Data protection policy evaluation
Data protection policies evaluate requests to access assets based on these elements:
- User context, for example, you can write rules that always deny access to a specific user, or always anonymize a column for a specific user.
- All the existing rules in published data protection policies in the system at the time of policy enforcement.
- Information about the asset:
- A subset of the asset properties, such as classification, owner, and tags.
- The data classes that are assigned to describe columns in relational or structured data assets during the profiling process. Assets that do not contain structured data or have a format that cannot be profiled are not affected by rules that specify data classes, such as rules that anonymize data.
- You can create rules using business terms, which you can assign to an asset or to an asset column.
Access requests for an asset in a catalog with data protection policies enforced are processed as follows:
- If the user who is trying to access the asset is the owner of the asset (by default, the user who created the asset), then access is always granted.
- If the asset is being classified and at the time of being evaluated for data protection there are published rules that depend on profiling, then only a user who has the Admin role can access the asset. If profiling and evaluation fail to complete within 24 hours, the asset is blocked to all users except the owner of the asset.
- Rules are processed in the order of their creation.
- The first rule whose conditions result in a deny action blocks access to the asset and stops further rule processing.
- If all rules are processed and none of the rule conditions result in a deny action, access to the asset is allowed.