Last updated: Jun 19, 2024
This topic establishes a guideline for designing data protection rules that use asset (data) attributes and user attributes to maximize protection. It walks through the steps to create rules based on identified partitions, which form disjoint sets of assets that can then be governed effectively by data protection rules.
Consider an example use case where data assets can contain business terms such as sensitive personal information (SPI) and personally identifiable information (PII), and data classes such as social security number (SSN). In addition, users can belong to user groups such as ADMINISTRATORS, DATA STEWARDS and DEVELOPERS. To simplify this example, user group membership is assumed to be disjoint, and data protection rules are used without relying on precedence.
Remember:
The term partition means a logical division of a group of objects; for example, partitioning all assets or all users into meaningful sets based on their assigned attributes.
A figure illustrates the partition of assets into logical sets by sets of assigned attributes.
Complete the following tasks to author data protection rules:
- Configuring rule settings.
- Identifying or partitioning the asset and user space.
- Choosing the outcome for each partition.
- Defining rules for each partition.
- Optional: Defining dynamic meta rules for decision exception processing.
Configuring rule settings
- Set the data access convention. You can choose from the following two convention options:

API setting | UI setting | Convention |
---|---|---|
AEAD (default) | Unlocked | Default. Follows the allow everything, author deny (AEAD) convention. Allows access to data unless a rule denies it. You write rules that deny access to data, mask data, and filter rows from data. |
DEAA | Locked | Follows the deny everything, author allow (DEAA) convention. Denies access to data unless a rule allows it. You write rules that allow access to data, mask data, and filter rows from data. |
Tip:
If no transform rule can be evaluated, the result defaults to the following convention decisions:
- Deny for Locked
- Allow for Unlocked
If a user attempts to access an asset and no rules are triggered, the convention determines one of the following outcomes:
- Deny: When the data access convention is set in the user interface as Locked or configured in the API as DEAA, the outcome is Deny.
- Allow: When the data access convention is set in the user interface as Unlocked or configured in the API as AEAD, the outcome is Allow.
- Set the rule action precedence. Choose one of the following options to determine the course of action to take if multiple conflicting rules are triggered at the same time for a specific asset and a specific user:
  - Most secure action wins (default setting)
    - If the data access convention is set in the user interface as Locked or configured in the API as DEAA, the precedence order is the Transform rule, then the Allow rule.
    - If the data access convention is set in the user interface as Unlocked or configured in the API as AEAD, the precedence order is the Deny rule, then the Transform rule.
  - Most lenient action wins
    - If the data access convention is set in the user interface as Locked or configured in the API as DEAA, the precedence order is the Allow rule, then the Transform rule.
    - If the data access convention is set in the user interface as Unlocked or configured in the API as AEAD, the precedence order is the Transform rule, then the Deny rule.
For example, under the Locked (DEAA) convention, if a user tries to access an asset and two rules are triggered such that one rule transforms one or more columns and the other rule allows full access to the asset, and Most lenient action wins is selected, the user can access the entire asset because the Allow rule overrides the Transform rule.
- Set the rule masking method precedence. Choose one of the following options:
  - Method with most privacy wins (default setting): the transformation precedence order is Redact, Substitute, and then Obfuscate.
  - Method with most utility wins: the transformation precedence order is Obfuscate, Substitute, and then Redact.
For example, if a user attempts to access an asset and two rules are triggered such that one rule redacts a particular column and the other rule obfuscates the same column, and Method with most privacy wins is selected, that column is redacted because the Redact rule overrides the Obfuscate rule.
For more information about the rule settings, see the Managing rule settings topic. In addition, see the following screen capture of the Manage rule settings window where you can configure the user interface.
Identifying or partitioning the asset and user space
- Take note of the attributes in the asset space, and the values of those attributes that you want to mask or protect, to form the basis of data protection rules. Examples of attributes in the asset space are data classes, business terms, tags, and column names.
- Take note of the attributes in the user space, and the values of those attributes that you want to mask or protect, to form the basis of data protection rules. Examples of attributes in the user space are user roles and user groups.
For example, consider building rules based on the business terms SPI and PII, and on the user group attribute with the values ADMINISTRATORS, DATA STEWARDS, and DEVELOPERS.
The asset space and user space can be partitioned as illustrated in the following table:
[Table: Business term | User group; the row values were not recovered.]
A Venn diagram that illustrates this example with the assets partitioned:
Choosing the outcome for each partition
Decide what the outcome is for each combination of the example attributes and values.
[Table: Business term | User group | Action or outcome selected; the row values were not recovered.]
An example set of outcomes is shown in Venn diagrams for each user group, where green indicates Allow, red indicates Deny, yellow indicates Obfuscate, and brown indicates Redact.
The example table and diagrams clarify the selected behavior for all the partitions.
Defining rules for each partition
Depending on the convention, Unlocked (AEAD) or Locked (DEAA), appropriate rules can be designed to enforce the outcome requirements. For example, consider a scenario where the following rule settings are chosen:
- Convention: Locked (DEAA), where without any rules no users get access to any data.
- Rule action precedence: Most secure action wins
- Rule masking method precedence: Method with most privacy wins
With the specified settings and outcomes, the following rules can be designed:
- Rule 1
  - Condition: IF (userGroup contains ADMINISTRATORS)
  - Action: ALLOW
- Rule 2
  - Condition: IF (userGroup contains DATA STEWARDS) AND (businessTerm contains SPI)
  - Action: REDACT (SPI)
- Rule 3
  - Condition: IF (userGroup contains DATA STEWARDS) AND (businessTerm contains PII)
  - Action: OBFUSCATE (PII)
- Rule 4: the following rules 4.1 and 4.2 are two different rules, one for each of the user groups DEVELOPERS and DATA STEWARDS:
  - Rule 4.1
    - Condition: IF (userGroup contains DEVELOPERS) AND NOT (businessTerm CONTAINS {SPI, PII})
    - Action: ALLOW
  - Rule 4.2
    - Condition: IF (userGroup contains DATA STEWARDS) AND NOT (businessTerm CONTAINS {SPI, PII})
    - Action: ALLOW
  - Optional: the following rule combines rules 4.1 and 4.2 into a single rule:
    - Condition: IF (userGroup contains {DATA STEWARDS, DEVELOPERS}) AND NOT (businessTerm CONTAINS {SPI, PII})
    - Action: ALLOW
- Rule 5
  - Condition: IF (userGroup contains DEVELOPERS) AND (businessTerm CONTAINS PII) AND NOT (businessTerm CONTAINS SPI)
  - Action: REDACT (PII)
If more asset or user attributes are included when data protection is designed, the outcome table requires extra columns to enumerate all possibilities.
A screen capture of Rule 2 in a user interface:
Continuing with the example, consider adding another asset attribute, such as a data class with the value SSN, to the rule space. To design rules in this scenario, repeat the following previous tasks with this new partitioning of the asset space:
- Identifying or partitioning the asset and user space.
- Choosing the outcome for each partition.
- Defining rules for each partition.
[Table: Business term | Data class | User group | Action or outcome selected; the row values were not recovered.]
Venn diagrams for each user group illustrate the rule space that includes a data class with the value SSN.
With the added attribute and corresponding selected outcomes, the following rules are modified in the rule space:
- Rule 6
  - Condition: IF (userGroup contains DATA STEWARDS) AND (dataClass contains SSN)
  - Action: REDACT (SSN)
- Rule 7
  - Condition: IF (userGroup contains DEVELOPERS) AND (dataClass contains SSN) AND NOT (businessTerm CONTAINS SPI)
  - Action: REDACT (SSN)
- Rule 4' (modification of Rule 4)
  - Condition: IF (userGroup contains {DATA STEWARDS, DEVELOPERS}) AND NOT (businessTerm CONTAINS {SPI, PII}) AND NOT (dataClass CONTAINS SSN)
  - Action: ALLOW
If instead the chosen convention is Unlocked (AEAD), rules can be designed with the following settings:
- Convention: Unlocked (AEAD), where without any rules all users get access to all data.
- Rule action precedence: Most secure action wins
- Rule masking method precedence: Method with most privacy wins
[Table: Business term | User group | Action or outcome selected; the row values were not recovered.]
- Rule 1
  - Condition: IF (userGroup contains DATA STEWARDS) AND (businessTerm contains SPI)
  - Action: REDACT (SPI)
- Rule 2
  - Condition: IF (userGroup contains DATA STEWARDS) AND (businessTerm contains PII)
  - Action: OBFUSCATE (PII)
- Rule 3
  - Condition: IF (userGroup contains DEVELOPERS) AND (businessTerm CONTAINS SPI)
  - Action: DENY
- Rule 4
  - Condition: IF (userGroup contains DEVELOPERS) AND (businessTerm CONTAINS PII)
  - Action: REDACT (PII)
- Rule 5
  - Condition: IF NOT (userGroup contains {ADMINISTRATORS, DATA STEWARDS, DEVELOPERS})
  - Action: DENY
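A practitioner will want to confirm that the Locked (DEAA) rule set and the Unlocked (AEAD) rule set above enforce the same outcome for every partition. The following Python evaluator is an added example, not part of IBM's product or of this page; it models the convention, the rule action precedence and the masking method precedence from Configuring rule settings, encodes both rule sets, and evaluates a whole (user group, business term) partition rather than individual columns. The group GUESTS is a constructed stand-in for users outside the three example groups.

```python
# Added example, not IBM's code; a rule is matched against one (user groups, business terms) partition.
from dataclasses import dataclass
G = frozenset  # shorthand for attribute-value sets
MASK_PRIVACY = ["REDACT", "SUBSTITUTE", "OBFUSCATE"]  # "Method with most privacy wins"
MASK_UTILITY = ["OBFUSCATE", "SUBSTITUTE", "REDACT"]  # "Method with most utility wins"

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset = G()      # userGroup contains any of these (empty: any group)
    not_groups: frozenset = G()  # NOT (userGroup contains any of these)
    terms: frozenset = G()       # businessTerm contains all of these
    not_terms: frozenset = G()   # NOT (businessTerm contains any of these)
    action: str = "ALLOW"        # ALLOW, DENY or a masking method

    def matches(self, groups, terms):
        return ((not self.groups or bool(self.groups & groups)) and not (self.not_groups & groups)
                and self.terms <= terms and not (self.not_terms & terms))

def decide(rules, groups, terms, convention="DEAA", most_secure=True, mask_order=MASK_PRIVACY):
    """Effective action for one partition; with no triggered rule the convention decides."""
    hits = {r.action for r in rules if r.matches(set(groups), set(terms))}
    if not hits:
        return "DENY" if convention == "DEAA" else "ALLOW"  # Locked denies, Unlocked allows
    # Most secure: Deny > Transform > Allow; most lenient is the reverse; mask_order ranks the transforms.
    order = ["DENY", *mask_order, "ALLOW"] if most_secure else ["ALLOW", *mask_order, "DENY"]
    return next(a for a in order if a in hits)

# Locked (DEAA) rule set from the text: only ALLOW and transforms are written.
LOCKED_RULES = [
    Rule("Rule 1", G({"ADMINISTRATORS"})),
    Rule("Rule 2", G({"DATA STEWARDS"}), terms=G({"SPI"}), action="REDACT"),
    Rule("Rule 3", G({"DATA STEWARDS"}), terms=G({"PII"}), action="OBFUSCATE"),
    Rule("Rule 4", G({"DATA STEWARDS", "DEVELOPERS"}), not_terms=G({"SPI", "PII"})),
    Rule("Rule 5", G({"DEVELOPERS"}), terms=G({"PII"}), not_terms=G({"SPI"}), action="REDACT"),
]
# Unlocked (AEAD) rule set from the text: only DENY and transforms are written.
UNLOCKED_RULES = [
    Rule("Rule 1", G({"DATA STEWARDS"}), terms=G({"SPI"}), action="REDACT"),
    Rule("Rule 2", G({"DATA STEWARDS"}), terms=G({"PII"}), action="OBFUSCATE"),
    Rule("Rule 3", G({"DEVELOPERS"}), terms=G({"SPI"}), action="DENY"),
    Rule("Rule 4", G({"DEVELOPERS"}), terms=G({"PII"}), action="REDACT"),
    Rule("Rule 5", not_groups=G({"ADMINISTRATORS", "DATA STEWARDS", "DEVELOPERS"}), action="DENY"),
]

def outcome_table(rules, convention):
    """Outcome for every example partition; GUESTS is a constructed group outside the three above."""
    groups = ["ADMINISTRATORS", "DATA STEWARDS", "DEVELOPERS", "GUESTS"]
    term_sets = [G(), G({"PII"}), G({"SPI"}), G({"SPI", "PII"})]
    return {(g, tuple(sorted(t))): decide(rules, {g}, t, convention) for g in groups for t in term_sets}
```

Comparing `outcome_table(LOCKED_RULES, "DEAA")` with `outcome_table(UNLOCKED_RULES, "AEAD")` shows the two designs agree on all sixteen partitions, including DEVELOPERS on an asset carrying both SPI and PII, which the Locked set denies by default and the Unlocked set denies through Rule 3 winning over Rule 4.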
If an asset attribute such as a data class with the value SSN is added to the rule space, the rules can be modified based on this new partitioning of the asset space.
[Table: Business term | Data class | User group | Action or outcome selected; the row values were not recovered.]
- Rule 6
  - Condition: IF (userGroup contains {DATA STEWARDS, DEVELOPERS}) AND (dataClass contains SSN)
  - Action: REDACT (SSN)
Tip:
Under the Unlocked (AEAD) convention, if assets with a public tag and without PII, SPI, or SSN were preferred to be accessible to all users, that is, the selected outcome was Allow, then the existing Rule 5 would need to be modified by adding the following extra predicates:
- Rule 5' (modification of Rule 5)
  - Condition: IF NOT (userGroup contains {ADMINISTRATORS, DATA STEWARDS, DEVELOPERS}) AND NOT (tag CONTAINS PUBLIC) AND ((businessTerm CONTAINS {SPI, PII}) OR (dataClass CONTAINS SSN))
  - Action: DENY
Optional: Defining dynamic meta rules for decision exception processing
Dynamic meta rules are created to add exceptions for certain super users. When a dynamic meta rule is defined for a certain user or user group, all data protection rules that are defined in the Defining rules for each partition section are skipped, and the users in the dynamic meta rule are granted access to all assets. For example, if a SUPERADMINS user group needs super user access, the following dynamic meta rule can be defined:
- Dynamic meta rule
  - Condition: IF (userGroup contains SUPERADMINS)
  - Action: ALLOW
A dynamic meta rule is only defined with the action ALLOW, in both Locked and Unlocked systems.