Data protection rules enforcement

Data protection rules are enforced in governed catalogs when all prevailing conditions for enforcement are met. Conditions for enforcement can include catalog settings, the identity of the user, the data format, and the tool that is reading the data. Enforcement can extend to projects and virtualized tables in some circumstances.

When you create a data protection rule, it is enforced immediately, unless the affected asset has a cached preview. In that case, the rule enforcement might be delayed for up to one day. If you change the profile of an asset in a way that triggers the enforcement in a governed catalog of a data protection rule, the rule is enforced after the asset preview is refreshed. The asset preview is refreshed daily by default. Alternatively, you can manually refresh the preview.

Scope of enforcement

Data protection rules are enforced in the following workspaces:

Catalogs: Rules are dynamically enforced when both of these conditions are true:

  • The catalog has governance enforcement that is enabled. Governance enforcement is set during catalog creation and can't be changed after the catalog is created.
  • The user is not the asset owner. The asset owner always sees the original data and is not affected by the rule.

Projects:

Assets in projects are enforced when a deep enforcement solution is configured; or when both of these following conditions are true:

  • If you have existing assets that were previously added from a governed catalog, the assets might retain its static enforcement behavior. For assets with retained static enforcement, the rules are enforced based on the user who added the asset at the time it was added, and appears the same for all other users in the project.
  • The assets with retained static enforcement are previewed, downloaded, or opened in the Data Refinery tool. Data Refinery does not support data protection rules for row filtering. Data Refinery jobs fail if the asset is governed by row-filtering data protection rules. Also, if you add an asset from IBM Knowledge Catalog to a project that is governed by row-filtering data protection rules, the masking will not be enforced in Data Refinery.

Data assets that are masked by a masking flow are permanently masked for all users. See Masking in projects.

Data virtualization: Rules are enforced when all of these conditions are true:

  • Data protection rule enforcement is enabled for virtualized tables.
  • The object is accessed as a result of a query.
  • The data asset is published to a catalog that is configured to enforce data protection rules.

See Masking virtual data.

Also check the known issues for other situations where data protection rules are not enforced. For more information, see Known issues and limitations.

Data protection rules can permanently mask data in an asset with masking flow. See Masking data with Masking flow.

Evaluation precepts for data protection rules

Data protection rules evaluate requests to access data assets by using the precepts described in the following table.

Precept Explanation
Don't enforce rules for asset owners If the user who is trying to access the asset is the owner of the asset (by default, the user who created the asset), then the rule is not enforced.
Restrict access to assets during profiling If the asset is being profiled at the same time as data protection rules that depend on profiling are being evaluated, then only the owner can access the asset. If profiling and evaluation fail to complete within 24 hours, the asset is blocked to all users except the owner of the asset.
Allow or deny access if no rules apply When the asset does not meet the criteria for any data protection rule, the behavior depends on the data access convention setting:
• (Default) If the data access convention is set to Unlocked, the user is allowed access to the data.
• If the data access convention is set to Locked, the user is denied access to the data.

See Managing rule settings.
Enforce rules on assets based on a tenant modality setting for aliases Two data assets that have the same resource key are perceived to represent the same underlying data, therefore these assets are termed as aliases. You can set how to determine which aliases to use upon an evaluate resource operation by a tenant modality setting. Call the update tenant settings API to configure the asset_dealiasing_item_selection option to one of the following values:
- Oldest (default): By creation date.
- Latest: By last modification date.
- Merge: Merges annotations such as terms and tags of all aliases.
Enforce most secure or most lenient action When a user who is not the owner of the asset attempts to access the asset, all data protection rules are evaluated. If the asset meets the criteria for multiple rules, the behavior depends on the rule action precedence setting.

(Default) If the rule action precedence is set to Most secure action wins, the following order of security precedence is applied:
1. Deny access
2. Mask columns or filter rows
3. Allow access

If the rule action precedence is set to Most lenient action wins, the following order of lenience precedence is applied:
1. Allow access
2. Mask columns or filter rows
3. Deny access

See Rule action precedence.
Mask with most privacy or most utility When a user who is not the owner of the asset attempts to access the asset, all data protection rules are evaluated. If the asset meets the criteria for multiple rules, and more than one of the rules masks data, the masking method precedence is applied.

(Default) If the masking method precedence is set to Method with the most privacy wins, the following order of most privacy precedence is applied:
1. Redact method
2. Substitute method
3. Obfuscate method

If the masking method precedence is set to Method with the most utility wins, the following order of most utility precedence is applied:
1. Obfuscate method
2. Substitute method
3. Redact method

See Masking method precedence for more information.

Masking enforcement

Masking has these effects on the appearance of an asset in a catalog, a project, or the Data virtualization workspace:

  • The data preview shows a shield icon a shield icon in the header of affected columns and a tooltip displays the name of the rule.
  • The data preview shows masked values in the affected columns.
  • The Profile page does not show profiling details for masked data columns.
  • If the data asset is downloadable, the file contains the masked values.

The schema information for the asset always reflects the total number of columns that are contained in the original asset.

For virtual data, masking enforcement in Data Virtualization has restrictions and other differences. See Masking virtual data.

Masking in projects

Masking flow jobs, write a masked copy of the source asset data in the configured target tables.

Any newly created projects are enforced when a deep enforcement solution is configured; or when both of these conditions are true:

  • If you have existing assets that were previously added from a governed catalog, the assets might retain its static enforcement behavior. For assets with retained static enforcement, the rules are enforced based on the user who added the asset at the time it was added, and appears the same for all other users in the project.
  • The assets with retained static enforcement are previewed, downloaded, or opened in the Data Refinery tool. Data Refinery does not support data protection rules for row filtering. Data Refinery jobs fail if the asset is governed by row-filtering data protection rules. Also, if you add an asset from IBM Knowledge Catalog to a project that is governed by row-filtering data protection rules, the masking will not be enforced in Data Refinery.

Learn more

Parent topic: Data protection rules