Policies control access to data based on the content of the data. A policy consists of one or more rules.
You can add data protection rules to create policies that specify types of data to restrict. The data protection rules in policies are then enforced automatically whenever a catalog member attempts to view or act on a data asset in a catalog, which prevents unauthorized users from accessing sensitive data.
For example, you can create a policy with data protection rules to deny access to data assets that contain confidential information. Without data protection rules, access to a data asset in a catalog is restricted only by the privacy setting of the data asset, which specifies the users who can view and use the asset. You can also decide to mask data in asset columns depending on their contents. In this case, users can view an asset, but not all data is revealed to them.
A shield icon next to the column name indicates that the data in the column is masked by a data protection rule.
This diagram shows the hierarchy of categories, policies, and rules.
A policy consists of one or more rules that control access to data and a description to explain to catalog users why they can’t access data in a particular data set. You can use the same rule in multiple policies. Policies are organized in categories.
Policies have this scope:
- Catalogs that are governed and in the same IBM Cloud account. When you create a catalog, you choose whether to enforce policies for that catalog. Sensitive data in catalogs that do not have governance enabled is not protected by policies.
- Data in relational data sets. Data assets with unstructured data and other types of assets are not protected by policies.
- All members of governed catalogs, regardless of their roles. The only user who is not subject to policies is the owner of the data asset. The owner of a data asset always sees the original values of that asset.
The status of a policy determines whether you can edit the policy and whether the policy is enforced.
- If a published policy is active, it can be enforced and can be edited.
- Draft policies are not yet enforced and can be edited.
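The scope and status rules above can be turned into a coverage check that lists sensitive assets no policy protects. This is an added example, not Watson Knowledge Catalog code or its API: the class and function names, the `<masked>` placeholder, the sample inventory, and the simplification that every policy applies to every asset are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    catalog_governed: bool        # policy enforcement chosen at catalog creation
    relational: bool              # relational data set vs. unstructured/other
    owner: str
    sensitive_columns: tuple = () # columns a rule would mask (constructed)

@dataclass
class Policy:
    name: str
    status: str                   # "draft" or "published"
    active: bool = False

def enforced(policy):
    # Drafts are not enforced; a published policy can be enforced when active.
    return policy.status == "published" and policy.active

def protection_gap(asset, policies):
    """Reason sensitive data in the asset is outside policy scope, else None."""
    if not asset.sensitive_columns:
        return None
    if not asset.catalog_governed:
        return "catalog is not governed"
    if not asset.relational:
        return "not a relational data set"
    if not any(enforced(p) for p in policies):
        return "no enforced policy"
    return None

def visible_row(asset, row, user, policies):
    """Row as `user` would see it; the owner always sees original values."""
    if user == asset.owner or protection_gap(asset, policies):
        return dict(row)
    return {c: "<masked>" if c in asset.sensitive_columns else v
            for c, v in row.items()}

# Constructed inventory and policies, for illustration only.
POLICIES = [Policy("pii-draft", "draft"), Policy("pii-mask", "published", True)]
INVENTORY = [
    Asset("customers", True, True, "alice", ("ssn",)),
    Asset("legacy_hr", False, True, "bob", ("salary",)),
    Asset("contracts_pdf", True, False, "carol", ("body",)),
]

def audit(inventory=INVENTORY, policies=POLICIES):
    gaps = {a.name: protection_gap(a, policies) for a in inventory}
    return {name: why for name, why in gaps.items() if why}
```

Assets that `audit()` reports are protected only by their privacy setting, so they are the ones to review first.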
Choose Catalog > Policies to view, create, or manage policies.
You must have the Admin role for the Watson Knowledge Catalog service to create categories, policies, and rules. Other users can only view categories, policies, and rules.
Some Watson Knowledge Catalog plans do not allow you to create or enforce policies.