Data location rules enforcement (IBM Knowledge Catalog)

Data location rules are enforced in notebooks in projects when all prevailing conditions for enforcement are met.

Experimental: This is an experimental release and is not yet supported for use in production environments. To try out this experimental feature, respond to this post for an example tutorial and additional information about the API.

Scope of enforcement

For the experimental release, data location rules are enforced in notebooks.

Evaluation precepts for data location rules

Data location rules evaluate requests to access data assets by using the precepts described in the following table.

Precept: Allow access when source and target locations match
Explanation: If the source location or sovereignty of the data asset and the target location or sovereignty of the user who is attempting to access the data asset are the same, access to the asset is allowed. When the location or sovereignty boundary is not crossed, data location rules are not enforced.

Precept: Restrict access to assets during profiling
Explanation: If profiling does not exist for the asset and there are data location rules that depend on profiling information, then the evaluation outcome is always to deny access to the asset.

Precept: Allow or deny access if no rules apply
Explanation: When the asset does not meet the criteria for any data location rule, the behavior depends on the data access convention setting:
• (Default) If the data access convention is set to Locked, the user is denied access to the data.
• If the data access convention is set to Unlocked, the user is allowed access to the data.

See Managing rule settings.

Precept: Enforce most secure or most lenient action
Explanation: When a user who is in a different location from the asset attempts to access the asset, all data location rules are evaluated. If the asset meets the criteria for multiple rules, the behavior depends on the rule action precedence setting.

(Default) If the rule action precedence is set to Most secure action wins, the following order of security precedence is applied:
1. Deny access
2. Mask columns or filter rows
3. Allow access

If the rule action precedence is set to Most lenient action wins, the following order of lenience precedence is applied:
1. Allow access
2. Mask columns or filter rows
3. Deny access

See Rule action precedence.

Precept: Mask with most privacy or most utility
Explanation: When a user who is in a different location from the asset attempts to access the asset, all data location rules are evaluated. If the asset meets the criteria for multiple rules, and more than one of the rules masks data, the masking method precedence is applied.

(Default) If the masking method precedence is set to Method with the most privacy wins, the following order of most privacy precedence is applied:
1. Redact method
2. Substitute method
3. Obfuscate method

If the masking method precedence is set to Method with the most utility wins, the following order of most utility precedence is applied:
1. Obfuscate method
2. Substitute method
3. Redact method

See Masking method precedence for more information.
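The five precepts above, combined into one decision function as an added example (this is not IBM's code or API). The Rule and Settings classes, the asset dictionary fields, the "transform" label for "mask columns or filter rows", and the order in which the precepts are checked are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Orderings copied from the precedence lists on this page, strongest first.
SECURE_ORDER = ["deny", "transform", "allow"]   # transform = mask columns or filter rows
PRIVACY_ORDER = ["redact", "substitute", "obfuscate"]

@dataclass
class Rule:                                # hypothetical model, not the product's schema
    matches: Callable[[dict], bool]        # rule criteria evaluated against the asset
    action: str                            # "deny", "transform" or "allow"
    mask_method: Optional[str] = None      # set only when the rule masks columns
    needs_profiling: bool = False

@dataclass
class Settings:                            # defaults mirror the "(Default)" values above
    convention: str = "Locked"
    most_secure_wins: bool = True
    most_privacy_wins: bool = True

def evaluate(asset, user_location, rules, settings=None):
    s = settings or Settings()
    if asset["location"] == user_location:      # no boundary crossed: rules not enforced
        return ("allow", None)
    if not asset["profiled"] and any(r.needs_profiling for r in rules):
        return ("deny", None)                   # profiling missing: always deny
    hits = [r for r in rules if r.matches(asset)]
    if not hits:                                # no rule applies: convention decides
        return ("deny" if s.convention == "Locked" else "allow", None)
    order = SECURE_ORDER if s.most_secure_wins else SECURE_ORDER[::-1]
    action = min((r.action for r in hits), key=order.index)
    if action != "transform":
        return (action, None)
    methods = [r.mask_method for r in hits if r.action == "transform" and r.mask_method]
    if not methods:                             # only row filters matched
        return ("transform", None)
    m_order = PRIVACY_ORDER if s.most_privacy_wins else PRIVACY_ORDER[::-1]
    return ("transform", min(methods, key=m_order.index))

# Constructed sample data: an asset stored in "DE" that matches three rules.
ASSET = {"location": "DE", "profiled": True, "classes": {"email"}}
RULES = [
    Rule(lambda a: "email" in a["classes"], "transform", "obfuscate", needs_profiling=True),
    Rule(lambda a: "email" in a["classes"], "transform", "redact"),
    Rule(lambda a: True, "allow"),
]

if __name__ == "__main__":
    print(evaluate(ASSET, "DE", RULES))   # same location
    print(evaluate(ASSET, "US", RULES))   # cross-border, default settings
```

Changing a single Settings field shows how one administrator setting changes the outcome for the same asset and rule set.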
