Data access policy process

1. 1Determine the data access policy type that best fits your use case.
For more information, see Data access policy selection.
2. 2On the Data Access Management page, create a data access policy.
You can create the following types of data access policies:
• - Data access control policies
• - Data filter policies
• - Data de-identification policies
For more information, see Creating data access policies.
3. 3If you determine that you will be creating data de-identification policies, perform the following tasks:
1. aCreate precedence tiers so you can select them when you create the policies.
For more information, see Precedence tiers.
2. bCreate data protections so you can select them when you are create data de-identification rules.
For more information, see Data protections.
4. 4Create one or more rules to add to the data access policy.
The rule type matches the data access policy type. Rule types include the following rules:
• - Data access control rules
To create a data access control rule, you perform the following steps:
1. 1Select the data access control policy that is associated with the rule.
2. 2Give the rule a title and description.
3. 3Select the attributes that define the condition for the rule to activate.
4. 4Define filters based on data asset types that grant read, write, or delete permissions.
For more information, see Creating data access control rules.
• - Data filter rules
To create a data filter rule, you perform the following steps:
1. 1Select the data filter policy that is associated with the rule.
2. 2Give the rule a title and description.
3. 3Select the attributes that define the conditions for the rule to activate.
4. 4Define filters based on data classifications that will drop records from the result set.
For example, if you select a data classification called "Last Name," select the is any of operator, and you enter a string value of "Smith," Data Access Management will drop any record with "Smith" in the "Last Name" column. If instead, you selected the is not any of operator, Data Access Management will keep any record that has the value "Smith" in the "Last Name" column and drop all other records.
For more information, see Creating data filter rules.
• - Data de-identification rules
To create a data de-identification rule, you do the following:
1. 1Select which data de-identification policy this rule will be associated with.
2. 2Give the rule a title and description.
3. 3Select the attributes that define the conditions for this rule to activate.
4. 4Determine which data classifications to protect and whether they require field-level or cell-level de-identification.
You only assign one data protection to each data class. You can reuse the same data protection on multiple data classes.
5. 5Define field-level de-identifications, if applicable.
Determine which data protections to use to protect the data classifications. For example, a NAME column might be protected with a tokenized data protection relevant for name data. The data protection applies to the entire column.
6. 6Define cell-level de-identifications, if applicable.
Use cell-level de-identifications when the data that you want to protect is represented in multiple formats. For example, a POSTAL_CODES column might contain both U.S. and Canadian postal codes. Using cell-level de-identifications allows for a different data protection for each type of postal code. In this case, you can create tokenized data protections that match the format of each type of postal code. Data Access Management will apply the appropriate data protection based on whether the entry in the COUNTRY column is U.S. or Canada.
7. 7Optionally, add one or more alternative conditions under which the data protection applies.
For more information, see Creating data de-identification rules.
If you do not have a workflow configured, the data access policy will automatically change to published status.
If you have a workflow configured, the data access policy will change to draft status.
For more information about designing workflows, see Workflows in the Metadata Command Center help.