You create data access rules to specify what data to control and how to control it. A rule is enforced only when you include it in a published data protection policy.

A data access rule consists of criteria that specify which data to control and an action that specifies how to prevent access to that data. This diagram shows the components of rules.

This image shows the components of data access rules that are described in the surrounding text.

The criteria consist of one or more conditions. A condition consists of two or more terms or classifications that describe the contents of data or identify users and that are combined by operators:

  • Asset classifications: The type of sensitive information in the asset, for example, sensitive personal information, personally identifiable information, confidential, or none.

  • Data classes: The classification of a column that categorizes the content of the data, for example, customer number, date of birth, or city.
  • Classifier groups: Sets of similar data classes, for example, the Contact Details group contains all classifiers that describe addresses.

  • System terms: Categories of types of terms, for example, asset classification, asset owner, asset tags, or user name.

  • Business terms: Terms in your business glossary that replace the predefined names of asset classifications, data classes, or system terms.

  • Tags: Metadata associated with assets.

  • User identifiers: The name or email address of a user in the account.

  • Operators: The operations that are appropriate for the type of term and the position in the condition, for example, contains any, does not contain, And, and Or.

An action prevents catalog members from accessing the data specified by the conditions:

  • Deny access to the entire asset. Affected users can see the entry for the asset in the catalog but cannot preview the contents of the asset or perform any actions on the asset.
  • Anonymize the data in columns of relational data sets based on the type of content in the column. Affected users can see anonymized columns but the values are replaced, an icon indicates that the column is anonymized, and a tooltip lists the name of the policy.

You can create data access rules while you create a data protection policy, or separately, and later add them to one or more data protection policies. Rules are used only when they are included in published data protection policies.
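The following added example is an illustrative model of the evaluation described above, not Watson Knowledge Catalog's own code or API. It shows conditions combined by operators, the two actions, and that a rule has no effect unless its policy is published. The class and field names, the context keys, the deny-over-anonymize precedence, and the sample data are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Condition:
    term: str       # assumed keys: asset_classification, tags, user_name, data_class
    operator: str   # "contains any" or "does not contain"
    values: set

    def matches(self, ctx):
        hit = bool(set(ctx.get(self.term, ())) & self.values)
        return hit if self.operator == "contains any" else not hit

@dataclass
class Rule:
    conditions: list
    combine: str    # "And" or "Or" across the conditions
    action: str     # "deny" or "anonymize"
    data_classes: set = field(default_factory=set)  # columns to anonymize

    def applies(self, ctx):
        results = [c.matches(ctx) for c in self.conditions]
        return all(results) if self.combine == "And" else any(results)

@dataclass
class Policy:
    name: str
    published: bool
    rules: list

def evaluate(policies, asset, user):
    ctx = {"asset_classification": [asset["classification"]], "tags": asset["tags"],
           "user_name": [user], "data_class": asset["columns"].values()}
    anonymized = {}
    for policy in (p for p in policies if p.published):  # unpublished: never enforced
        for rule in (r for r in policy.rules if r.applies(ctx)):
            if rule.action == "deny":   # assumption: deny outranks anonymize
                return {"access": "deny", "policy": policy.name}
            for col, cls in asset["columns"].items():
                if cls in rule.data_classes:
                    anonymized.setdefault(col, policy.name)
    return {"access": "allow", "anonymized": anonymized}

# Constructed sample data
ASSET = {"classification": "confidential", "tags": ["finance"],
         "columns": {"cust_no": "customer number", "dob": "date of birth"}}
deny_rule = Rule([Condition("asset_classification", "contains any", {"confidential"}),
                  Condition("user_name", "does not contain", {"alice@example.com"})],
                 "And", "deny")
mask_rule = Rule([Condition("data_class", "contains any", {"date of birth"})],
                 "And", "anonymize", {"date of birth"})
POLICIES = [Policy("lockdown-draft", False, [deny_rule]), Policy("mask-pii", True, [mask_rule])]
```

With the sample data, the deny rule sits in an unpublished policy and is ignored, so the only effect is that the `dob` column is anonymized under `mask-pii`.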

You must have the Admin role for the Watson Knowledge Catalog app to create rules. Other users can only view rules.

Some Watson Knowledge Catalog plans have limits on the number of rules that you can create.
