Working with Classification Rules

Procedure

  1. Open the Classification Policy Rules panel from the Classification Policy Finder by navigating to Discover > Classifications > Classification Policy Builder.
  2. It is recommended to use the Discover Sensitive Data scenario (Discover > End-to-End Scenario > Discover Sensitive Data) for modifying existing classification policies. Use the same Discover Sensitive Data scenario to create classification policy groups. Also, if groups have been created, they have to be explicitly selected.

Add a New Classification Policy Rule

Procedure

  1. Click the Add Rule button to open the Classification Rule definition panel.
  2. Enter a Rule Name.
  3. Optionally enter a new Category and/or Classification for the rule. The defaults are taken from the Classification Policy Definition for the policy.
  4. If the next rule in the classification policy should be evaluated after this rule is matched, mark the Continue on Match checkbox. The default is to stop evaluating rules when a rule is matched.
  5. Select a Rule Type. For a new rule, no Rule Type is selected. Once a Rule Type is selected, the panel expands to include the fields needed to define that type of rule. For the specifics of how to define each type of rule, see one of the following sections:
    • Define a Catalog Search Rule - Search the database catalog for table or column name
    • Define a Search for Data Rule - Match specific values or patterns in the data
      Note: The database authentication (user/password) defined within the datasource definition being used should have adequate levels of permission for the rule/search being defined. For example, in Oracle, a user with an appropriate role (such as SYSTEM or DBA) can properly search an access right within the database catalog. This note applies to the System Table choice when using the Search for Data Rule Type. Do not check System Table if the user does not have the SYSTEM role.
    • Define a Search for Unstructured Data Rule - Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
  6. Click the New Action button to add an action to be taken when this rule is matched. See Add a Classification Rule Action.
  7. Click Accept to add the rule to the policy.

Define a Catalog Search Rule

About this task

A catalog search rule searches the database catalog for table and/or column names matching specified patterns. Wildcards are allowed: % for zero to any number of characters, or _ (underscore) for a single character.

Procedure

  1. In the Table Type row, mark at least one type of table to be searched: Synonym, Table, or View. (Table is selected by default.)
  2. Optionally enter a specific name or a wildcard based pattern in the Table Name Like box. If omitted, all table names will be selected.
  3. Optionally enter a specific name or a wildcard based pattern in the Column Name Like box. If omitted, all column names will be selected.
  4. Click the Accept button when you are done.
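
The following is an added example, not product code: a small Python model of how the Table Type, Table Name Like and Column Name Like settings narrow a catalog, useful for previewing a pattern before saving the rule. The catalog rows are constructed, and case-sensitive whole-name matching is an assumption.

```python
import re

# Constructed catalog sample: (object type, table name, column name).
CATALOG = [
    ("Table", "CREDIT_CARD", "CARD_NUMBER"),
    ("Table", "CREDITXCARD", "CARD_NUMBER"),
    ("Table", "CREDIT_CARD", "EXPIRY"),
    ("View", "CREDIT_SUMMARY", "CARD_NO"),
    ("Table", "CUSTOMER", "SSN"),
    ("Synonym", "CC", "CARD_NUMBER"),
]

def like_to_regex(pattern):
    """Translate a wildcard pattern: % = zero or more characters, _ = exactly one."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")   # an underscore is never a literal underscore
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def catalog_search(catalog, table_types=("Table",), table_like=None, column_like=None):
    """Return the rows a rule with these settings would select.
    An omitted pattern (None or empty) selects every name."""
    t_re = like_to_regex(table_like) if table_like else None
    c_re = like_to_regex(column_like) if column_like else None
    hits = []
    for obj_type, table, column in catalog:
        if obj_type not in table_types:
            continue
        if t_re and not t_re.fullmatch(table):
            continue
        if c_re and not c_re.fullmatch(column):
            continue
        hits.append((obj_type, table, column))
    return hits
```

Because _ matches any single character, the pattern CREDIT_CARD also selects CREDITXCARD in this sample.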

Define a Search for Data Rule

About this task

A search for data rule searches one or more columns for specific data values. Wildcards are allowed: % for zero to any number of characters, or _ (underscore) for a single character. For example, the Rule Type is Search for Data, the Table Type is Table, and the Table Name Like is CREDIT%.

Procedure

  1. In the Table Type row, mark at least one type of table to be searched: Synonym, Table, or View. (Table is selected by default.)
  2. In the Table Name Like row, optionally enter a specific name or a wildcard based pattern. If omitted, all table names will be selected.
  3. In the Data Type row, select one or more data types to search.
  4. In the Column Name Like row, optionally enter a specific name or wildcard pattern. If omitted, all column names will be selected.
  5. Optionally enter a Minimum Length. If omitted, no limit.
  6. Optionally enter a Maximum Length. If omitted, no limit.
  7. In the Search Like field, optionally enter a specific value or a wildcard based pattern. If omitted, all values will be selected.
  8. In the Search Expression field, optionally enter a regular expression to define a pattern to be matched. To test a regular expression, click the (Regex) button to open the Build Regular Expression panel in a separate window. For detailed information about how to use regular expressions, see Regular Expressions.
  9. In the Evaluation Name, optionally enter a fully qualified Java™ class name that has been created and uploaded. The Java class will then be used to fire and evaluate the string. There is no validation that the class name entered was loaded and conforms to the interface. See Custom Evaluation and Manage Custom Classes for more information on creation and uploading of Java class files.
  10. Optionally enter a Fire only with Marker name. See Fire only with Marker.
  11. In the Hit Percentage field, optionally enter the percentage of matching data that must be reached for this rule to fire. Data is returned if the percentage of examined data that matches is greater than or equal to (>=) the percentage value entered. An empty entry means that the hit percentage is not a condition and does not affect whether the rule fires and returns data to the view screen. A percentage of 0 causes the rule to fire for this condition and return data to the view screen. A percentage of 100 requires that all data match.
  12. In the Compare to Values in SQL field, optionally enter a SQL statement. The SQL statement, which must return information from one and only one column, is then used as a group of values to search against the tables and/or columns selected. If used, the Compare to Values in SQL statement should follow these rules:
    • The SQL statement MUST begin with SELECT
    • The SQL statement SHOULD NOT use the semicolon (';')
    • The SQL entered MUST specify a schema value name in order to be accurate in returning results.
    • Good examples include:
      SELECT ename FROM scott.emp
      select EMPNUMBER from SYSTEM.EMP where EMPNUMBER in(5555,4444) 
      select DNAME from SCOTT.DEPT where DNAME like 'A%G' 
      SELECT ZIP from SCOTT.FOO where ZIP in (SELECT ZIP FROM SCOTT.FOO)
  13. In the Compare to Values in Group field, optionally select a group. The group selected will then be used as a group of values to search against the tables and/or columns selected. As long as one of the values within the group, which is either a public or a classifier group, matches, the value rule will return data.
  14. Mark the Show Unique Values checkbox to add details to the Comments about which values matched the classification policy rules and fired. Use a regular expression in the Unique Values Mask field to redact the unique values. For example, mark the Show Unique Values checkbox and use ([0-9]{2}-[0-9]{3})-[0-9]{4} in the Unique Values Mask field to log the last four digits and redact the prefix digits.
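
The following is an added example, not product code: a Python model of how Search Expression, Hit Percentage and Unique Values Mask interact on a sampled column, so a rule can be reasoned about before it logs anything. The column values are constructed. Whole-value matching, firing on any match when Hit Percentage is empty, and replacing the masked group with asterisks are assumptions.

```python
import re

# Constructed column sample: 3 of 5 values (60%) match the expression.
COLUMN = ["12-345-6789", "98-765-4321", "12-345-6789", "n/a", "unknown"]
SEARCH_EXPRESSION = r"[0-9]{2}-[0-9]{3}-[0-9]{4}"
UNIQUE_VALUES_MASK = r"([0-9]{2}-[0-9]{3})-[0-9]{4}"  # mask from the step above

def evaluate_rule(values, search_expression, hit_percentage=None):
    """Return (fired, matched_values) for a sampled column.

    hit_percentage=None models an empty field: it is not a condition, so the
    rule fires on any match (assumption). Otherwise the rule fires when the
    share of matching values is >= hit_percentage, so 0 always fires and
    100 requires every value to match.
    """
    rx = re.compile(search_expression)
    matched = [v for v in values if rx.fullmatch(v)]
    if hit_percentage is None:
        return bool(matched), matched
    pct = 100.0 * len(matched) / len(values) if values else 0.0
    return pct >= hit_percentage, matched

def mask_unique_values(matched, mask_expression, fill="*"):
    """Redact the text captured by group 1 of the mask and keep the rest.
    Returns the sorted unique values as they would be logged."""
    rx = re.compile(mask_expression)

    def redact(m):
        start, end = m.start(1) - m.start(), m.end(1) - m.start()
        whole = m.group(0)
        return whole[:start] + fill * (end - start) + whole[end:]

    return sorted({rx.sub(redact, v) for v in matched})

def logged_comment_values(values, search_expression, hit_percentage, mask):
    """Values that reach the Comments: nothing unless the rule fired."""
    fired, matched = evaluate_rule(values, search_expression, hit_percentage)
    return mask_unique_values(matched, mask) if fired else []
```

With the sample column, a Hit Percentage of 60 fires and logs only the masked forms, while 61 or 100 logs nothing.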

Define a Search for Unstructured Data Rule

About this task

A Search for Unstructured Data rule examines a non-database file.

Procedure

  1. In the Search Like box, optionally enter a specific value or a wildcard based pattern. If omitted, all values will be selected.
  2. In the Search Expression box, optionally enter a regular expression to define a pattern to be matched. To test a regular expression, click the regex icon to open the Build Regular Expression panel in a separate window. For detailed information about how to use regular expressions, see Regular Expressions.
  3. Optionally enter a marker name.