
Workflow Policy#

Based on the tags specified in the policy, this policy removes or masks sensitive data from resources. The policy is configured with conditions that check for sensitive tags, a maximum file size (e.g. 1 MB), and file types to exclude (e.g. image).

  • If any of the conditions are met, then the file will be moved to a quarantine or transfer location.

  • If encryption is enabled, and any of the conditions are met, then the data will be encrypted and moved to the quarantine location. Optionally, an input file will be moved to the archive location before being encrypted.

Note

For nested files, encryption is only supported for primitive data types, not complex data types.

Supported Data Sources#

The following data sources are supported for the Workflow without Encryption policy:

  • AWS S3
  • AZURE ADLS
  • GCP GCS

The following data sources are supported for the Workflow with Encryption policy:

  • AWS S3
  • AZURE ADLS

Supported File Formats#

For the supported file formats on which the policy can be applied, see Matrix for Supported File Formats.

The following fields are included in the Workflow policy:

  • Name: This field indicates the name of the Workflow policy.

  • Type: This field indicates the type of the Workflow policy.

  • Alert Level (Optional): This field indicates the level of alert: High, Medium, or Low.

  • Description (Optional): This field contains the description for the Workflow policy.

  • Status: This field indicates whether the policy is enabled or disabled. It is enabled by default.

  • Application: This field specifies the data source from which the scanned resources can be accessed and where the Workflow policy will be applied.

  • Transfer Location (Optional): This field specifies the location to which the input file is transferred if none of the alert conditions are met.

  • Quarantine Location: This field specifies the location where the input file is transferred if any of the alert conditions are met.

  • Archive Location (Optional): This field specifies the location where a copy of the original file is moved before any tagged records are removed from it.

  • Search for tags: The tags specified in this field identify and classify the records that will be tagged and then expunged.

  • Apply Encryption Schemes: This field appears when you select the Encrypt Data checkbox. It is populated with the names of the schemes that have been added in the application's Schemes section. To view the schemes, expand Encryption & Masking in the left menu, and then select Schemes.

    Note

    If you want to use encryption for the policy, you have to add the privacera_service_discovery user. See Add Discovery User for Encryption Service.

  • Max File Size (MB): This field excludes files larger than the specified size and raises an alert when the condition is met.

  • Exclude File Types: This field excludes files of the specified types and raises an alert when the condition is met.

The workflow policy provides two options:

  • Workflow Policy without Encryption

  • Workflow Policy with Encryption

Workflow Policy without Encryption#

The status of the workflow policy is enabled by default. If you do not want to encrypt your data, clear the Encrypt Data checkbox.

Add a Resource in the Data Zone#

To add a resource to a data zone, see Add Resources.

When you run a scan on a data zone and a policy condition is met (a matching sensitive tag, a file size above the maximum limit, or an excluded file type), an alert notification is generated and the file is moved, without its data being encrypted, to the quarantine location.

If none of the conditions (sensitive tags, file type, and file size) are met and you have specified a transfer location, the file will be moved there.

Workflow Policy with Encryption#

If you want to encrypt data, select the Encrypt Data checkbox.

Add a Resource in the Data Zone#

To add a resource to a data zone, see Add Resources.

When you run a scan on a data zone and a policy condition is met (a matching sensitive tag, a file size above the maximum limit, or an excluded file type), then if an alert notification is generated, the data in the file is encrypted and moved to the quarantine location; otherwise, the sensitive data is removed.

If none of the conditions (sensitive tags, file type, and file size) are met and you have specified a transfer location, the file will be moved there.

If you have specified an archive location, the file will be moved there before being encrypted.
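As an added illustration (not code from the product or from this page), the following Python models the routing described in the two sections above: which of the three conditions a scanned file triggers, and whether it is alerted on, archived, encrypted, quarantined, or transferred, for a policy with or without Encrypt Data selected. The class and field names, the `plan_actions` function, and all locations are constructed assumptions that mirror the policy fields listed on this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class WorkflowPolicy:
    search_tags: Set[str]          # "Search for tags"
    max_file_size_mb: float        # "Max File Size (MB)"
    exclude_file_types: Set[str]   # "Exclude File Types"
    quarantine_location: str
    transfer_location: Optional[str] = None
    archive_location: Optional[str] = None
    encrypt_data: bool = False     # the "Encrypt Data" checkbox
    enabled: bool = True           # "Status", enabled by default

@dataclass
class ScannedFile:
    path: str
    size_mb: float
    file_type: str
    tags: Set[str]                 # tags the scan attached to the file (constructed)

def matched_conditions(policy, f) -> List[str]:
    """Return which of the three alert conditions the file triggers."""
    hits = []
    if f.tags & policy.search_tags:
        hits.append("sensitive_tags")
    if f.size_mb > policy.max_file_size_mb:
        hits.append("file_size")
    if f.file_type in policy.exclude_file_types:
        hits.append("file_type")
    return hits

def plan_actions(policy, f) -> List[Tuple[str, Optional[str]]]:
    """Ordered actions the scan would take for one file under the policy."""
    if not policy.enabled:
        return []
    hits = matched_conditions(policy, f)
    if not hits:
        # No condition met: move to the transfer location only if one is set.
        return [("transfer", policy.transfer_location)] if policy.transfer_location else []
    actions = [("alert", ",".join(hits))]
    if policy.encrypt_data:
        if policy.archive_location:  # archive copy is taken before encryption
            actions.append(("archive", policy.archive_location))
        actions.append(("encrypt", f.path))
    actions.append(("quarantine", policy.quarantine_location))
    return actions
```

Call `plan_actions` with a `WorkflowPolicy` and a `ScannedFile` to see the action sequence for a given file before running a real scan.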