You create data access rules to specify what data to control and how to control it. A rule is enforced only when you include it in a published policy.
A data access rule consists of criteria that specify the data to control and an action that specifies how to prevent access to that data. This diagram shows the components of rules.
The criteria consist of one or more conditions. A condition consists of two or more terms or classifications that describe the contents of data or identify users and that are combined by operators:
- Asset classifications: The type of sensitive information in the asset, for example, sensitive personal information, personally identifiable information, confidential, or none.
- Attribute classifiers: The classification of a column that categorizes the content of the data, for example, customer number, date of birth, or city.
- Classifier groups: Sets of similar attribute classifiers, for example, the Contact Details group contains all classifiers that describe addresses.
- System terms: Categories of types of terms, for example, asset classification, attribute classifier, asset owner, asset tags, or user name.
- Business terms: Terms in your business glossary that replace the predefined names of asset classifications, attribute classifiers, or system terms.
- Tags: Metadata associated with assets.
- User identifiers: The name or email address of a user in the account.
- Operators: The operations that are appropriate for the type of term and the position in the condition, for example, contains any, does not contain, And, and Or.
An action prevents catalog members from accessing the data specified by the conditions:
- Deny access to the entire asset. Affected users can see the entry for the asset in the catalog but cannot preview the contents of the asset or perform any actions on the asset.
- Anonymize the data in columns of relational data sets based on the type of content in the column. Affected users can see anonymized columns, but the values are replaced, an icon indicates that the column is anonymized, and a tooltip lists the name of the policy.
You can create rules while you create a policy, or separately, and later add them to one or more policies. Rules are used only when they are included in published policies.
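The rule structure described above (conditions combined by operators, a deny or anonymize action, enforcement only through published policies), modeled as an added Python example. It is not IBM's code or the Watson Knowledge Catalog API; the class, function and field names, the sample data, and the choice that deny outranks anonymize are assumptions.

```python
# Hypothetical model of the rule structure described above; not the Watson
# Knowledge Catalog API or rule format. All names and data are assumptions.
from dataclasses import dataclass

OPERATORS = {
    "contains any": lambda have, want: bool(set(have) & set(want)),
    "does not contain": lambda have, want: not (set(have) & set(want)),
}

@dataclass
class Rule:
    name: str
    conditions: list         # (term, operator, values) tuples
    combine: str             # "And" or "Or" between the conditions
    action: str              # "deny" or "anonymize"
    classifiers: tuple = ()  # attribute classifiers whose columns are anonymized

    def applies(self, facts):
        hits = [OPERATORS[op](facts.get(term, ()), values)
                for term, op, values in self.conditions]
        return all(hits) if self.combine == "And" else any(hits)

def evaluate(asset, user, policies):
    """Return what one catalog member may see of one asset."""
    facts = {"asset classification": [asset["classification"]],
             "asset tags": asset["tags"], "user name": [user]}
    decision = {"access": "allow", "anonymized": set(), "rules": []}
    for policy in policies:
        if not policy["published"]:    # rules in unpublished policies are not enforced
            continue
        for rule in (r for r in policy["rules"] if r.applies(facts)):
            decision["rules"].append(rule.name)
            if rule.action == "deny":  # assumption: deny outranks anonymize
                decision["access"] = "deny"
            else:
                cols = asset["columns"].items()
                decision["anonymized"] |= {c for c, cls in cols if cls in rule.classifiers}
    return decision

# Constructed sample data.
ASSET = {"classification": "personally identifiable information", "tags": ["crm"],
         "columns": {"cust_no": "customer number", "dob": "date of birth", "town": "city"}}
MASK_DOB = Rule("mask-dob", [("asset classification", "contains any",
                              ("personally identifiable information",)),
                             ("user name", "does not contain", ("alice@example.com",))],
                "And", "anonymize", ("date of birth",))
DENY_CRM = Rule("deny-crm", [("asset tags", "contains any", ("crm",))], "And", "deny")
POLICIES = [{"published": True, "rules": [MASK_DOB]},
            {"published": False, "rules": [DENY_CRM]}]
```

With this sample data, `evaluate(ASSET, "bob@example.com", POLICIES)` leaves access allowed but anonymizes the `dob` column, while the deny rule has no effect until its policy is published.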
You must have the Admin role for the Watson Knowledge Catalog app to create rules. Other users can only view rules.
Some Watson Knowledge Catalog plans have limits on the number of rules that you can create.