Designing data protection rules
Last updated: Dec 13, 2024

When you design a data protection rule, you must decide the criteria for enforcing the rule and the corresponding enforcement action. The criteria can include which users are affected, the classification of the data asset, or other metadata assigned to the data asset. The enforcement action can deny access to all data within the asset, mask parts of the data, or filter rows from the data.

Required permissions

You must have these user permissions:

  • To create data protection rules, you must have the Manage data protection rules permission.
  • To include governance artifacts in your rules, you must have the Access governance artifacts permission and you must be a collaborator in the categories of the governance artifacts that you want to use in the rule.

If you are missing permissions, ask your platform administrator to give them to you.

Properties of data protection rules

The properties and behavior of data protection rules differ significantly from other governance artifacts.

| Property or behavior | Supports? | Explanation |
|---|---|---|
| Must have unique names? | Yes | Each data protection rule must have a unique name. |
| Description? | Yes | Describe what the rule does in natural language so that it is easy to understand. Include standard words and terms to make it easy to search for this rule. |
| Add relationships to other rules? | No | Data protection rules don't have relationships with each other. |
| Add relationships to other governance artifacts? | Yes | You can add governance artifacts in the definitions of data protection rules. The data protection rule then appears on the Related content tab of the governance artifacts that are included in its definition. You can also add data protection rules to policies. However, data protection rules are enforced regardless of whether they are included in any published policies. |
| Add relationship to asset? | Yes | See Asset relationships in catalogs. |
| Add custom properties? | No | Data protection rules don't support custom properties. |
| Add custom relationships? | No | Data protection rules don't support custom relationships. |
| Organize in categories? | No | Data protection rules are not controlled by categories. They are enforced across all governed catalogs on the platform and visible to all users. |
| Import from a file? | No | You must create each data protection rule individually. |
| Export to a file? | No | You can't export a data protection rule. |
| Managed by workflows? | No | Data protection rules are published and active after creation. |
| Specify start and end dates? | No | Data protection rules are active after creation and until they are deleted. |
| Assign a Steward? | No | Data protection rules don't have stewards. |
| Add tags? | Yes | Although you can't add tags as properties to data protection rules, you can include tags in the definitions of data protection rules. |
| Assign to an asset? | Yes | Although you can't manually assign data protection rules to assets, rules are enforced for assets when the assets match the criteria of the rule. |
| Assign to a column in a data asset? | Yes | Although you can't manually assign a data protection rule to a column in an asset, data protection rules can mask the values of a column when the column matches the criteria and action block directives of the rule. |
| Automated assignment during profiling or enrichment? | No | Data protection rules are enforced when a user attempts to access a data asset. |
| Predefined artifacts in the [uncategorized] category? | No | You must create all data protection rules. |

Data protection rules are composed of two components:

Criteria

The criteria identify the conditions for enforcing the data protection rule. Criteria consist of one or more conditions. Each condition consists of a predicate, a comparison operator, and one or more input values.

Configuring criteria involves selecting the type of predicate that defines the asset or user attribute, the comparison operator, and the specific values of the predicate to compare with. You can then join predicates and conditions with the AND or OR Boolean operators to create nested logical structures with precise criteria.

Predicate types

| Predicate | Description | Input values |
|---|---|---|
| Asset | The globally unique identifier (GUID) of the asset, for example, 4899251b-6073-4f25-9601-fc70fca1f9a9. | Enter one or more asset IDs, separated by commas, obtained by using the Data and AI Common Core API. |
| Asset name | The name of the asset, for example, SALES_LEADS. | Enter one or more asset names, separated by commas. |
| Asset owner | The email address of the user who owns the asset in the catalog, for example, [email protected]. | Search for and then select one or more email addresses. |
| Asset schema | The schema of the connected asset, for example, db2_conn1. | Enter one or more asset schemas, separated by commas. |
| Business term | A business term that is assigned to the asset or to a column, for example, work phone number. | Search for and then select a published business term. |
| Catalog | The globally unique identifier (GUID) of the catalog that contains the asset, for example, 46a19524-bfbf-4810-a1f0-b131f12bc773. | Enter one or more catalog IDs, separated by commas, obtained by using the Data and AI Common Core API. |
| Classification | The type of sensitive information in the asset, for example, Confidential or Personally Identifiable Information. | Search for and then select one or more classifications. |
| Column name | The name of a column in an asset, for example, FNAME, LNAME, CLAIM_ID. | Enter one or more column names, separated by commas. |
| Data class | The data class that is assigned to a column and classifies the content of the data, for example, Customer Number, Date of Birth, or City. | Search for and then select a published data class. |
| Tag | A tag that is assigned to the asset or to a column, for example, Marketing, Client Information, or Claim. | Enter one or more tags, separated by commas. |
| User name | The name or email address of a user, for example, [email protected]. | Search for and then select one or more email addresses. |
| User group | The name of a user group that is a catalog collaborator, for example, people managers or finance group. | Search for and then select one or more user groups. |
| Custom predicates | A user-defined predicate that maps to a custom user attribute or a custom data asset attribute. | Create user-defined predicates by using the IBM Knowledge Catalog API. |

Comparison operators

| Operator | Description | Input values |
|---|---|---|
| equals | An exact match comparison, usually used for IDs of attributes such as catalog IDs or asset IDs. For example, "Loan approvals" and "Financing". | Search for and then enter the IDs of one or more values, separated by commas; for asset IDs or catalog IDs, obtain them by using the Data and AI Common Core API. |
| contains any | Filters the predicate type for assets that contain any of the listed values for that attribute. For example, assets that contain any tag of "confidential", "sensitive", or "financial". | Search for and then enter one or more values, separated by commas. |
| does not contain any | Filters the predicate type for assets that do not contain any of the listed values for that attribute. For example, assets that do not contain any tag of "confidential", "sensitive", or "financial". | Search for and then enter one or more values, separated by commas. |
| like | Filters the predicate value for a pattern specified as a regular expression, for example, "FINANCE.*" or "(USER|CUSTOMER).+". | Enter regular expressions, separated by commas. |

Tip: For the predicate types `Asset name` and `Column name`, you can use the `like` operator for substring or more precise matches.

For example, nesting the same predicates in different ways in the criteria can produce different results.

The following criteria create a rule that masks data that has a specific classification plus either a specific data class or a specific business term:

[Figure: Data protection rule nesting example]

The following criteria create a rule that masks data that has a specific classification plus a specific data class, or that has a specific business term:

[Figure: Data protection rule nesting example]
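To make the nesting difference concrete, here is an added Python example (not IBM Knowledge Catalog code) that evaluates both criteria trees over constructed asset metadata. The predicate keys, the asset shape and the operator semantics are assumptions made for illustration, not the product's implementation.

```python
import re

def evaluate(node, asset):
    """Evaluate a criteria tree against one asset's metadata.

    node is a Boolean group ("AND" | "OR", [children]) or a condition
    (predicate, operator, values); asset maps predicate -> list of values.
    Operator semantics are our reading of the table above (an assumption):
    equals and contains any match if any actual value is in the list,
    does not contain any is the negation, like full-matches a regex.
    Every comparison is case-sensitive, as the column-name guideline says.
    """
    kind = node[0]
    if kind == "AND":
        return all(evaluate(child, asset) for child in node[1])
    if kind == "OR":
        return any(evaluate(child, asset) for child in node[1])
    predicate, operator, values = node
    actual = asset.get(predicate, [])
    if operator in ("equals", "contains any"):
        return any(v in values for v in actual)
    if operator == "does not contain any":
        return not any(v in values for v in actual)
    if operator == "like":
        return any(re.fullmatch(p, v) is not None for p in values for v in actual)
    raise ValueError(f"unknown operator {operator!r}")

# Constructed sample assets (not real catalog data); the key names are ours.
PII_DOB = {"classification": ["Confidential"], "data_class": ["Date of Birth"],
           "business_term": [], "column_name": ["FNAME", "DOB"]}
PHONE_ONLY = {"classification": ["Public"], "data_class": [],
              "business_term": ["work phone number"], "column_name": ["WORK_PHONE"]}

CLASSIFIED = ("classification", "contains any", ["Confidential"])
DOB = ("data_class", "contains any", ["Date of Birth"])
PHONE = ("business_term", "contains any", ["work phone number"])

# First nesting: classification AND (data class OR business term)
RULE_A = ("AND", [CLASSIFIED, ("OR", [DOB, PHONE])])
# Second nesting: (classification AND data class) OR business term
RULE_B = ("OR", [("AND", [CLASSIFIED, DOB]), PHONE])

def nesting_results(asset):
    """Return (rule_a_matches, rule_b_matches) for one asset."""
    return evaluate(RULE_A, asset), evaluate(RULE_B, asset)

def column_rule_matches(asset, column_name):
    """Exact, case-sensitive column-name match, as masking/filtering requires."""
    return evaluate(("column_name", "contains any", [column_name]), asset)
```

Run against the two sample assets, the first nesting masks only the asset that is classified Confidential, while the second also masks the unclassified asset carrying the business term; `column_rule_matches` shows why a rule written for `dob` never applies to the column `DOB`.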

Actions

The action of the data protection rule defines the effect of enforcing the rule. The action prevents affected catalog members from accessing or viewing the original data, as specified by the conditions. The asset owner is not affected by data protection rules.

You choose from the following types of actions.

| Action | Scope | Result |
|---|---|---|
| Deny access | All data values in all columns of the data asset | Affected users can see asset metadata, but can't preview any data values, use the data, or perform actions on the asset. Users are also unable to download the assets or add them to a project. |
| Redact columns | The values in columns that match the masking criteria | Affected users see values replaced with a string of one repeated character. See Mask data with data protection rules. Masking can extend to projects. See Masking in projects. |
| Obfuscate columns | The values in columns that match the masking criteria | Affected users see data replaced with similar values in the same format. See Mask data with data protection rules. Masking can extend to projects. See Masking in projects. |
| Substitute columns | The values in columns that match the masking criteria | Affected users see data replaced with a hashed value. See Mask data with data protection rules. Masking can extend to projects. See Masking in projects. |
| Filter rows | All the rows that match specific criteria | Affected users can either view, or are blocked from viewing, all values in specific rows according to their catalog roles and the type of filtering chosen. Row filtering is either an include or an exclude, depending on the requirements of the data asset. See Filtering rows. |

Column name guidelines within masking or filtering action

Column names must exactly match the name in the data asset schema, or the rule is not applied. In addition, column names are case-sensitive. For example, if you create a rule to filter rows based on the column name COLUMN9, the rule does not filter rows in columns named column9; it filters rows only where the column name matches COLUMN9 exactly.

Custom predicates

You can use custom predicates when the standard predicates, such as properties of data assets or attributes that identify users, are insufficient or do not meet your business needs.

The predicates you create are mapped to the properties of data assets.

To create or delete custom predicates, you must use the IBM Knowledge Catalog API. If you decide later to update a custom predicate, you must first delete all of the existing rules that use the custom predicate, and then re-create the rules using the updated custom predicate.
