Data access policy process

1. 1Determine which type of data access policy best fits your use case.
For more information, see Data access policy selection.
2. 2On the Data Access Management page, create a data access policy.
You can create the following types of data access policies:
• - Data access control policies
• - Data filter policies
• - Data de-identification policies
For more information, see Creating data access policies.
3. 3If you determine that you will be creating data de-identification policies, do the following:
1. aCreate precedence tiers so you can select them when you are creating the policies.
For more information, see Precedence tiers.
2. bCreate data protections so you can select them when you are creating data de-identification rules.
For more information, see Data protections.
4. 4Create one or more rules to add to the data access policy.
The rule type matches the data access policy type. Rule types include the following:
• - Data access control rules
To create a data access control rule, you do the following:
1. 1Select which data access control policy this rule will be associated with.
2. 2Give the rule a title and description.
3. 3Select the attributes that define the condition for this rule to activate.
4. 4Define filters based on data asset types that grant read, write, or delete permissions.
For more information, see Creating data access control rules.
• - Data filter rules
To create a data filter rule, you do the following:
1. 1Select which data filter policy this rule will be associated with.
2. 2Give the rule a title and description.
3. 3Select the attributes that define the conditions for this rule to activate.
4. 4Define filters based on data classifications that will drop records from the result set.
For example, if you select a data classification called "Last Name," select the *is any of* operator, and enter a string of "Smith," Data Access Management will drop any record with "Smith" in the "Last Name" column. If instead, you selected the *is not any of* operator, Data Access Management will keep any record that has the value "Smith" in the "Last Name" column and drop all other records.
For more information, see Creating data filter rules.
• - Data de-identification rules
To create a data de-identification rule, you do the following:
1. 1Select which data de-identification policy this rule will be associated with.
2. 2Give the rule a title and description.
3. 3Select the attributes that define the conditions for this rule to activate.
4. 4Determine which data classifications to protect and whether they require field-level or cell-level de-identification.
You only assign one data protection to each data class. You can reuse the same data protection on multiple data classes.
5. 5Define field-level de-identifications, if applicable.
Determine which data protections to use to protect them. For example, a NAME column might be protected with a tokenized data protection relevant for name data. The data protection applies to the entire column.
6. 6Define cell-level de-identifications, if applicable.
Use cell-level de-identifications when the data that you want to protect is represented in multiple formats. For example, a POSTAL_CODES column might contain both U.S. and Canadian postal codes. Using cell-level de-identifications allows for a different data protection for each type of postal code. In this case, you can create tokenized data protections that match the format of each type of postal code. Data Access Management will apply the appropriate data protection based on whether the entry in the COUNTRY column is U.S. or Canada.
7. 7Optionally, you can add one or more alternative conditions under which the data protection applies.
For more information, see Creating data de-identification rules.
5. 5Publish the data access policy and enable it.
For more information, see Publishing a data access asset.