Managing data protection rules (IBM Knowledge Catalog)
You can create and manage data protection rules to define how to control access to sensitive data in governed catalogs. Data protection rules are based on criteria that you define and an action that you select.
- Prerequisites
- Creating data protection rules
- Editing data protection rules
- Deleting data protection rules
Prerequisites
Before you create data protection rules, perform these tasks:
- Design your data protection rule. See Designing data protection rules.
- Understand how data protection rules are evaluated and enforced. See Data protection rules enforcement.
- Make sure that you have the required user permissions or ask your platform administrator to give them to you:
  - To create data protection rules, you must have the Manage data protection rules permission.
  - To include governance artifacts in your rules, you must have the Access governance artifacts permission and you must be a collaborator in the categories of the governance artifacts that you want to use in the rule.
Creating data protection rules
To create a data protection rule:
- From the main menu, choose Governance > Rules.
- Click Add rule > New data protection rule.
- Enter a name and a business definition that explains what this rule does in plain language. Include standard words and terms to make it easy to search for this rule. Click Next.
- In the When does this rule apply? section, define the conditions in the rule builder:
  - Select the type of item. See Criteria.
  - Select either the contains any or the does not contain any operator.
  - Depending on the type of item, either search for and select one or more specific values or enter one or more values, separated by commas.
  - If necessary, add more items to the condition by selecting the And or the Or operator and other sets of items and their values.
  - If necessary, add more conditions by clicking the plus-sign icon.
- Select the action to take when the specified criteria are met:
  - Deny access to the data
  - Redact columns
  - Obfuscate columns
  - Substitute columns
  - Filter rows
  See Actions.
- If you choose one of the data masking actions (Redact columns, Obfuscate columns, or Substitute columns), configure masking:
  - Select which column property to use to identify columns to mask: business term, data class, column name, or tag. See Masking criteria.
  - Specify one or more names of that property. For example, if you selected data class, specify one or more data class names.
    For data classes with well-defined formats, such as Email Address or Credit Card Number, the preserve format method is used. For data classes such as Driver's License or Account Number, the identifier masking method is used, because preserve format masking is not possible for these data classes.
  - If you want to use advanced masking techniques on data assets in projects, configure the advanced masking options. See Advanced masking options.
    The default masking option settings are:
    - Consistency is set to Repeatable.
    - Input validation is disabled.
    - Reversibility is disabled.
- Click Create.
The data protection rule is published immediately and evaluated for enforcement the next time a user attempts to access a data asset in a governed catalog.
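The following added example (not IBM's code and not part of the original documentation) models how the contains any and does not contain any operators and the And/Or operators select assets, so that the reach of a rule can be checked before it is published. The attribute keys, the tag names, and the left-to-right evaluation order are assumptions of this model.

```python
from dataclasses import dataclass

# Simplified model of the rule builder on this page; not IBM's enforcement engine.
ACTIONS = {"Deny access to the data", "Redact columns", "Obfuscate columns",
           "Substitute columns", "Filter rows"}

@dataclass
class Item:
    item_type: str      # assumed attribute key, e.g. "tag" or "data class"
    operator: str       # "contains any" or "does not contain any"
    values: frozenset

    def matches(self, asset):
        hit = bool(set(asset.get(self.item_type, ())) & self.values)
        if self.operator == "contains any":
            return hit
        if self.operator == "does not contain any":
            return not hit   # also true when the asset has no values at all
        raise ValueError(f"unknown operator: {self.operator}")

def condition_matches(items, joiners, asset):
    """Combine items left to right with And/Or (evaluation order is an assumption)."""
    result = items[0].matches(asset)
    for joiner, item in zip(joiners, items[1:]):
        nxt = item.matches(asset)
        result = (result and nxt) if joiner == "And" else (result or nxt)
    return result

def evaluate(rule, asset):
    """Return the rule's action when its condition applies to the asset, else None."""
    if rule["action"] not in ACTIONS:
        raise ValueError("unsupported action")
    matched = condition_matches(rule["items"], rule["joiners"], asset)
    return rule["action"] if matched else None

# Constructed sample assets and rules (tag names are illustrative).
CUSTOMERS = {"tag": ["pii"], "data class": ["Email Address"]}
UNTAGGED = {"tag": [], "data class": []}
REVIEWED = {"tag": ["reviewed"], "data class": []}

MASK_RULE = {"action": "Redact columns", "joiners": ["And"], "items": [
    Item("tag", "contains any", frozenset({"pii", "confidential"})),
    Item("data class", "contains any", frozenset({"Email Address"}))]}
DENY_UNREVIEWED = {"action": "Deny access to the data", "joiners": [], "items": [
    Item("tag", "does not contain any", frozenset({"reviewed"}))]}

if __name__ == "__main__":
    for name, asset in [("customers", CUSTOMERS), ("untagged", UNTAGGED), ("reviewed", REVIEWED)]:
        print(name, evaluate(MASK_RULE, asset), evaluate(DENY_UNREVIEWED, asset))
```

In this model, the does not contain any rule also matches assets that carry no tags at all, which is worth checking for before you click Create.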
Editing data protection rules
You can edit all aspects of a data protection rule, including the name, the description, the criteria, and the action.
To edit a data protection rule, open the rule, click Edit rule, make your changes, and click Update.
The changes take effect immediately.
Deleting data protection rules
To delete a data protection rule, open the rule and click Delete rule.
After you confirm that you want to delete the rule, the rule is deleted immediately and is no longer enforced.
Learn more
- Designing data protection rules
- Data protection rules evaluation
- Data fabric tutorial: Protect your data
- Advanced data masking