The Access Policy transformation applies data de-identification policies and data filter policies created on the Data Access Management page in Data Governance and Catalog according to the properties of the Access Policy transformation. Data access policies are sets of policies and associated rules that apply data protections and filters to de-identify attributes or redact rows from the data.
Data access policies can replace, transform, or redact values in a data set while maintaining the overall usefulness of the data. A data access policy can protect different values in different mappings, based on factors such as the intended user of the data and metadata classifications that users assign to the source data. Data access policies can help your organization comply with data privacy regulations such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Rules in a data access policy can apply multiple data filters based on the following attribute types:
• Asset term
• Data element term
• Data element classification
• Data entity classification
• Order usage context
• User group
Rules in data filter policies evaluate data elements based on their data element classification and data type, using standard operators to compare them to specified values. Where the rule criteria are satisfied, a flag is set in an additional filter field for subsequent processing. For more information, see Data filter policy best practices.
Data de-identification rules apply pre-defined data protections to data element classifications. A data element classification is a categorization applied to fields within data assets to indicate the category of data such as birth dates, national identifiers, and postal codes.
Rules in an access policy can apply multiple data de-identification techniques, including the following operations:
• Retaining data
• Redacting all values of a given type, such as birth dates
• Replacing specified field values with NULL
• Truncating values, such as redacting the first three characters of a postal code
• Replacing values with consistently tokenized values, such as always replacing "Smith" with "Abcd" or "1234" with "5678"
• Generalizing date values to the month, year, or decade
• Replacing values with a constant text value, such as replacing all passwords with five asterisks
• Substituting values with values stored in a file
• Hashing values with standard algorithms
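The following sketch is an added illustration, not Informatica's implementation or API. It shows how several of the listed techniques behave when rules are keyed by data element classification. The rule table, key, field names, and sample row are all constructed for the example, and HMAC-SHA-256 is used here as one way to get consistent tokens.

```python
import hashlib
import hmac
from datetime import date

# Constructed key for the example; a real deployment would load it from a secret store.
TOKEN_KEY = b"example-only-key"

def tokenize(value: str) -> str:
    """Consistent tokenization: the same input and key always give the same token."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def generalize_date(value: str, level: str) -> str:
    """Generalize an ISO date to the month, year, or decade."""
    d = date.fromisoformat(value)
    if level == "month":
        return f"{d.year:04d}-{d.month:02d}"
    if level == "year":
        return f"{d.year:04d}"
    if level == "decade":
        return f"{d.year // 10 * 10}s"
    raise ValueError(f"unknown level: {level}")

# Hypothetical rule table: data element classification -> protection.
RULES = {
    "birth_date": lambda v: generalize_date(v, "decade"),
    "postal_code": lambda v: "***" + v[3:],  # first three characters masked (one reading)
    "last_name": tokenize,
    "password": lambda v: "*****",           # constant text value
    "national_id": lambda v: None,           # replace with NULL
}

def deidentify(record: dict, classifications: dict) -> dict:
    """Apply the rule for each field's classification; unclassified fields are retained."""
    out = {}
    for field, value in record.items():
        rule = RULES.get(classifications.get(field))
        out[field] = rule(value) if rule and value is not None else value
    return out

# Constructed sample row and field classifications.
ROW = {"surname": "Smith", "dob": "1984-07-19", "zip": "94107",
       "ssn": "000-00-0000", "pwd": "hunter2", "country": "US"}
CLASSES = {"surname": "last_name", "dob": "birth_date", "zip": "postal_code",
           "ssn": "national_id", "pwd": "password"}

if __name__ == "__main__":
    print(deidentify(ROW, CLASSES))
```

Tokens stay consistent only while the key is unchanged, so rotating it breaks joins against previously tokenized data. Because the construction is keyed, low-entropy values such as birth dates or postal codes cannot be matched by hashing candidate values without the key.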
Data filter policies limit, filter, or otherwise restrict user access to records within a data asset.
Data filter rules apply pre-defined filters that control access to rows or records of data.
An Access Policy transformation doesn't display the data access policies, since those are dynamically applied based on the data and metadata. Users with the appropriate permissions manage data access policies on the Data Access Management page in Data Governance and Catalog.
Note: To use Access Policy transformations in your mappings, your organization must have Data Governance and Catalog in use.