Data Protection Classification
Data protection classification is currently a beta feature, which means you might experience inconsistent behavior across the product. |
Data protection classification is an additional layer of protection for sensitive and restricted data. This allows you to manage access to data in the following ways:
-
Hide data in attributes containing sensitive information by applying data classification tags to terms.
-
Manage access to protected data for specific groups and users by editing their access level for data classification tags.
-
Define the visibility of profile and DQ insights for protected attributes.
When to apply data protection classification?
You might want to protect some of the following types of sensitive data using data protection based on attribute classification:
-
Personally identifiable information (PII): Social security numbers, driver’s license numbers, passport numbers.
-
Protected health information (PHI): Medical records, patient histories, insurance information.
-
Financial data: Credit card numbers, bank account numbers, transaction details.
-
Intellectual property: Trade secrets, patents, copyrighted materials.
-
Confidential business information: Strategic plans, customer lists, pricing information.
For example, the following use cases can be accomplished with data protection classification:
-
In a marketing department dataset, salaries can be hidden from users who should not access this information. These users can still generate reports on employee headcount, average tenure, and staffing without viewing individual salary figures.
-
Protecting confidential information like medical records, financial data, or trade secrets, while allowing for analysis of non-sensitive data.
Exceptions
Take note that the admin
identity provider role bypasses all restrictions, including any applied data protection classifications.
Furthermore, additional configuration might be needed for the Profile & DQ insights tab. For details, see Configure profiling data protection.
Overview
Data associated with a classified term is hidden from unauthorized users and groups in all relevant contexts.
Classified data is marked with a lock icon.
If a classified term is present, available actions are restricted as well (sufficient access level is necessary for actions such as editing, deleting, sorting). Similarly, exporting classified data is restricted from unauthorized users and groups.
To view existing data protection classification tags, go to Data Protection > Data Protection Classifications.
The data protection classifications are not listed in order of hierarchy. |
To view the details about a tag, including the information about which terms the tag is applied to, select the name of the tag from the list.
Create data protection classifications
To create a new data protection classification tag:
-
Go to Data Protection > Data Protection Classifications.
-
Select Create.
-
Provide the following information:
-
Name: Enter a name for the tag.
-
Description (Optional): Provide a description of the tag.
-
-
Select Save.
You can now proceed with classifying terms using this tag.
Classify terms
Once you have created a data protection classification, you can then apply it to relevant terms. In turn, this protects the sensitive data in attributes such terms are applied to.
To classify terms:
-
Go to Business Glossary > Terms.
-
Select a term you want to classify.
-
On the Overview tab, in Data protection classification, select Apply classification.
-
In Classify data, select Add tag.
You can select multiple tags. In such cases, only users with View data access level or higher on all applied tags can view the data. -
Select Save.
The tagged data is now visible only to users with whom the selected data protection classification tags were shared with a View data access level or higher.
As your next step, we recommend configuring profiling data protection to define which widgets are displayed on the Profile & DQ insights tab.
Users with permission to edit and publish terms can freely classify and remove classification tags from them. Similarly, users with permission to edit a catalog item can freely classify and remove classification tags from terms associated with the catalog item. For more control over applying classifications in such scenarios, we recommend setting up a workflow that includes an approval for adding and removing classification. For more information about workflows, see Workflows. |
Configure profiling data protection
Data protection classification cannot selectively hide all restricted data from widgets on the Profile & DQ insights tab. Therefore, you have the option to hide widgets containing classified data from unauthorized users and groups.
To configure how Profile & DQ insights widgets respond to classified data:
-
Go to Data Protection.
-
From the Protect sensitive data with data classification tags description, select Show more and then configuration.
-
On the Profiling Data Protection Configuration screen, select Edit.
-
Clear the widgets that should be hidden from users and groups if data they are resctricted from viewing is present.
-
Select Save.
Any widgets you decide to keep active will stay public and can display restricted data even to unauthorized users as part of the Profile & DQ insights visualizations. |
Share data protection classifications with groups and users
Sharing a data protection classification tag works the same way as with any asset: classified data is only available to groups and users with whom the relevant tag was shared with a specific access level.
However, take note that having Full access to data protection classifications gives you the ability to access and provide access to restricted data to others. Therefore, we advise caution before providing any user or group with full access to data protection classifications.
The other access levels apply as follows to data protection classification:
-
Sharing with a View metadata access level lets users see the name of the classification tag but the data remains hidden.
-
Sharing with a View data access level or higher lets users view the classified data.
For more information about sharing, including step-by-step instructions, see Share Access to Assets and Access Levels. |
We recommend you share every data protection classification tag with the Organization group with a View metadata access level. This way, all users will be aware when they cannot view certain data and which data protection classification tag is applied, should they need to request access. |
Data protection classification across ONE
The principles described in this article apply across the entire Atacama ONE suite including:
-
ONE Data
-
Data transformation plans
-
Data Stories
To learn more about the specifics of data classification in Data Stories, see Data Protection Classification in Data Stories.
Was this page useful?