
Creating data de-identification rules

To define data de-identification rules, you add conditions based on user, usage, or metadata context, then assign data protections to data classes. Note that you must create data protections separately on the Data Protection tab in order to complete all steps in this procedure.
    1. Open a data de-identification policy and select the Rules tab.
    2. Click the plus sign.
    The Overview tab appears.
    The following image shows the Overview tab:
    The image shows the Overview tab, which includes Name and Description fields. "Next" and "X" buttons appear at the top of the page.
    3. Enter a name and description for the rule.
    4. Click Next.
    The Rule tab appears. On this tab, you specify the conditions that will prompt Data Access Management to apply your data protections to data classes. You also specify the data protections.
    5. In the Conditions section, click New Row.
    The following image shows the Conditions section of the Rule tab:
    The image shows the Conditions section of the Rule tab. The tab includes one condition. The condition is Usage Context is any of Customer Analysis. A "New Row" button appears. "Back," "Save," and "X" buttons appear at the top of the page.
    6. Select Or or And to determine whether the rule activates when at least one condition is true ("Or") or when all conditions are true ("And").
    7. For each condition, select an attribute, an operator, and relevant values.
    Each attribute appears.
    8. Select a contextual attribute, such as User Group or Usage Context.
    9. Select an operator, such as is any of or is not any of.
    10. Click Add Value to select the value of the contextual attribute.
    11. Once you've selected the desired values within the list, click Add Value in the list to save those selections.
    12. Click New Row again to create another condition.
    13. Continue this process until you have created all of the conditions necessary.
    You now create field level de-identifications for this rule.
    The following image shows the Field Level De-identification section of the Rule tab:
    The section includes a Field-Level Data Protections subsection where users can select a class and a protection technique.
    14. Select a data class.
    15. Assign a data protection to the data class.
    Note: You must have created a data protection separately on the Data Protection tab prior to this step in order to assign it in this step.
    16. Click New Row to select another data class.
    Continue this process until you have specified all field-level data protections relevant to the rule.
    Note: If a data element has multiple data classifications, the first occurrence of any of the assigned data classifications determines the data protection applied.
    17. Click Save.
    You can now create filters for the rule.
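
The following sketch is an added example, not Data Access Management code: it models how a rule's conditions ("is any of" / "is not any of", combined with And or Or) gate the field-level protections, and how one protection is chosen for an element that carries several data classes. The function names, group names, data classes and protection names are hypothetical, and the in-order reading of the multiple-classification note is an assumption.

```python
# Toy model of the rule logic in the steps above; all names are hypothetical.

def condition_holds(condition, context):
    """condition = (attribute, operator, values); context maps attribute -> values."""
    attribute, operator, values = condition
    overlap = bool(set(context.get(attribute, ())) & set(values))
    if operator == "is any of":
        return overlap
    if operator == "is not any of":
        return not overlap
    raise ValueError(f"unsupported operator: {operator}")

def rule_active(rule, context):
    """'And' needs every condition true; 'Or' needs at least one."""
    results = [condition_holds(c, context) for c in rule["conditions"]]
    return all(results) if rule["combinator"] == "And" else any(results)

def protection_for(element_classes, assignments):
    """Assumed reading of the multiple-classification note: walk the element's
    classes in order and use the first one that has a protection assigned."""
    for data_class in element_classes:
        if data_class in assignments:
            return assignments[data_class]
    return None  # no assigned class, so this rule leaves the element alone

def plan(rule, context, columns):
    """Return column -> protection name (or None) for one access request."""
    active = rule_active(rule, context)
    return {name: protection_for(classes, rule["protections"]) if active else None
            for name, classes in columns.items()}

# Constructed sample data: group names, classes and protection names are made up.
RULE = {
    "combinator": "And",
    "conditions": [("Usage Context", "is any of", ["Customer Analysis"]),
                   ("User Group", "is not any of", ["Privacy Office"])],
    "protections": {"Email": "mask_email", "Personal Identifier": "hash_value"},
}
COLUMNS = {"contact": ["Email", "Personal Identifier"],
           "cust_id": ["Personal Identifier"],
           "region": ["Geography"]}
ANALYST = {"Usage Context": ["Customer Analysis"], "User Group": ["Marketing"]}
PRIVACY = {"Usage Context": ["Customer Analysis"], "User Group": ["Privacy Office"]}

if __name__ == "__main__":
    print(plan(RULE, ANALYST, COLUMNS))
    print(plan(RULE, PRIVACY, COLUMNS))
```

In this model the `contact` column, classified as both Email and Personal Identifier, receives only the Email protection, so the order of classifications decides which technique an analyst actually sees applied.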

Creating cell-level de-identifications

After you create a data de-identification rule and add conditions to it, you can define cell-level de-identifications. To complete all steps in this procedure, you'll create data protections separately on the Data Protection tab.
    1. In the Assign a data protection section, click Add Cell-Level De-Identification.
    The following image shows the Cell-Level De-Identification section of the Rule tab.
    The tab includes the sections "If," "Then," and "Else, Then," arranged vertically. The sections work together to enable you to define a SQL-type query that can run on the data values. In each section, you select a class, a data type, and an operator or a data protection.
    2. In the If section, select Or or And to determine whether the cell-level de-identification activates when at least one condition is true ("Or") or when all conditions are true ("And").
    3. In the If section, click New Row.
    4. Start creating a condition by selecting a data class.
    5. Select a data type.
    Note: If you use cell-level de-identification involving dates that might be applied in Access Policy transformations in Data Integration, create a cell-level de-identification with two distinct criteria. In one criterion, use the date data type. In the other criterion, use the timestamp data type with the same values as the first criterion. This second criterion is for the Access Policy transformation. You might need to adjust your filter or create multiple filters if your condition contains multiple constraints using an And operator.
    6. Select an operator.
    Note: The data type you select determines the list of available operators. Not all operators work with all data types.
    7. Select or enter a value for the data class. Not all operators require values.
    Note: Text strings are case sensitive. Your database will calculate the date value in Coordinated Universal Time (UTC).
    8. Optionally, click New Row to add another condition to the data protection and repeat the previous steps.
    9. In the Then section, select a data class to which to assign a data protection when the condition is true.
    10. Select a data protection.
    Note: If a data element has multiple data classifications, the first occurrence of any of the assigned data classifications determines the data protection applied.
    11. Optionally, click New Row to add another data protection to the condition.
    12. You can optionally add an alternative condition and set of protections to your first condition by building a condition in the Else If section:
        a. Select Or or And to determine whether the rule activates when at least one condition is true ("Or") or when all conditions are true ("And").
        b. Select a data class.
        c. Select an operator.
        d. Select or enter a value.
        e. Optionally, add a new row to add further data classes, operators, and values to the condition.
        f. In the Then section, assign a data protection to each data class.
        Note: The data classes that appear are the ones that you chose in the If statement.
        g. In the Else section, specify how Data Access Management will transform the data classes that you identified as part of your initial Then condition that do not satisfy the conditions in this cell-level de-identification section.
        Note: The data classes that appear are the ones that you chose in the If statement.
    13. Save the rule.
    You can create multiple cell-level de-identification sections within a rule. Follow the same procedure for each section. Your updates take effect when the policy associated with the rule is published.
    If you do not have a workflow configured, the rule will automatically change to published status.
    If you have a workflow configured, the rule and its associated policy will change to draft status.
    For more information about designing workflows, see Workflows in the Metadata Command Center help.
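
The following sketch is an added example, not Data Access Management code: it models the If / Else If / Else flow of a cell-level de-identification on single rows, including the two notes about case-sensitive text and date values calculated in UTC. The operator names, data classes, sample values and protection functions are hypothetical, and timestamps are assumed to be timezone-aware.

```python
from datetime import date, datetime, timedelta, timezone

def utc_date(value):
    """Calendar date in UTC for a date or a timezone-aware timestamp."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc).date()
    return value

# Hypothetical operator names; the page does not list the product's operators.
OPERATORS = {
    "equals": lambda cell, value: cell == value,  # text comparison is case sensitive
    "is before": lambda cell, value: utc_date(cell) < utc_date(value),
}
# Hypothetical protections, standing in for ones built on the Data Protection tab.
PROTECTIONS = {
    "redact": lambda cell: "****",
    "mask_local_part": lambda cell: "***@" + cell.split("@", 1)[1],
    "domain_only": lambda cell: cell.split("@", 1)[1],
}

def section_matches(section, row):
    results = [OPERATORS[op](row[data_class], value)
               for data_class, op, value in section["conditions"]]
    return all(results) if section["combinator"] == "And" else any(results)

def deidentify_row(row, sections, else_protections):
    """sections = [If, Else If]; the first match supplies the Then protections."""
    chosen = else_protections
    for section in sections:
        if section_matches(section, row):
            chosen = section["then"]
            break
    return {dc: PROTECTIONS[chosen[dc]](cell) if dc in chosen else cell
            for dc, cell in row.items()}

# Constructed sample policy (classes, values and protections are made up).
IF = {"combinator": "And", "then": {"Email": "redact"}, "conditions": [
    ("Country", "equals", "DE"), ("Last Login", "is before", date(2024, 1, 2))]}
ELSE_IF = {"combinator": "Or", "then": {"Email": "domain_only"},
           "conditions": [("Country", "equals", "FR")]}
ELSE = {"Email": "mask_local_part"}

def login(hour, offset_hours):
    """Constructed timestamp on 2024-01-01 at hour:30 with the given UTC offset."""
    return datetime(2024, 1, 1, hour, 30, tzinfo=timezone(timedelta(hours=offset_hours)))

def email_after(country, last_login):
    row = {"Country": country, "Email": "user@example.com", "Last Login": last_login}
    return deidentify_row(row, [IF, ELSE_IF], ELSE)["Email"]
```

In this model a row with country `de`, or one whose 23:30 login at UTC-5 falls on the next day in UTC, misses the If section and receives the Else protection instead, so the Else section should carry a protection you are willing to apply to near-miss rows.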