Data policies evaluate requests to access assets based on these elements:
- Information about the user who is attempting to access the asset. This consists, for example, of the user identification, the account identification, the user role, the time stamp, and so on.
- All the existing rules in published policies in the system at the time of policy enforcement.
- Information about the asset:
- A subset of the asset properties, such as classification, owner, and tags, which are accessible through the system terms.
- The attribute classifiers that are assigned to describe columns in relational or structured data assets during the profiling process. Assets that do not contain structured data or have a format that cannot be profiled are not affected by rules that specify attribute classifiers, such as rules that anonymize data.
Access requests for an asset in a catalog with data policies enforced are processed as follows:
- If the user who is trying to access the asset is the owner of the asset (by default, the user who created the asset), then access is always granted.
- If the asset is being classified and evaluated for policy enforcement after it was created, only a user who has the Admin role can access the asset. If classification and evaluation fail to complete within 24 hours, the asset is blocked to all users except the owner of the asset.
- Rules are processed in the order of their creation.
- The first rule whose conditions result in a deny action blocks access to the asset and stops further rule processing.
- If all rules are processed and none of the rule conditions result in a deny action, access to the asset is allowed.