Permissions Reference

Principle

Grant the minimum permissions required for the selected connector scope. Start with a pilot Purview collection and Databricks catalog/schema before expanding production coverage.

Microsoft Entra ID

Lineage Advisor uses Microsoft Entra ID for administrator sign-in and application authorization.

Typical identity information:

Tenant ID.
User object ID.
User principal name or email.
Display name.
Application/client ID.

Microsoft Purview

The connector needs permission to write metadata and lineage into the target Purview collection.

Recommended scope:

Dedicated Purview collection for pilot.
Data Map permissions limited to that collection.
Permission to create or update connector-specific type definitions where enabled.

Databricks

The connector needs metadata read access for selected Databricks scopes.

Recommended scope:

Dedicated service principal.
Selected workspaces.
Selected catalogs and schemas.
Metadata and lineage read access.

The connector does not require table row data for metadata and lineage sync.

Secret Handling

Store secrets only in approved secret storage.
Rotate secrets according to enterprise policy.
Remove unused credentials immediately.
Do not share personal access tokens in support tickets.

Permission Review Checklist

Dedicated application identity created.
Pilot scope is limited.
Production scope approved by data owners.
Secret rotation owner assigned.
Purview collection owner approved target collection.
Databricks administrator approved catalogs and schemas.

Principle​

Microsoft Entra ID​

Microsoft Purview​

Databricks​

Secret Handling​

Permission Review Checklist​