Data protection rules (Watson Knowledge Catalog)
You create data protection rules to specify what data to control and how to control it.
Data protection rules apply to all governed catalogs and all assets within these catalogs. Data protection rules are automatically enforced when a catalog member attempts to view or act on a data asset in a governed catalog to prevent unauthorized users from accessing sensitive data. However, if the user who is trying to access the asset is the owner of the asset (by default, the user who created the asset), then access is always granted.
For example, you can create a data protection rule to deny access to data assets that contain confidential information. Without data protection rules, access to a data asset in a catalog is only restricted by privacy setting of the data asset, which specifies the users who can view and use the asset. You can also decide to mask data in asset columns depending on their contents. In this case users can view an asset but not all data is revealed to them. A lock icon () next to the column name indicates that the data in the column is masked by a data protection rule.
Data protection rules are published and active after creation. They are not subject to workflow. You can add data protection rules to policies, however, data protection rules are enforced regardless of whether they are included in any published policies.
A data protection rule consists of criteria that specify which data to control and an action that specifies how to prevent access to that data. This diagram shows the components of data protection rules.
The criteria consists of one or more conditions. A condition consists of two or more items that describe the contents of data or identify users and that are combined by operators:
- Asset owner
- The email address of the user who owns the asset. for example: email@example.com.
- Business term
- Business terms that are assigned to assets or columns within data assets.
- Data class
- The classification of a column that categorizes the content of the data, for example, customer number, date of birth, or city.
- Metadata associated with assets.
- User name
- The name or email address of an existing user.
- The type of sensitive information in the asset, for example, sensitive personal information, personally identifiable information, confidential, or none.
- The operations that are appropriate for the type of term and the position in the condition, for example, contains any, does not contain, And, and Or.
An action prevents catalog members from accessing the data specified by the conditions:
- Deny access to the entire asset. Affected users can see the entry for the asset in the catalog but cannot preview the contents of the asset or perform any actions on the asset.
- Mask the data in columns of relational data sets based on the type of content in the column. Depending on the method of data masking, data is redacted, substituted, or obfuscated with retained formatting in the asset preview. Affected users can see masked columns but the values are replaced, an icon indicates that the column is masked, and a tooltip lists the name of the policy.
When you create a data protection rule, is it enforced immediately. You need the Manage data protection rules permission to create, edit, or delete data protection rules.
You can add a data protection rule to one or more published policies, however, policies do not affect the enforcement of data protection rules. Data protection rules are enforced regardless of whether policies that reference them become inactive or are deleted.