Understand how data access policies de-identify data and filter it when you apply them through an Access Policy transformation.
You create data access policies on the Data Access Management page in Data Governance and Catalog.
Data access policies can replace, transform, or redact values in a data set while maintaining the overall usefulness of the data. A data access policy can protect different values with different mappings, based on factors such as the intended user of the data and metadata classifications that users assign to the source data. Data access policies can help your organization comply with data privacy regulations such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Rules in a data access policy can apply multiple data filters based on the following attribute types:
• Asset term
• Data element term
• Data element classification
• Data entity classification
• Order usage context
• User group
Access Policy transformations can apply the following types of data access policies:
• Data filter policies
• Data de-identification policies
Data filter policies are sets of data filter rules that limit, filter, or otherwise restrict user access to records within a data asset. Data filter rules do this by applying pre-defined filters that control access to rows or records of data.
Data filter rules evaluate data elements based on their data element classification and data type, using standard operators to compare them against specified values. Where the rule criteria are satisfied, a flag is set in an additional filter field for subsequent processing. For more information, see Data access policy best practices.
Data de-identification policies are sets of data de-identification rules that apply pre-defined data protections to data element classifications. A data element classification is a categorization applied to fields within data assets to indicate the category of data, such as birth dates, national identifiers, and postal codes.
Data de-identification rules can apply multiple data de-identification techniques, including the following operations:
• Retaining data
• Redacting all values of a given type, such as birth dates
• Replacing specified field values with NULL
• Truncating values, such as redacting the first three characters of a postal code
• Replacing values with consistently tokenized values, such as always replacing "Smith" with "Abcd" or "1234" with "5678"
• Generalizing date values to the month, year, or decade
• Replacing values with a constant text value, such as replacing all passwords with five asterisks
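The techniques listed above, sketched as an added Python example; this is not the product's implementation or API. The operation names, classification labels, key, and sample record are constructed, and masking redacted values with "X" and nulling unclassified fields are assumptions made for the illustration.

```python
import hashlib
import hmac
import string
from datetime import date

TOKEN_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a secret store

def tokenize(value):
    """Consistent tokenization: a keyed hash drives a same-shape replacement."""
    stream = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isalpha():
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)  # keep separators so the value's shape survives
    return "".join(out)

def generalize_date(value, level):
    """Reduce a date to month, year, or decade precision."""
    return {"month": f"{value:%Y-%m}", "year": f"{value:%Y}",
            "decade": f"{value.year // 10 * 10}s"}[level]

# Hypothetical operation names, one per technique in the list above.
OPERATIONS = {
    "retain": lambda v: v,
    "redact": lambda v: "X" * len(str(v)),    # assumption: mask every character
    "nullify": lambda v: None,
    "truncate": lambda v, n=3: str(v)[n:],    # drop the first n characters
    "tokenize": tokenize,
    "generalize": generalize_date,
    "constant": lambda v, text="*****": text,
}

def apply_policy(record, classifications, rules):
    """classifications: field -> classification; rules: classification -> (op, *args)."""
    out = {}
    for field, value in record.items():
        # Assumption: fields with no classification or rule fail closed to NULL.
        op, *args = rules.get(classifications.get(field), ("nullify",))
        out[field] = None if value is None else OPERATIONS[op](value, *args)
    return out

SAMPLE_RECORD = {"surname": "Smith", "birth_date": date(1987, 6, 15), "postal_code": "94105", "password": "hunter2", "notes": "vip"}
SAMPLE_CLASSES = {"surname": "Last Name", "birth_date": "Birth Date", "postal_code": "Postal Code", "password": "Password"}
SAMPLE_RULES = {"Last Name": ("tokenize",), "Birth Date": ("generalize", "decade"), "Postal Code": ("truncate", 3), "Password": ("constant",)}
```

Because the token is derived from a keyed hash rather than a lookup table, it stays consistent across runs and data sets only while the key is unchanged, and it cannot be reversed to recover the original value.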