Managing rule conventions (Watson Knowledge Catalog)
You can choose between two types of data access conventions for data protection rules. You can allow access to data unless a rule prevents it, or you can deny access to data unless a rule allows it.
Before you create data protection rules, plan and evaluate whom the rules will allow to access the data and whom they will deny. Designing your rules after this careful planning provides a solid foundation for determining the criteria for enforcing the rules and the corresponding enforcement actions. It also minimizes the chance that you will later decide to switch the rule access convention. If you decide later to change the access paradigm for your rules, you must first delete all of the existing rules and then re-create the rules for that rule class under the new convention.
The following conventions apply to data protection rules.
Required permissions
You must have this user permission to set rule conventions:
- Administer platform
Allowing access to data convention
The default behavior in the allow access convention is for data access to be granted. If you want to protect specific data, you must write rules that explicitly deny certain data access based on user or data attributes.
With the allow access data convention, data protection rules have these available actions:
- Deny access to data
- Mask data
- Filter rows
An example of using this convention might include creating data protection rules that allow all company employees to access fellow employee data in general, but to restrict access to payroll information. To accomplish this, you can write a rule specifying that any asset containing attributes denoting it is related to payroll data must be denied for any user who is not in the human resource department. Thus all data of all types is allowed, and only the exception of payroll data for employees who are not in human resources is denied.
The allow access convention is the default data convention for data protection rules.
Denying access to data convention
The default behavior for the deny access convention is to deny access to data. If you want to reveal specific data, you must write rules that explicitly allow specific users to see the data. In an environment where most data access needs to be restricted, the deny convention allows you to write a few rules where data is allowed instead of writing a rule for every case where data must be restricted.
An example of using the deny convention might be a catalog containing sensitive personal information that is not allowed to be viewed between departments. In that case, any data asset tagged as marketing being accessed by any user other than a member of the marketing group must be denied. However, a user who is a member of the marketing user group is allowed to see assets tagged as marketing. The convention results in all users being denied access to all data, except users in the marketing user group, who are allowed to access data that is tagged as marketing by the data protection rule.
With the deny access data convention, data protection rules have these available actions:
- Allow access to data
- Mask data
- Filter rows
Setting the data access convention
The rule convention must be set before your team creates data protection rules. You must delete any existing rules before you change the convention. When you change the convention, rules have a different set of allowed actions.
Rule convention for data protection rules
To set the rule convention, call the rule enforcement setting API and set governance_access_type to one of these values:
- AEAD: Default. Follows the "Allow Everything Author Deny" convention. Allows access to data unless a rule denies it. You write rules that deny access to data, mask data, or filter rows from data.
- DEAA: Follows the "Deny Everything Author Allow" convention. Denies access to data unless a rule allows it. You write rules that allow access to data, mask data, or filter rows from data.
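As an added illustration, not IBM's code or API, the following Python models the two conventions described above: the rule actions each one offers, the default decision, the requirement to delete existing rules before switching, and the evaluation of this page's payroll (AEAD) and marketing (DEAA) scenarios. The Rule and RuleSet names, the user and asset dictionaries, and the precedence of mask over filter are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Actions each convention makes available, as listed on this page.
ALLOWED_ACTIONS = {
    "AEAD": {"deny", "mask", "filter"},   # allow everything, author deny rules
    "DEAA": {"allow", "mask", "filter"},  # deny everything, author allow rules
}

@dataclass
class Rule:
    name: str
    action: str                                # deny | allow | mask | filter
    matches: Callable[[Dict, Dict], bool]      # (user, asset) -> bool

class RuleSet:
    # Hypothetical in-memory model of one rule class under one convention.
    def __init__(self, convention: str):
        self.actions = ALLOWED_ACTIONS[convention]  # KeyError if unknown
        self.convention = convention
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        # An action the current convention does not offer is rejected.
        if rule.action not in self.actions:
            raise ValueError(f"{rule.action!r} not available under {self.convention}")
        self.rules.append(rule)

    def switch_convention(self, convention: str) -> None:
        # Existing rules must be deleted before the convention changes.
        if self.rules:
            raise RuntimeError("delete all existing rules before switching convention")
        self.__init__(convention)

    def evaluate(self, user: Dict, asset: Dict) -> str:
        # Returns allow, deny, mask or filter for this user and asset.
        hits = {r.action for r in self.rules if r.matches(user, asset)}
        if "deny" in hits:
            return "deny"                      # AEAD: a matching deny rule wins
        if self.convention == "DEAA" and "allow" not in hits:
            return "deny"                      # DEAA: nothing explicitly allowed it
        for action in ("mask", "filter"):      # assumed precedence: mask, then filter
            if action in hits:
                return action
        return "allow"

# Constructed rules mirroring the page's payroll (AEAD) and marketing (DEAA) scenarios.
payroll_rules = RuleSet("AEAD")
payroll_rules.add(Rule("payroll-non-hr", "deny", lambda u, a: "payroll" in a["tags"] and u["dept"] != "hr"))
marketing_rules = RuleSet("DEAA")
marketing_rules.add(Rule("marketing-group", "allow", lambda u, a: "marketing" in a["tags"] and "marketing" in u["groups"]))
```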
Managing rule settings
Establishing a precedence for rules and masking methods helps you determine:
- The rule to apply when multiple rules that have different actions apply to the same data values.
- The masking method to apply when multiple rules that have different masking methods apply to the same data values.