Working with governed data in IBM Match 360

You can associate your IBM Match 360 service instance with a governed data catalog that uses data protection rules. When you associate a governed catalog with the service, IBM Match 360 seamlessly enforces data protection rules.

Data protection rules are created and managed at the Cloud Pak for Data platform level by IBM Knowledge Catalog. After the rules are created, they are available across the platform and applied to all governed catalogs and projects. For more information, see Data protection rules.

You can associate a governed catalog either during the initial setup of your service instance or later from the master data home Manage tab. After you associate a governed catalog with IBM Match 360, you cannot later modify or remove it or its connected governance assets from the IBM Match 360 service instance.

Data masking

IBM Match 360 fulfills data protection rules by masking data. Masking is used to hide sensitive data while still allowing users to work with their master data assets. Depending on the specific data protection rules in place, data can be masked in different ways:

  • Redaction - The masked data is replaced with ten X characters.
  • Substitution - The masked data is replaced with randomly generated values to preserve referential integrity.
  • Obfuscation - The masked data is replaced with values that preserve referential integrity and the original data format.

For more information about the different methods of masking data, see Masking data (IBM Knowledge Catalog).
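The practical difference between the three methods is whether masked values can still be matched across data sets. The following sketch is an added illustration, not IBM code and not how IBM Match 360 or IBM Knowledge Catalog implement masking: it assumes a keyed HMAC as a stand-in for the generated values, and the function names, key, and customer IDs are constructed for the example.

```python
import hashlib
import hmac

# Assumption: a secret key drives the deterministic masks below. The product's
# real masking internals are not described on this page.
MASK_KEY = b"constructed-demo-key"


def _digest(value: str) -> bytes:
    return hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def redact(value: str) -> str:
    """Redaction: every value becomes the same ten X characters."""
    return "X" * 10


def substitute(value: str) -> str:
    """Substitution: an unrelated token, identical for identical inputs."""
    return _digest(value).hex()[:16]


def obfuscate(value: str) -> str:
    """Obfuscation: stable per input, keeps length and character classes."""
    stream = _digest(value)
    out = []
    for i, ch in enumerate(value):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha() and ch.isascii():
            base = "A" if ch.isupper() else "a"
            out.append(chr(ord(base) + b % 26))
        else:
            out.append(ch)  # separators such as '-' keep the format
    return "".join(out)


def join_survives(mask, left, right) -> bool:
    """True when masking keeps exactly the matches the raw values had."""
    raw = {(a, b) for a in left for b in right if a == b}
    masked = {(a, b) for a in left for b in right if mask(a) == mask(b)}
    return raw == masked


# Constructed sample data: one governed attribute seen in two sources.
CRM = ["CU-104-221", "CU-377-903"]
BILLING = ["CU-377-903", "CU-858-116"]
```

On the sample data, `join_survives` is false for `redact`, because every value collapses to the same string, and true for `substitute` and `obfuscate`; only `obfuscate` returns values that still look like customer IDs.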

When you are working with governed data in the master data workspace, a shield icon next to an attribute name indicates that its values are masked by a data protection rule. Governed data is also masked on the pair review screens.

When you export master data that is covered by a data governance rule, the exported file includes masked values for governed data.

Governed data and user permissions

Data governance rules do not apply to users who have manager permissions in IBM Match 360, such as data engineers and administrators.

The following table shows the difference between the actions that a non-manager can complete in the master data workspace compared to a manager.

Master data workspace user permissions for governed data
| Master data workspace action | Users without manager role (data steward or entity viewer) | Users with manager role (data engineer or admin) |
|---|---|---|
| Simple search | No restrictions | No restrictions |
| View simple search results | Masked fields are excluded from results | No restrictions |
| Advanced search | Cannot create search rules that use governed attributes | No restrictions |
| View advanced search results | Governed data is masked | No restrictions |
| Add record | Cannot add records with governed attributes | No restrictions |
| Edit record | Cannot edit records with governed attributes | No restrictions |
| Delete record | Cannot delete records with governed attributes | No restrictions |
| Export data | Governed data is masked | No restrictions |

IBM Match 360 applies governance to search results equally, regardless of whether you search for records or entities.
