Policy-Based Governance in Data 360
Data governance policies are rules and guidelines that define how data is accessed, used, protected, and managed. These policies help align data handling with security requirements, compliance standards, and business objectives.
Data 360 enables you to simplify policy-based governance and scale it across your data environment with tags and metadata.
- Apply tags: Apply tags to data objects and fields to classify them based on sensitivity, business purpose, or compliance needs. Tags enable scaling the data governance policies as multiple objects are protected based on a single metadata attribute.
- Assign custom permissions: Assign custom permissions to apply the policy to the appropriate users.
- Define policy criteria: Create data access or masking policies using tags and classifications and assign them to users based on custom permissions. For example, define a policy that grants access to all data tagged as “Non-Sensitive” or masks all fields tagged as “PII.”
Key Components
Policy-based governance in Data 360 comprises several core components that work together to determine how data access is controlled.
- Metadata: Describes the structure of the data, such as object names, field types, and tags that classify and govern the data.
- Resource: Refers to the actual data object or field being governed. For example, a customer table or an email field.
- Subject: Identifies the user or group the policy applies to. This is defined through custom permissions or user attributes.
- Policy Definition: Contains the rule that determines who can access what data, and under what conditions.
- Policy Enforcement: The execution layer that applies the policy at runtime, ensuring users only access the data they’re authorized to view and modify.
Access
Access policies determine if a user can view or interact with specific data. These policies typically allow or deny actions.
An allow policy explicitly allows access to data when certain conditions are met. For example, “Allow access to Sales records where the user’s region matches the record’s region.” Allow policies are commonly used to define who can access data.
A deny policy explicitly blocks access to data, even if other policies allow it. For instance, “Deny access to records marked as Confidential if the user isn’t in the Compliance team.” Deny policies take precedence over Allow policies and are useful for enforcing stricter controls or exceptions.
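The deny-over-allow precedence described above, as an added illustration (not Salesforce code and not Data 360's policy syntax): a small Python model that evaluates the two example rules against constructed users and records. The `Policy` class, the `evaluate` function and the field names are hypothetical, and the default deny when no policy matches is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Callable

# Conceptual model only: hypothetical names, not Data 360's API or policy syntax.

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                              # "allow" or "deny"
    condition: Callable[[dict, dict], bool]  # (user, record) -> does the policy match?

def evaluate(policies, user, record):
    """Return (decision, deciding policy name) using deny-overrides combining."""
    matched = [p for p in policies if p.condition(user, record)]
    for p in matched:
        if p.effect == "deny":
            return "deny", p.name   # a matching deny wins, whatever else matched
    for p in matched:
        if p.effect == "allow":
            return "allow", p.name
    return "deny", None             # assumption: no matching allow means no access

# The two example rules quoted in the text above.
POLICIES = [
    Policy("sales-region-match", "allow",
           lambda u, r: r["object"] == "Sales" and u["region"] == r["region"]),
    Policy("confidential-compliance-only", "deny",
           lambda u, r: "Confidential" in r["tags"] and u["team"] != "Compliance"),
]

# Constructed sample users and records.
emea_rep = {"region": "EMEA", "team": "Sales"}
emea_auditor = {"region": "EMEA", "team": "Compliance"}
open_deal = {"object": "Sales", "region": "EMEA", "tags": set()}
secret_deal = {"object": "Sales", "region": "EMEA", "tags": {"Confidential"}}
apac_deal = {"object": "Sales", "region": "APAC", "tags": set()}

def demo():
    """Evaluate four user/record pairs that exercise each branch of evaluate()."""
    cases = [(emea_rep, open_deal), (emea_rep, secret_deal),
             (emea_auditor, secret_deal), (emea_rep, apac_deal)]
    return [evaluate(POLICIES, u, r) for u, r in cases]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case is the one to check when reviewing a policy set: the sales rep matches the allow rule on region, yet the Confidential tag still blocks access because the deny rule also matches.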
- Policy Types in Data 360
Data 360 offers two policy categories in data governance: role-based access control (RBAC) and attribute-based access control (ABAC).
- Object, Field, and Record Level Security
Data governance policies in Data 360 control access to data at different levels such as object, field, and row, based on user roles, attributes, or relationships.
- Dynamic Data Masking Policies in Data 360
Dynamic data masking conceals sensitive data without altering its usability, accuracy, or relationships. It applies to all Data 360 objects and fields, regardless of the access method.
- Policy Enforcement in Data 360
Policies are enforced across different feature areas in Data 360 depending on whether the user is creating or consuming data. Policy enforcement doesn't take effect immediately in dashboards.

