Data location rules (experimental) (IBM Knowledge Catalog)
Data location rules provide attributes-based access control of data assets based on their location. The rules ensure that data privacy and location-aware regulations are enforced when you move data from one physical or sovereign location to another.
Experimental This is an experimental release and is not yet supported for use in production environments. To try out this experimental feature, respond to this post for an example tutorial and additional information about the API.
You can create data location rules to protect sensitive data based on the location or sovereignty of the data or of the users who access the data.
A data location rule consists of an optional direction of the data, the criteria, and an action block.
By default, a data location rule is applied to data both when the data is entering and when the data leaving its physical or sovereign location. You can limit the rule to a single data direction. When you specify the data direction of the rule as incoming, the data that is entering the location is restricted. When you specify the data direction of the rule as outgoing, the data that is leaving its location is restricted.
For example, Anya is a legal and compliance officer at a bank in Germany. Personal information in Germany is governed by the General Data Protection Regulation. Anya must ensure the customer names and addresses that she is managing is masked before it leaves Germany and is accessed in other countries. When Anya designs a data location rule, the data direction she selects is outgoing. The data is coming from Germany and customer names and addresses are masked when it is accessed in other countries.
Criteria identifies what data to control and can include who is requesting access to the data and the properties of the data asset. The criteria can consist of a number of predicates that are combined in a Boolean expression. The predicates can include user attributes and asset attributes, such as classifications, tags, and business terms.
The action block specifies how to control the data. The action block can consist of binary actions, such as either denying or allowing access to data, and data transformative actions, such as masking the data values in a column.
Data location rule example
You can create a data location rule that indicates the data direction is incoming. It masks the column names Name and Address by using obfuscation if data originated from Japan and is entering Germany. The definition of that rule consists of a data direction, criteria with two conditions and an action.
The following example displays the data direction and criteria with two conditions that are defined for the rule:
The following example displays the Obfuscation action that is defined for the rule:
Rewritten as a sentence, the rule definition is: If the data direction is incoming, the source sovereignty is Japan, and the target sovereignty is Germany, mask the Name and Address columns using obfuscation transformation.
Learn more
Parent topic: Governance artifacts