
Creating data de-identification rules

To define data de-identification rules, you add conditions based on user, usage, or metadata context, then assign data protections to data classes. Note that you must create data protections separately on the Data Protection tab in order to complete all steps in this procedure.
    1. Open a data de-identification policy and select the Rules tab.
    2. Click the plus sign.
    The Overview tab appears.
    The following image shows the Overview tab:
    The image shows the Overview tab, which includes Name and Description fields. "Next" and "X" buttons appear at the top of the page.
    3. Enter a name and description for the rule.
    4. Click Next.
    The Rule tab appears. On this tab, you specify the conditions that will prompt Data Access Management to apply your data protections to data classes. You also specify the data protections.
    5. In the Conditions section, click New Row.
    The following image shows the Conditions section of the Rule tab:
    The image shows the Conditions section of the Rule tab. The tab includes one condition. The condition is Usage Context is any of Customer Analysis. A "New Row" button appears. "Back," "Save," and "X" buttons appear at the top of the page.
    6. Select Or or And to determine whether the rule activates when at least one condition is true ("Or") or when all conditions are true ("And").
    7. For each condition, select an attribute, an operator, and relevant values.
    Each attribute appears.
    8. Select a contextual attribute, such as "User Group" or "Usage Context."
    9. Select an operator, such as "is any of" or "is not any of."
    10. Click Add Value to select the value of the contextual attribute.
    11. Once you've selected the desired values within the list, click Add Value in the list to save those selections.
    12. Click New Row again to create another condition.
    13. Continue this process until you have created all of the conditions necessary.
    Next, create field-level de-identifications for this rule.
    The following image shows the Field Level De-identification section of the Rule tab:
    The image shows the Field Level De-identification section of the Rule tab. The user is working in the Field-Level Data Protections section of the page. The de-identification has a class of "Address Information," protected with a protection technique called "ConsistentToken."
    14. Select a data class.
    15. Assign a data protection to the data class.
    Note: You must have created a data protection separately on the Data Protection tab prior to this step in order to assign it in this step.
    16. Click New Row to select another data class.
    Continue this process until you have specified all field-level data protections relevant to the rule.
    Note: If a data element has multiple data classifications, the first occurrence of any of the assigned data classifications determines the data protection applied.
    17. Click Save.
    You need to publish the policy associated with this rule for this new rule to take effect.
    See Publishing a data access asset.
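
The rule logic configured in this procedure, as an added Python model that is not part of the original page or of Data Access Management itself. It evaluates And/Or conditions against a request context and picks a field-level protection, assuming that "first occurrence" means the first field-level row, in order, whose data class the element carries; names not shown on this page are constructed.

```python
# Simplified model of the rule semantics above; not the product's own code.
from dataclasses import dataclass

@dataclass
class Condition:
    attribute: str      # e.g. "Usage Context" or "User Group"
    operator: str       # "is any of" or "is not any of"
    values: frozenset

    def matches(self, context):
        # An attribute may hold several values (a user in many groups).
        present = set(context.get(self.attribute, ()))
        hit = bool(present & self.values)
        if self.operator == "is any of":
            return hit
        if self.operator == "is not any of":
            return not hit
        raise ValueError(f"unsupported operator: {self.operator}")

@dataclass
class Rule:
    combinator: str     # "And" or "Or"
    conditions: list
    protections: list   # ordered (data class, data protection) rows

    def applies(self, context):
        results = [c.matches(context) for c in self.conditions]
        return all(results) if self.combinator == "And" else any(results)

    def protection_for(self, context, classifications):
        """Protection for one data element, or None if nothing applies."""
        if not self.applies(context):
            return None
        # Assumed precedence: first row whose class the element carries wins.
        for data_class, protection in self.protections:
            if data_class in classifications:
                return protection
        return None

# Constructed sample: "Privacy Office", "Contact Information", "Redact" are invented.
RULE = Rule(
    combinator="And",
    conditions=[
        Condition("Usage Context", "is any of", frozenset({"Customer Analysis"})),
        Condition("User Group", "is not any of", frozenset({"Privacy Office"})),
    ],
    protections=[("Address Information", "ConsistentToken"),
                 ("Contact Information", "Redact")],
)
```

In this model, reordering the rows in `protections` changes which protection an element with several classifications receives, so row order is worth reviewing before the policy is published.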

Creating cell-level de-identifications

After you create a data de-identification rule and add conditions to it, you can define cell-level de-identifications. To complete all steps in this procedure, you'll create data protections separately on the Data Protection tab.
    1. In the Assign a data protection section, click Add Cell-Level De-Identification.
    The following image shows the Cell-Level De-Identification section of the Rule tab.
    Subsections include "If," "Then," and "Else, Then," arranged vertically. The sections work together to enable you to define a SQL-type query that can run on the data values. In each section, you select a class, a data type, and an operator or a data protection.
    2. In the If section, select Or or And to determine whether the cell-level de-identification activates when at least one condition is true ("Or") or when all conditions are true ("And").
    3. In the If section, click New Row.
    4. Start creating a condition by selecting a data class.
    5. Select a data type.
    6. Select an operator.
    Note: The data type you select determines the list of available operators. Not all operators work with all data types.
    7. Select or enter a value for the data class. Not all operators require values.
    Note: Text strings are case sensitive. Your database will calculate the date value in Coordinated Universal Time (UTC).
    8. Optionally, click New Row to add another condition to the data protection and repeat the previous steps.
    9. In the Then section, select a data class to which to assign a data protection when the condition is true.
    10. Select a data protection.
    Note: If a data element has multiple data classifications, the first occurrence of any of the assigned data classifications determines the data protection applied.
    11. Optionally, click New Row to add another data protection to the condition.
    12. You can optionally add an alternative condition and set of protections to your first condition by building a condition in the Else If section:
        a. Select Or or And to determine whether the rule activates when at least one condition is true ("Or") or when all conditions are true ("And").
        b. Select a data class.
        c. Select an operator.
        d. Select or enter a value.
        e. Optionally, add a new row to add further data classes, operators, and values to the condition.
        f. In the Then section, assign a data protection to each data class.
           Note: The data classes that appear are the ones that you chose in the If statement.
        g. In the Else section, specify how Data Access Management will transform the data classes that you identified as part of your initial Then condition that do not satisfy the conditions in this cell-level de-identification section.
           Note: The data classes that appear are the ones that you chose in the If statement.
    13. Save the rule.
    You can create multiple cell-level de-identification sections within a rule. Follow the same procedure for each section. Your updates take effect when you publish the policy associated with the rule.
    See Publishing a data access asset.