ | ✓ | Not applicable |
1 Includes Microsoft Purview Security Reader role group, Microsoft Purview Data Security AI Viewer role, and the AI Administrator role from Entra
2 Includes Microsoft Purview Data Security AI Viewer role and the AI Administrator role from Entra
Custom role groups
Instead of granting access to Data Security Posture Management by using the built-in role groups, you can grant access by including the Microsoft Purview Compliance Administrator role in a custom role group. For read-only permissions, include the the Microsoft Purview Security Reader role, the Purview Data Security AI Viewer role, or the AI Administrator role from Entra.
If a custom role group includes the Microsoft Purview Compliance Administrator role, the user has the same access to Data Security Posture Management as the Microsoft Purview Compliance Administrator role group, except for the following:
- Create, view, update, and delete policies for insider risk management and communication compliance
If a custom role group includes the Microsoft Purview Security Reader role, the Purview Data Security AI Viewer role, or the AI Administrator role, the user has the same access to Data Security Posture Management the Microsoft Purview Security Reader role group, except for the following:
- View information protection policies