Policies control access to data based on the content of the data. For each column in relational data sets, the type of content is automatically profiled and classified. You create policies that specify types of data classifications to restrict. The policies are then enforced automatically whenever a catalog member attempts to view or act on a data asset in a catalog, which prevents unauthorized users from accessing sensitive data.
For example, you can create a policy to deny access to data assets that contain confidential information. Without policies, access to a data asset in a catalog is restricted only by the privacy setting of the data asset, which specifies the users who can view and use the asset. You can also decide to anonymize data in asset columns depending on their contents. In this case, users can view an asset, but not all data is revealed to them. A shield icon next to the column name indicates that the data in the column is anonymized by a policy.
This diagram shows the hierarchy of categories, policies, and rules.
A policy consists of one or more rules that control access to data and a description to explain to catalog users why they can’t access data in a particular data set. You can use the same rule in multiple policies. Policies are organized in categories in the Policy Manager. Choose Catalog > Policy Manager to view, create, or manage categories, policies, and rules.
Policies have this scope:
- Catalogs that are governed and in the same IBM Cloud account. When you create a catalog, you choose whether to enforce policies for that catalog. Sensitive data in catalogs that do not have governance enabled is not protected by policies.
- Data in relational data sets. Data assets with unstructured data and other types of assets are not protected by policies.
- All members of governed catalogs, regardless of their roles. The only user who is not subject to policies is the owner of the data asset. The owner of a data asset always sees the original values of that asset.
The status of a policy determines whether you can edit the policy and whether the policy is enforced.
- Published policies are enforced and can be edited.
- Draft policies are not yet enforced and can be edited.
- Archived policies are no longer used and cannot be edited.
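The scope and status rules above combine into a single enforcement decision, modeled here as an added example that is not IBM code and does not use the product's API. The classes, the `evaluate` function, the data class names and the users are hypothetical, the sample data is constructed, the asset's privacy setting is left out, and letting a deny rule win over an anonymize rule is an assumption of the sketch.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    classification: str  # data class the rule restricts
    action: str          # "deny" or "anonymize"

@dataclass
class Policy:
    name: str
    status: str          # "published", "draft" or "archived"
    rules: list

@dataclass
class Asset:
    owner: str
    relational: bool
    columns: dict        # column name -> profiled classification

def evaluate(user, asset, governed, policies):
    """Return (decision, anonymized_columns, reason) for one access attempt."""
    if user == asset.owner:
        return ("allow", [], "owner sees original values")
    if not governed:
        return ("allow", [], "catalog does not enforce policies")
    if not asset.relational:
        return ("allow", [], "only relational data sets are covered")
    # Only published policies are enforced; draft and archived ones are skipped.
    active = [r for p in policies if p.status == "published" for r in p.rules]
    masked = set()
    for column, data_class in asset.columns.items():
        for rule in active:
            if rule.classification != data_class:
                continue
            if rule.action == "deny":
                # Assumption of this sketch: deny takes precedence over anonymize.
                return ("deny", [], f"column '{column}' is classified {data_class}")
            masked.add(column)
    return ("allow", sorted(masked), "published rules applied")

# Constructed sample data: class names and users are made up.
POLICIES = [
    Policy("Mask contact details", "published", [Rule("Email Address", "anonymize")]),
    Policy("Block card data", "draft", [Rule("Credit Card Number", "deny")]),
]
CUSTOMERS = Asset("alice", True, {"email": "Email Address", "card": "Credit Card Number"})

if __name__ == "__main__":
    for user, governed in [("alice", True), ("bob", True), ("bob", False)]:
        print(user, governed, evaluate(user, CUSTOMERS, governed, POLICIES))
```

With the sample data, bob gets the email column anonymized but still sees card numbers, because the policy that would deny access is still a draft.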
You must have the Admin role for the Watson Knowledge Catalog app to create categories, policies, and rules. Other users can only view categories, policies, and rules.
Some Watson Knowledge Catalog plans do not allow you to create or enforce policies.