Scenario 2: Restrict access with data policies

In this scenario, you'll create a policy to deny access to a specific Watson Studio user if the data asset is manually classified as containing Sensitive Personal Information.

To restrict access to assets in your catalog using policies:

When an asset is added to a catalog with data policies enforced, it is automatically profiled and classified as part of the policy framework. The profiling process samples the data asset and leverages different algorithms to determine the type of content in the data asset. For example, profiling can determine if a column contains a name, address, email, phone, SSN, date of birth, or credit card number. With this insight, the platform can classify an asset as containing sensitive data.

Now, you can manually classify this data asset:

  • For Classification, choose Sensitive Personal Information (SPI) from the list of available classifiers. This classification can later be used when defining policies and rules to evaluate if a user can access this data asset.
  • For Tags, type in SPI, for example, then click the plus sign icon. Over time, a catalog can contain many assets. Tags allow members to easily search for assets.

The next step is to create a policy to deny access to a specific Watson Studio user if the data asset is manually classified as containing Sensitive Personal Information.

Policies are containers to organize rules. To create a policy:

  1. Click Catalog > Policy Manager.
  2. If there is no category, click Add to create a category.
  3. Click Add to create a new policy.
  4. Enter the required information:
    • Enter a name (for example, SPI data access policy) and a description.
    • For Type, Access is preselected because it is the only policy type currently supported. It indicates that the purpose of the policy is to control the users' access to data.
    • For Category, click Select Category, then pick the one you created, for example: Sensitive Data Policy.
  5. Click Create a new rule.
  6. Enter the required information:
    • Enter a name (for example, Rule 1 - Deny access to SPI) and a description.
    • For Type, Access is preselected.
    • For Business description, provide a plain-language description of what this rule does.
  7. Define the conditions in the rule builder:

    IF Asset Manual Classification
    CONTAINS ANY
    Sensitive Personal Information
    AND
    IF User name
    CONTAINS
    user3@example.com, user4@example.com
    THEN Deny

    To finish the rule, click Create to return to the Policy page.

  8. Click Publish to make this policy available for your environment.

Whenever one of the Watson Studio users (user3@example.com or user4@example.com) attempts to access a data asset that is manually classified as Sensitive Personal Information in a catalog with data policies enforced, this user is denied access by the system.
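A small model of Rule 1 for checking what it does and does not block before you publish it. This is an added example, not the platform's policy engine or code from this page; the Allow default, the exact-match user comparison, the Request fields, and the account user1@example.com are assumptions.

```python
from dataclasses import dataclass

SPI = "Sensitive Personal Information"

@dataclass(frozen=True)
class Request:
    user: str
    manual: frozenset = frozenset()    # classifications set by hand on the asset
    profiled: frozenset = frozenset()  # data classes found by automatic profiling
    enforced: bool = True              # catalog has data policies enforced

# Rule 1 from the rule builder above, written as data.
RULE_1 = {"manual_any": frozenset({SPI}),
          "users": frozenset({"user3@example.com", "user4@example.com"})}

def evaluate(req, rule=RULE_1):
    """Deny only when both conditions hold; otherwise Allow (assumed default)."""
    if not req.enforced:
        return "Allow"
    classified = bool(rule["manual_any"] & req.manual)  # CONTAINS ANY
    listed = req.user in rule["users"]                  # CONTAINS, assumed exact match
    return "Deny" if classified and listed else "Allow"

def review_gaps(requests, rule=RULE_1):
    """Allowed requests that still touch sensitive data, with the reason."""
    gaps = []
    for r in requests:
        if evaluate(r, rule) != "Allow":
            continue
        if not r.enforced and (r.manual or r.profiled):
            gaps.append((r.user, "catalog does not enforce data policies"))
        elif rule["manual_any"] & r.manual:
            gaps.append((r.user, "user not named in the rule"))
        elif r.profiled:
            gaps.append((r.user, "profiled as sensitive but not manually classified"))
    return gaps

# Constructed sample requests (user1@example.com is a made-up account).
SAMPLES = [
    Request("user3@example.com", manual=frozenset({SPI})),
    Request("user1@example.com", manual=frozenset({SPI})),
    Request("user4@example.com", profiled=frozenset({"SSN"})),
    Request("user4@example.com", manual=frozenset({SPI}), enforced=False),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, evaluate(r))
    for user, why in review_gaps(SAMPLES):
        print("review:", user, "-", why)
```

In this model only the first sample is denied. The other three are the cases to review before relying on the rule: an unlisted user, an asset that was profiled but never manually classified, and a catalog without policy enforcement.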

Open Catalog > Data Dashboard to view and monitor data policy activities.
