Designing data protection rules
When you design a data protection rule, you must decide the criteria for enforcing the rule and the corresponding enforcement action. The criteria can include which users are affected, the classification of the data asset, or other metadata assigned to the data asset. The enforcement action can be either to deny access to all data within the asset, to mask parts of the data, or to filter rows from the data.
You must have these user permissions:
- To create data protection rules, you must have the Manage data protection rules permission.
- To include governance artifacts in your rules, you must have the Access governance artifacts permission and you must be a collaborator in the categories of the governance artifacts that you want to use in the rule.
If you are missing permissions, ask your platform administrator to give them to you.
Properties of data protection rules
The properties and behavior of data protection rules differ significantly from other governance artifacts.
| Property or behavior | Supports? | Explanation |
|---|---|---|
| Must have unique names? | Yes | Each data protection rule must have a unique name. |
| Description? | Yes | Describe what the rule does in natural language so that it is easy to understand. Include standard words and terms to make it easy to search for this rule. |
| Add relationships to other rules? | No | Data protection rules don't have relationships with each other. |
| Add relationships to other governance artifacts? | Yes | You can add governance artifacts in the definitions of data protection rules. The data protection rule then appears on the Related content tab of the governance artifacts that are included in its definition. You can also add data protection rules to policies. However, data protection rules are enforced regardless of whether they are included in any published policies. |
| Add relationship to asset? | Yes | See Asset relationships in catalogs. |
| Add custom properties? | No | Data protection rules don't support custom properties. |
| Add custom relationships? | No | Data protection rules don't support custom relationships. |
| Organize in categories? | No | Data protection rules are not controlled by categories. They are enforced across all governed catalogs on the platform and visible to all users. |
| Import from a file? | No | You must create each data protection rule individually. |
| Export to a file? | No | You can't export a data protection rule. |
| Managed by workflows? | No | Data protection rules are published and active after creation. |
| Specify start and end dates? | No | Data protection rules are active after creation and until they are deleted. |
| Assign a Steward? | No | Data protection rules don't have stewards. |
| Add tags? | Yes | Although you can't add tags as properties to data protection rules, you can include tags in the definitions of data protection rules. |
| Assign to an asset? | Yes | Although you can't manually assign data protection rules to assets, rules are enforced for assets when the assets match the criteria of the rule. |
| Assign to a column in a data asset? | Yes | Although you can't manually assign a data protection rule to a column in an asset, data protection rules can mask the values of a column when the column matches the criteria and action block directives of the rule. |
| Automated assignment during profiling or enrichment? | No | Data protection rules are enforced when a user attempts to access a data asset. |
| Predefined artifacts in the [uncategorized] category? | No | You must create all data protection rules. |
Data protection rules are composed of two components: the criteria and the action.
The criteria identify the conditions under which the data protection rule is enforced. The criteria consist of one or more conditions. Each condition consists of a predicate, a comparison operator, and one or more input values.
To configure the criteria, you select the type of predicate that defines the asset or user attribute, the comparison operator, and the specific values of the predicate to compare against. You can then join predicates and conditions with the AND or OR Boolean operators to build nested logical structures that express precise criteria.
| Predicate | Description | Values |
|---|---|---|
| Asset | The globally unique identifier (GUID) of the asset, for example, | Enter one or more asset IDs, separated by commas. |
| Asset name | The name of the asset, for example, | Enter one or more asset names, separated by commas. |
| Asset owner | The email address of the user who owns the asset in the catalog, for example, | Search for and then select one or more email addresses. |
| Asset schema | The schema of the connected asset, for example, | Enter one or more asset schemas, separated by commas. |
| Business term | A business term that is assigned to the asset or to a column, for example, | Search for and then select a published business term. |
| Catalog | The globally unique identifier (GUID) of the catalog containing the asset, for example, | Enter one or more catalog IDs, separated by commas. |
| Classification | The type of sensitive information in the asset, for example, | Search for and then select one or more classifications. |
| Data class | The data class that is assigned to a column and that classifies the content of the data, for example, | Search for and then select a published data class. |
| Tag | A tag that is assigned to the asset or to a column, for example, | Enter one or more tags, separated by commas. |
| User name | The name or email address of a user, for example, | Search for and then select one or more email addresses. |
| User group | The name of a user group that is a catalog collaborator, for example, | Search for and then select one or more user groups. |
| Custom predicates | A user-defined predicate that maps to a custom user attribute or a custom data asset attribute. | Create user-defined predicates by using the Watson Data API. |
| Operator | Description | Values |
|---|---|---|
| equals | An exact match comparison, usually used for IDs of attributes such as catalog IDs or asset IDs. For example, "Loan approvals" and "Financing." | Search for and then enter the IDs of one or more values, separated by commas. |
| contains any | Matches when the predicate value contains any of the specified strings of characters, for example, @company. | Search for and then select one or more email addresses that have the domain "@company." |
| does not contain any | Matches when the predicate value does not contain any of the specified strings of characters, for example, @company. | Search for and then select one or more email addresses that do not have the domain "@company." |
| like | Matches the predicate value against a pattern specified as a regular expression, for example, "FINANCE.*" or "(USER\|CUSTOMER).+" | Enter regular expressions, separated by commas. |
Nesting the same predicates in different ways can produce different results. For example:
The following criteria create a rule that masks data that has a specific classification plus either a specific data class or a specific business term.
The following criteria create a rule that masks data that has a specific classification plus a specific data class, or that has a specific business term.
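The two nestings described above, as an added Python example that is not part of the original page or the product: a small evaluator for condition trees (predicate, comparison operator, values, joined with AND/OR) run against constructed column metadata. The flat attribute map, the rule-tree encoding, and the sample values are assumptions made for the illustration.

```python
import re

# Constructed sample columns (assumption: the rule engine sees one flat
# attribute map per column; real metadata lives in the catalog).
CONFIDENTIAL_CARD = {"classification": ["Confidential"],
                     "data_class": ["Credit Card Number"], "business_term": []}
PUBLIC_ACCOUNT = {"classification": ["Public"],
                  "data_class": [], "business_term": ["Customer Account"]}

def condition(predicate, operator, *values):
    """One condition: a predicate, a comparison operator, and input values."""
    return ("cond", predicate, operator, values)

def all_of(*nodes):
    return ("and", nodes)      # join with AND

def any_of(*nodes):
    return ("or", nodes)       # join with OR

def eval_condition(attrs, predicate, operator, values):
    actual = attrs.get(predicate, [])
    if operator == "equals":
        return any(a == v for a in actual for v in values)
    if operator == "contains any":
        return any(v in a for a in actual for v in values)
    if operator == "does not contain any":
        return all(v not in a for a in actual for v in values)
    if operator == "like":                     # regular-expression match
        return any(re.fullmatch(v, a) for a in actual for v in values)
    raise ValueError(f"unknown operator {operator!r}")

def matches(attrs, node):
    """Recursively evaluate a nested AND/OR criteria tree to a bool."""
    if node[0] == "cond":
        return eval_condition(attrs, *node[1:])
    results = [matches(attrs, child) for child in node[1]]
    return all(results) if node[0] == "and" else any(results)

# Same three predicates, nested two ways.
# A: classification AND (data class OR business term)
RULE_A = all_of(condition("classification", "equals", "Confidential"),
                any_of(condition("data_class", "equals", "Credit Card Number"),
                       condition("business_term", "equals", "Customer Account")))
# B: (classification AND data class) OR business term
RULE_B = any_of(all_of(condition("classification", "equals", "Confidential"),
                       condition("data_class", "equals", "Credit Card Number")),
                condition("business_term", "equals", "Customer Account"))

if __name__ == "__main__":
    for name, col in [("card", CONFIDENTIAL_CARD), ("account", PUBLIC_ACCOUNT)]:
        print(name, "A:", matches(col, RULE_A), "B:", matches(col, RULE_B))
```

The public column that carries only the business term is masked by rule B but not by rule A, which is the difference the two nestings produce.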
The action of the data protection rule defines the effect of enforcing the rule. The action prevents affected catalog members from accessing or viewing the original data, as specified by the conditions. The asset owner is not affected by data protection rules.
You choose from the following types of actions.
| Action | What is protected | Effect on affected users |
|---|---|---|
| Deny access | All data values in all columns of the data asset | Affected users can see asset metadata, but can't preview any data values, use the data, or perform actions on the asset. Users are also unable to download the assets or add them to a project. |
| Mask | The values in columns that match the masking criteria | Affected users can view all values in unmasked columns, view generated values in masked columns, can use the data, and can perform actions on the asset, according to their catalog roles. See Masking data. Masking can extend to projects. See Masking in projects. Choose from three types of masking methods based on how much you want to disguise the original data. |
| Filter rows | All the rows that match specific criteria | Affected users can either view, or are blocked from viewing, all values in specific rows according to their catalog roles and the type of filtering chosen. Row filtering is either an include or an exclude, depending on the requirements of the data asset. See Filtering rows. |
You can use custom predicates when the standard predicates, such as properties of data assets or identifying users, are insufficient or do not meet your business needs.
The predicates you create are mapped to the properties of data assets.
To create or delete custom predicates, you must use the Watson Data API. If you later decide to update a custom predicate, you must first delete all of the existing rules that use the custom predicate, and then re-create the rules with the updated custom predicate.
- Masking data
- Filtering rows
- Data protection rules evaluation
- Managing data protection rules
- Watson Data API
Parent topic: Data protection rules