Data protection policy evaluation

Data protection policies evaluate requests to access assets based on these elements:

  • All the existing rules in published data protection policies in the system at the time of policy enforcement.
  • Information about the asset:
    • A subset of the asset properties, such as classification, owner, and tags.
    • The attribute classifiers that are assigned to describe columns in relational or structured data assets during the profiling process. Assets that do not contain structured data or have a format that cannot be profiled are not affected by rules that specify attribute classifiers, such as rules that anonymize data.

Access requests for an asset in a catalog with data protection policies enforced are processed as follows:

  • If the user who is trying to access the asset is the owner of the asset (by default, the user who created the asset), then access is always granted.

  • If the asset is being classified and evaluated for data protection policy enforcement after it was created, only a user who has the Admin role can access the asset. If classification and evaluation fail to complete within 24 hours, the asset is blocked to all users except the owner of the asset.

  • Rules are processed in the order of their creation.

  • The first rule whose conditions result in a deny action blocks access to the asset and stops further rule processing.

  • If all rules are processed and none of the rule conditions result in a deny action, access to the asset is allowed.

Learn more