Cloud Portal ONE Desktop ONE DQ&C ONE MDM ONE RDM ONE Runtime Server
User Community Service Desk Downloads

Data Protection Classification

Data protection classification adds an extra layer of access control for sensitive data. It lets you hide data in specific attributes from users who shouldn’t see it, while still allowing them to work with the rest of the asset.

What data protection classification is for

Standard access levels control whether someone can view or edit an entire asset. Data protection classification goes deeper, letting you control visibility at the attribute level.

Data protection classification lets you:

  • Protect sensitive attributes: Hide data in attributes containing information like personal identifiers, financial data, or confidential business information.

  • Control access by tag: Manage who can see protected data by sharing classification tags with specific groups and users.

  • Maintain visibility of non-sensitive data: Users without access to protected attributes can still work with the rest of the asset (for example, see profiling and DQ results).

When to use data protection classification

Consider data protection classification for:

  • Personally identifiable information (PII): Social security numbers, passport numbers, driver’s license numbers.

  • Protected health information (PHI): Medical records, patient histories, insurance details.

  • Financial data: Credit card numbers, bank account details, transaction records.

  • Confidential business information: Pricing strategies, customer lists, trade secrets.

  • Intellectual property: Patents, proprietary research, copyrighted materials.

Examples

A marketing department dataset contains employee salaries alongside headcount and tenure data

Classify salary attributes so that most users can generate staffing reports without seeing individual compensation.

Medical research data includes patient identifiers alongside anonymized health metrics

Classify PII attributes so analysts can work with aggregate health data while patient details remain protected.

How it works

Data protection classification uses your existing glossary to identify sensitive data:

  1. Create classification tags that represent sensitivity levels (for example, "PII", "Confidential", "Restricted").

  2. Apply tags to terms in your business glossary that describe sensitive data (for example, tag the term "Social Security Number" as PII).

  3. Apply terms to attributes: data in those attributes is then hidden from unauthorized users.

This approach means you classify once at the term level, and protection follows wherever that term is used across your catalog.

When a user views a protected catalog item:

  • If they have view data access or higher on the relevant classification tag, they see the protected data.

  • If they only have view metadata access on the tag, they see that data is classified but cannot view the actual values or run related actions.

  • Protected data is marked with a lock icon.

Permissions considerations

Keep in mind:

  • Admin users bypass all data protection classifications.

  • Users who can edit and publish terms can also add and remove classification tags.

  • Users who can edit a catalog item can modify classification tags on associated terms.

Review who has edit permissions on terms and catalog items to ensure your classification scheme stays protected.

Set up data protection classification

Create a classification tag

  1. Go to Glossary > Data protection classifications.

  2. Select Create.

  3. Enter a Name for the tag (for example, "PII", "Confidential").

  4. Optionally, describe what the data protection classification is used for and provide other useful information.

  5. Select Save.

  6. Publish your changes to start applying this tag to terms.

Apply tags to a term

  1. Go to Business Glossary > Terms.

  2. Select the term you want to classify.

  3. In Data protection classification, select Apply classification.

  4. Select Add tag and choose one or more tags.

  5. Select Save. Data in attributes associated with this term is now protected.

Share classification tags

Classification tags work like other assets: you control access by sharing.

To make protected data visible to certain users, share the data protection tag with view data access or higher. For detailed instructions about sharing, see Share an Asset.

Users with view metadata access see that data is classified but cannot view values.

Share every classification tag with your root group at view metadata access. This way, all users know when data is protected and which tag applies, should they need to request access.

Configure profiling data protection

Some widgets showing profile and data quality insights might display protected data in visualizations. You can configure which elements are hidden from users who don’t have access to the classified data.

  1. Go to Glossary > Data protection classifications.

  2. From the Protect sensitive data with data classification tags description, select Show more and then configuration.

  3. Select Edit.

  4. Clear the elements that should be hidden when protected data is present.

  5. Select Save.

Elements you keep active might display protected data to users without access to the classification tag.

Best practices for data protection classification

  • Use consistent naming: Create a clear taxonomy for classification tags that your organization understands (for example, "Public", "Internal", "Confidential", "Restricted").

  • Start with broad sharing with view metadata access: Let everyone see that data is protected, then grant view data access only to those who need it.

  • Be cautious with full access: Users with full access to a classification tag can share protected data with others. Limit this to data governance leads.

  • Document your classification scheme: Make sure users understand what each tag means and how to request access to protected data.

Was this page useful?