Managing rule conventions (Watson Knowledge Catalog)

You can choose between two types of data access conventions for data protection rules. You can allow access to data unless a rule prevents it, or you can deny access to data unless a rule allows it.

Before you create data protection rules, plan and evaluate who the rules allow to access the data and who they deny. Designing your rules after careful planning provides a solid foundation for determining the criteria for enforcing the rules and the corresponding enforcement actions. This planning also minimizes the chance of a later decision to switch the rule access convention. If you decide later to change the access paradigm for your rules, you must first delete all of the existing rules, and then re-create the new rules for that rule class.

The following conventions apply to data protection rules.

Required permissions

You must have this user permission to set rule conventions:

Allowing access to data convention

The default behavior in the allow access convention is for data access to be granted. If you want to protect specific data, you must write rules that explicitly deny certain data access based on user or data attributes.

With the allow access data convention, data protection rules have these available actions:

An example of using this convention might include creating data protection rules that allow all company employees to access fellow employee data in general, but to restrict access to payroll information. To accomplish this, you can write a rule specifying that any asset containing attributes denoting it is related to payroll data must be denied for any user who is not in the human resource department. Thus all data of all types is allowed, and only the exception of payroll data for employees who are not in human resources is denied.

The allow access convention is the default data convention for data protection rules.

Denying access to data convention

The default behavior for the deny access convention is to deny access to data. If you want to reveal specific data, you must write rules that explicitly allow specific users to see the data. In an environment where most data access needs to be restricted, the deny convention allows you to write a few rules where data is allowed instead of writing a rule for every case where data must be restricted.

An example of using the deny convention might be a catalog containing sensitive personal information that is not allowed to be viewed across departments. In that case, access to any data asset tagged as marketing by any user who is not a member of the marketing group must be denied. However, a user who is a member of the marketing user group is allowed to see assets tagged as marketing. The convention results in all users being denied access to all data, except users in the marketing user group, who are allowed by the data protection rule to access data that is tagged as marketing.

With the deny access data convention, data protection rules have these available actions:

Setting the data access convention

The rule convention must be set before your team creates data protection rules. You must delete any existing rules before you change the convention. When you change the convention, rules have a different set of allowed actions.
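The following is an added illustration of how the two conventions differ in evaluation, not Watson Knowledge Catalog's enforcement engine or its API. It models the payroll example from the allow convention section and the marketing example from the deny convention section: under the allow convention the default decision is "allow" and rules can only deny; under the deny convention the default is "deny" and rules can only allow. It also models the constraint above that the convention cannot be changed while rules exist, and that a rule's action must fit the convention it was written for. The rule shape, tag names, group names and user names are assumptions.

```python
# Constructed model of the allow-access and deny-access rule conventions.
# Not Watson Knowledge Catalog code; rule shape, tags and groups are assumed.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW_CONVENTION = "allow"  # default decision "allow"; rules may only deny
DENY_CONVENTION = "deny"    # default decision "deny"; rules may only allow


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    matches: Callable[[User, Asset], bool]


class RuleSet:
    """Rules together with the convention they were written for."""

    def __init__(self, convention: str):
        self.convention = convention
        self.rules: List[Rule] = []

    def permitted_action(self) -> str:
        # Under the allow convention a rule can only deny, and vice versa.
        return "deny" if self.convention == ALLOW_CONVENTION else "allow"

    def add_rule(self, rule: Rule) -> None:
        if rule.action != self.permitted_action():
            raise ValueError(f"rule {rule.name!r}: action {rule.action!r} is not "
                             f"available under the {self.convention} convention")
        self.rules.append(rule)

    def set_convention(self, convention: str) -> None:
        # Existing rules must be deleted before the convention can change.
        if self.rules:
            raise RuntimeError("delete all existing rules before changing the convention")
        self.convention = convention

    def decide(self, user: User, asset: Asset) -> Tuple[str, Optional[str]]:
        """Return (decision, matching rule name). The convention's default
        decision applies when no rule matches."""
        for rule in self.rules:
            if rule.matches(user, asset):
                return rule.action, rule.name
        return self.convention, None


def payroll_scenario() -> dict:
    """Allow convention: everything granted except payroll data to non-HR users."""
    rules = RuleSet(ALLOW_CONVENTION)
    rules.add_rule(Rule("deny-payroll-outside-hr", "deny",
                        lambda u, a: "payroll" in a.tags and "human_resources" not in u.groups))
    hr_user = User("alice", frozenset({"human_resources"}))
    engineer = User("bob", frozenset({"engineering"}))
    payroll = Asset("payroll_2024", frozenset({"employee", "payroll"}))
    directory = Asset("staff_directory", frozenset({"employee"}))
    return {
        "hr_reads_payroll": rules.decide(hr_user, payroll)[0],
        "engineer_reads_payroll": rules.decide(engineer, payroll)[0],
        "engineer_reads_directory": rules.decide(engineer, directory)[0],
    }


def marketing_scenario() -> dict:
    """Deny convention: nothing visible except marketing data to the marketing group."""
    rules = RuleSet(DENY_CONVENTION)
    rules.add_rule(Rule("allow-marketing-to-marketing", "allow",
                        lambda u, a: "marketing" in a.tags and "marketing" in u.groups))
    marketer = User("carol", frozenset({"marketing"}))
    analyst = User("dave", frozenset({"finance"}))
    contacts = Asset("campaign_contacts", frozenset({"marketing", "personal"}))
    ledger = Asset("ledger", frozenset({"finance"}))
    return {
        "marketer_reads_contacts": rules.decide(marketer, contacts)[0],
        "analyst_reads_contacts": rules.decide(analyst, contacts)[0],
        "marketer_reads_ledger": rules.decide(marketer, ledger)[0],
    }


def switching_requires_empty_ruleset() -> bool:
    """Switching is refused while rules exist; after deleting them it succeeds."""
    rules = RuleSet(ALLOW_CONVENTION)
    rules.add_rule(Rule("deny-nothing", "deny", lambda u, a: False))
    try:
        rules.set_convention(DENY_CONVENTION)
        return False  # should not get here
    except RuntimeError:
        rules.rules.clear()  # "delete all of the existing rules"
    rules.set_convention(DENY_CONVENTION)
    return rules.permitted_action() == "allow"
```

Note that the same scenario needs a deny rule under the allow convention but an allow rule under the deny convention; that is why the available rule actions change with the convention and why rules written for one convention cannot simply carry over to the other.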

Rule convention for data protection rules

To set the rule convention, call the rule enforcement setting API and set governance_access_type to one of these values:

Managing rule settings

Establishing a precedence for rules and masking methods helps you determine:
