Managing data location rules (IBM Knowledge Catalog)

You can create and manage data location rules to control access to sensitive data. Data location rules are based on criteria that you define and an action that you select.

Prerequisites

Before you create data location rules, perform these tasks:

  1. Design your data location rule. See Designing data location rules.

  2. Understand how data location rules are evaluated and enforced. See Data location rules enforcement.

  3. Make sure that you have the required user permissions or ask your platform administrator to give them to you:

    • To create data location rules, you must have the Manage data protection rules permission.
    • To include governance artifacts in your rules, you must have the Access governance artifacts permission and you must be a collaborator in the categories of the governance artifacts that you want to use in the rule.
  4. Enable the enforcement of data location rules and set the data access convention by calling the https://api.dataplatform.cloud.ibm.com/v3/enforcement/settings API to configure these settings:

    • Set enable_data_location_rules to true.
    • Set governance_dlr_type to one of these values:
      • AEAD: Default. Follows the “Allow Everything Author Deny” convention. Allows access to data unless a rule denies it. You write rules that deny access to data.

      • DEAA: Follows the “Deny Everything Author Allow” convention. Denies access to data unless a rule allows it. You write rules that allow access to data.

    For example:

    curl -X PUT -H "Authorization: Bearer $userToken" -H "Content-Type: application/json" -d "@./updateTenantSettings.json" https://api.dataplatform.cloud.ibm.com/v3/enforcement/settings

    Contents of updateTenantSettings.json:

    {
      "governance_dlr_type": "DEAA",
      "enable_data_location_rules": true
    }
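
A pre-flight check for the settings payload in step 4, as an added example that is not IBM's code: it rejects malformed JSON such as a trailing comma, checks the two fields against the values listed above, reports what happens to data that no rule matches, and builds the PUT request with TLS verification left on. The function names are hypothetical, and the strict boolean check and the "not enforced" result for a false flag are assumptions of this example rather than documented API behavior.

```python
import json
import urllib.request

# Endpoint and field names are the ones shown on this page.
SETTINGS_URL = "https://api.dataplatform.cloud.ibm.com/v3/enforcement/settings"
CONVENTIONS = {"AEAD", "DEAA"}


def load_settings(text):
    """Parse and validate the settings payload; raise ValueError on any problem."""
    try:
        body = json.loads(text)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        raise ValueError(f"payload is not valid JSON: {exc}") from exc
    if not isinstance(body, dict):
        raise ValueError("payload must be a JSON object")
    if body.get("governance_dlr_type") not in CONVENTIONS:
        raise ValueError("governance_dlr_type must be AEAD or DEAA")
    # Assumption: require a real JSON boolean, not the string "true".
    if not isinstance(body.get("enable_data_location_rules"), bool):
        raise ValueError("enable_data_location_rules must be true or false")
    return body


def default_decision(body):
    """Outcome for data that no data location rule matches (hypothetical helper)."""
    if not body["enable_data_location_rules"]:
        return "not enforced"
    return "allow" if body["governance_dlr_type"] == "AEAD" else "deny"


def build_request(body, token):
    """Build (but do not send) the PUT request; urllib verifies TLS by default."""
    return urllib.request.Request(
        SETTINGS_URL,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample payload, same shape as updateTenantSettings.json.
    sample = '{"governance_dlr_type": "DEAA", "enable_data_location_rules": true}'
    settings = load_settings(sample)
    print("data that no rule matches:", default_decision(settings))
    req = build_request(settings, token="PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
```

Send the request with urllib.request.urlopen(req) once the reported default is the one you intend; under DEAA, data is denied until an allow rule covers it.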
    

Creating data location rules

To create a data location rule:

  1. From the main menu, choose Governance > Rules.

  2. Click Add rule > Data location and sovereignty rule.

  3. Enter a name and a business definition that explains what this rule does in plain language, and select the direction in which the data must be controlled. Include standard words and terms to make it easy to search for this rule. Click Next.

  4. In the When does this rule apply? section, define the conditions in the rule builder:

    1. Select the type of item. See Criteria.
    2. Select either the contains any or the does not contain any operator.
    3. Depending on the type of item, either search for and select one or more specific values or enter one or more values, separated by commas.
    4. If necessary, add more items to the condition by selecting the And or the Or operator and other sets of items and their values.
    5. If necessary, add more conditions by clicking the plus-sign icon.
  5. Select the action to take when the specified criteria are met:

    • Deny access to the data
    • Allow access to the data
    • Redact columns
    • Obfuscate columns
    • Substitute columns

    See Actions.

Editing data location rules

You can edit all aspects of a data location rule, including the name, the description, the data direction, the criteria, and the action.

To edit a data location rule, open the rule, click Edit rule, make your changes, and click Update.

The changes take effect immediately.

Deleting data location rules

To delete a data location rule, open the rule and click Delete rule.

After you confirm that you want to delete the rule, the rule is deleted immediately and is no longer enforced.
