- Platform Release 6.5
- Privacera Platform Installation
- Privacera Platform User Guide
- Privacera Discovery User Guide
- Privacera Encryption Guide
- Privacera Access Management User Guide
- AWS User Guide
- Overview of Privacera on AWS
- Configure policies for AWS services
- Using Athena with data access server
- Using DynamoDB with data access server
- Databricks access manager policy
- Accessing Kinesis with data access server
- Accessing Firehose with Data Access Server
- EMR user guide
- AWS S3 bucket encryption
- Getting started with Minio
- Plugins
- How to Get Support
- Coordinated Vulnerability Disclosure (CVD) Program of Privacera
- Shared Security Model
- Privacera Platform documentation changelog
Compliance Workflow
Data zones and workflow policies
Data zones are distinct areas in a data lake that serve specific and well-defined purposes.
Data owners and data governors can create data zones based on domains, business functional ownership, or other logical groupings. Some examples of data zones:
A data zone to manage customer data under the guardianship of a customer data steward.
A data zone to manage finance data assets under the guardianship of a data administrator from the finance organization.
Data zones simplify data access management and relieve IT of the burden of managing policies for the entire enterprise. The administrative function for a data zone can be delegated to specific data owners who have the proper permissions/roles to administer the zone. Administrators can apply selective workflow policies to their data zones.
Planning a data zone
Before you create a data zone, you should:
Identify the data owners and data governors for the data zone. Make sure these people have been added to Privacera as users.
Identify the resources, data sources and applications that should be included in the data zone.
Decide on a useful name and explanatory description for the data zone
Study the types of data zone policies to determine the kinds of policies you want to enforce in the data zone.
Create a data zone
To create a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, click +.
The Add Data Zone dialog is displayed.
In the Data Zone Name field, enter a name for the data zone.
In the Description field, enter a description (optional).
Click Save.
The data zone is created.
About the Data Zones page
The Data Zones page displays information about your data zones. This information is displayed in five different tabs:
Resources: This tab allows you to add files and folders for scanning so that you can apply policy to them. You can filter the list of resources using the search bar. The Resources tab displays the following information:
Application: The name of an application.
Resource: The name of a resource.
Re-evaluate: Allows you to re-validate resource files. Before selecting Re-evaluate , the resource file must already be scanned. This option is only available in the Right to Privacy policy and Expunge policies because these policies do not work with real-time and offline scans.
Actions: Allows you to edit or delete a resource.
Delegated Admin: A delegated admin has permission to scan data zone resources. By default, the delegated admin is privacera. Click the edit icon to change the delegated admin name.
Owners: A list of owners. You can filter the list using the search bar. The Owners tab displays the following information:
Owner: The name of the owner.
Description: The description of the owner.
Actions: Allows you to edit or delete an owner.
Policies: A list of policies. You can filter the policy list using the search bar. The Policies tab displays the following information:
Policy: The name of the policy.
Type: The type of policy. See Data Zone Workflow Policy Fields
Conditions: The conditions pertaining to the policy.
Alert Level: The alert levels: High, Medium, or Low.
Actions: The actions related to policy.
Enabled: The status of policy: Enabled or Disabled.
Settings: This allows you to edit the policy as well as you can delete the policy on clicking on respective icon under Settings column.
Tags: This tab displays the tags associated with the data zone. You can modify the tags by clicking the Edit.
Add resources
You can add two types of resources to a data zone:
Files
Database table names
To add resources to an existing data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
Select a data zone from the Data Zones menu and click ADD RESOURCE.
The Add Resource dialog is displayed.
Select an application from the Application dropdown menu (required).
In the Resource field, enter a resource name.
Note
You can add * wildcard entries for the table name.
Click Save.
The File Format resource is added.
Note
Similarly, you can add the Table format resource. i.e. DB Name and Table Name.
Click Save to create the Resource.
Configure data zone policies
Data zone policies are configured to monitor resources in a particular data zone or data lake. Alerts can be raised based on restricted users, user groups, subnets, subnet-range, tags, and restricted zones.
See Data Zone Workflow Policy Fields
To create a policy for data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, select the data zone and click the Policies tab.
Click Add Policy.
The Add Policy dialog is displayed.
In the Name field, enter a name for the policy (required).
Select an alert level from the Alert Level dropdown menu.
Select a policy type from the Type dropdown menu (required).
Note
This will change the Source label as needed. By default, Disallowed Movement policy is selected.
Enter a description into the Description field.
Using the Status toggle, set the status of the policy. By default, it is set to Enable.
Select the required Application.
Click Save.
The policy is created.
Create tags for data zones
To create a tag for data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, select an existing data zone and click the Tags tab.
Click Edit and select the Tag(s).
Select the tag(s) from the Tags dropdown menu.
Click Save.
The tags are created.
Edit data zones
To edit an existing data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, select the data zone to edit and click Edit.
The Edit Data Zone dialog is displayed.
In the Data Zone Name field, enter a name for the data zone (required).
In the Description field, enter description of the data zone.
Click Save.
The data zone is updated.
Delete data zones
To delete a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, select the created data zone and click Delete.
The Confirm Delete dialog displays.
Click Delete.
The data zone is deleted.
Disable data zones
To disable a data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, select the created data zone disable it using the Status toggle.
The data zone is disabled.
Enable data zones
To enable a data zone, do the following:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, select the created data zone and enable it using the Status toggle.
The data zone is enabled.
Import data zones
To import a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
In the Data Zones page, click the Import icon.
The Import Data Zone dialog is displayed.
Browse and select the JSON file you want to import.
Note
Only JSON format is allowed.
Click Import.
The data zone is imported.
Export data zones
To export a data zone, follow these steps:
From the navigation menu, select Compliance Workflow > Data Zones.
On the Data Zones page, click the Export icon.
Select the Data Zone(s) you want to export and click Export.
The Export Data Zone dialog displays.
Select either JSON or CSV as the export format.
Click Export.
The data zone is downloaded to your computer.
You can filter the data zone list using the Search Data Zone option. Also, the refresh feature allows you to view the updated datazone list.
Compliance Workflow Policies
Privacera has the following types of Compliance Workflow policies:
Note
If you want to use encryption for Compliance Workflow policies (i.e., De-Identification, Right to Privacy, and Workflow Encryption), you have to add the privacera_service_discovery user. See Add Discovery User for Encryption Service.
Note
The following Compliance Workflow policies are not supported on the GCP platform:
Workflow Policy
De-identification Policy
Right to Privacy Policy
Expunge Policy
Workflow Expunge Policy
Supported file formats by policy type
The following table shows the supported file formats for each policy type.
Policies | csv | avro | parquet | json | orc |
|---|---|---|---|---|---|
Workflow with Encryption | Yes | Yes | Yes | Yes | Yes |
Workflow without Encryption | Yes | Yes | Yes | Yes | Yes |
Workflow Expunge | - | - | - | Yes | - |
De-identification | Yes | Yes | Yes | Yes | Yes |
RTP | Yes | Yes | Yes | Yes | - |
Expunge | Yes | Yes | Yes | Yes | - |
Workflow Policies
Disallowed Movement Policy
This policy helps to monitor and raise alert if a user moves data to a restricted zone from any selected zones. You can add multiple source data zones by pressing enter after each value.
The Disallowed Movement Policy has the following fields:
Name: The name of the Disallowed Movement Policy.
Type: The type of policy.
Alert Level :The alert level: high, medium, or low.
Description: The description of the Disallowed Movement Policy.
Source: Allows you to add multiple data zones to be disallowed.
Disallowed Tags policy
This policy helps to monitor and raises an alert if any PII tags are identified. You can add multiple tags by clicking enter after each value.
The Disallowed Tags policy has the following fields:
Name: The name of the Disallowed Movement policy.
Type: The type of policy.
Alert Level : The alert level: high, medium, or low.
Description: The description of the Disallowed Movement policy.
Disallowed Tags: Allows you to add multiple tags to be disallowed.
Add Disallowed Tags policy
If you are creating Disallowed Movement and Disallowed Tags policies, then you can capture data zone movement using Spark. Data Zone movement can be captured in HDFS to S3.
To capture Data Zone movement using Spark, follow these steps:
Note
These data zones are examples. You should create your own.
Create directories in HDFS and add the file in one of the HDFS locations:
hdfs dfs -mkdir /colour/purple hdfs dfs -mkdir /colour/pink hdfs dfs -put /finance_us.csv /colour/purple/
Add both the created directories in Include resource of HDFS.
Create two Data Zones and add the two folders in those two Data Zones' Resources.
SourceDz: It should have resource e.g. /colour/purple/ and also the Data Zone tag.
DestinationDz: It should have resource e.g. /colour/pink/ and also the policies configured for disallowed movement and disallowed tags.
Set the Application property as follows:
Generate Alert All Part Files = false
Note
If you set Generate Alert All Part Files to false, the system generates an alert for the first two part files. If you set this property to true, the system generates an alert for all part files.
Go to the terminal and log into Spark shell as follows:
spark-shell --packages com.databricks:spark-csv_2.10:1.5.0 scala> val df = sqlContext.read.format("com.databricks.spark.csv").option("header", "true").load("/colour/purple/finance_us.csv") scala> df.coalesce(1).write.mode ("overwrite").format("com.databricks.spark.csv").option("header", "true").save("/colour/pink/finance_us_11") scala> df.repartition(4).write.mode ("overwrite").format("com.databricks.spark.csv").option("header", "true").save("/colour/pink/finance_us_100")The following output is displayed:
Kafka Topics: Check the Kafka topics audit consumption for Alerts and Lineage.
Alerts Details: Check the Alerts Details tab on the resource details for this resource.
Lineage: Check the Lineage for this resource.
Alerts Generated for part file : Check the Data Zone Graph for the alerts generation for the part files in DestinationDz.
Disallowed Subnets Policy
This policy helps to monitor and raise alerts if users moving the data into a specific data zone belong to restricted IP addresses. You can add multiple IP addresses by clicking enter after each value.
The Disallowed Subnets Policy has the following fields:
Name: The name of Disallowed Subnets Policy.
Type: The type of policy.
Alert Level : The alert level: high, medium, or low.
Description: The description for Disallowed Subnets Policy.
Disallowed Subnets: Allows you to add multiple IP Addresses to be disallowed.
Disallowed Users Policy
Disallowed Users Policy
This policy helps to monitor and raise alert if restricted users move the data into a specific data zone. You can add multiple users by clicking enter after each value for e.g. sally, mark, jason as shown in the image.
Add Disallowed Users Policy
The Disallowed Users Policy has the following fields:
Name: This field indicates name of Disallowed Users Policy.
Type: This field indicates type of policy.
Alert Level : This field indicates alert level: High, Medium, or Low.
Description: This field indicates description for Disallowed Users Policy.
Disallowed Users: This field allows you to add multiple users to be disallowed to move the data into specific data zone..
Disallowed Groups Policy
The Disallowed Groups Policy policy raises an alert if a user belonging to a restricted user group moves data into a specified data zone. You can add multiple user groups by clicking enter after each value. For example: safari, HDFS, superusers, and admin.
The Disallowed Groups Policy has the following fields:
Name: The name of the Disallowed Groups Policy.
Type: The type of policy.
Alert Level: The alert level: high, medium, or low.
Description: The description of the Disallowed Groups Policy.
Disallowed Users: Allows you to add multiple user groups to be disallowed to move the data into a specific data zone.
Disallowed Subnet Range Policy
The Disallowed Subnet Range Policy monitors and raises an alert if data is moved into a data zone that belongs to a restricted IP address range. The UI is similar to the disallowed_subnets policy, with the addition of a pair of IP addresses. Add a pair of IP addresses to specify the range by clicking enter after each single IP address.
The Disallowed Subnet Range Policy has the following fields:
Name: The name of the Disallowed Subnet Range Policy.
Type: The type of policy.
Alert Level : The alert level: high, medium, or low.
Description: The description of the Disallowed Subnet Range Policy.
Disallowed Subnet Range: Allows you to add IP address ranges to be restricted. Restricted IP addresses are unable to move data into the specified data zones.
Workflow policy
This policy includes conditions such as sensitive tags, maximum file size (for example, 1 MB), and excluded data types (for example, images). If any of the alert conditions are met, the file is moved to a quarantine location. If encryption is enabled and a sensitive tag is found, then the column with the sensitive tag is encrypted.
Note
For nested files, encryption is only supported for primitive data types, not complex data types.
Workflow policy supported data sources
The Workflow without encryption policy supports the following data sources:
AWS S3
Azure ADLS
GCP GCS
The Workflow with encryption policy supports the following data sources:
AWS S3
Azure ADLS
Supported file formats
For a list of supported file formats that the Workflow policy can be applied to, see Supported file formats by policy type
Workflow policy fields
The following fields are included in the Workflow policy:
Name: The name of Workflow policy.
Type: The Workflow policy type.
Alert Level (Optional): The level of alert: high, medium, or low.
Description (Optional): A description of the Workflow policy.
Status: A toggle to enable or disable the policy. It is enabled by default.
Application: The data source from which the scanned resources can be accessed and where the Workflow policy will be applied.
Transfer Location (Optional): The location to which the input file is transferred if any of the alert conditions are not met.
Quarantine Location: The location where the input file is moved if any of the alert conditions are met.
Archive Location (Optional): The location where a copy of the original file is moved before any tagged records are removed from it.
Search for tags: The tags that help in identifying and classifying records that will be tagged and then expunged.
Apply Encryption Schemes: This field appears when you select the Encrypt Data checkbox. This field is populated with the names of the schemes that have been added to the application's Scheme section. To view the schemes, click and expand the Encryption & Masking from left menu, and then select the Schemes.
Max File Size (MB): This field excludes files based on file size and raises an alert if the condition is met.
Exclude File Types: This field excludes the files based on file type and raises an alert if the condition is met.
The workflow policy provides two options:
Workflow policy without encryption
Workflow policy with encryption
Workflow policy without encryption
The status of the workflow policy is enabled by default. If you do not want to encrypt your data, clear the Encrypt Data checkbox.
Add a resource to a data zone
To add a resource to a data zone, see Add resources
When you run a scan on a data zone, and if any of the alert conditions are met (matching sensitive tags, file size exceeds the maximum limit, or excluded data type), the file is moved to a quarantine location.
If none of the conditions are met and you have specified a transfer location, the file will be moved to the transfer location.
Workflow policy with encryption
If you want to encrypt data, select the Encrypt Data checkbox.
Add a resource to a data zone
To add a resource to a data zone, see Add resources.
When you run a scan on a data zone, and if any of the alert conditions are met (matching sensitive tags, file size exceeding the maximum limit, or excluded data type), the column with the sensitive tag is encrypted and the file is moved to a quarantine location.
If none of the alert conditions are met and you have specified a transfer location, the file will be moved there.
If you have specified an archive location, the file will be moved to the archive location before being encrypted.
De-identification policy
The De-identification policy encrypts sensitive data from resources based on specified tags.
Supported data sources
The following data sources are supported in the AWS cloud for the De-identification policy:
S3
Snowflake
Redshift
AuroraDB Postgres
AuroraDB MySQL
PostgreSQL
Supported file formats
For a list of supported file formats that the De-identification policy can be applied to, see Supported file formats by policy type.
De-identification policy fields
The De-identification policy has the following fields:
Name: The name of the De-identification policy .
Type: The type of policy.
Alert Level (Optional) : The alert level: high, medium, or low.
Description (Optional): A description of the De-identification policy.
Status: A toggle used to enable or disable the policy. It is enabled by default.
Application: The data source from which the scanned resources can be accessed and where the De-identification policy will be applied.
Destination Location: The location where the encrypted sensitive data will be transferred.
Note
Some applications such as Snowflake and Presto SQL follow the
[Db].[Schema].[Table]hierarchy. You need to provide the destination location in the correct format[Db].[Schema]for these applications.Archive Location: This field specifies the location where a copy of the input file is stored before any tagged records are encrypted.
Note
Some applications such as Snowflake and Presto SQL follow the
[Db].[Schema].[Table]hierarchy. You need to provide the archive location in the correct format[Db].[Schema]for these applications.Search for tags: The tags used to identify or classify the data to be encrypted.
Apply Encryption Schemes: A list of scheme names that have been added to the Schemes page. To view the schemes, select Encryption & Masking > Schemes from the navigation menu.
Add a resource to a data zone
To add a resource to a data zone, see Add Resources. .
When you run a scan on a data zone, the policy will be applied and the data will be encrypted and moved to the destination location. The source file will be moved to the archive location.
If the destination location is not provided, the data will be encrypted in the resource file itself.
Right to Privacy policy
With lookup data and static masking algorithms, sensitive information such as email addresses, phone numbers, and street addresses are encrypted in the source folder and subject to the Right to Privacy (RTP).
Lookup files must be in .csv format. The fields in the lookup file are compared to the records in the resource files. If the tag is found (the value in the lookup file matches the value in the resource file for the specified tag (Search for tags)), then the field value in the resource file will be encrypted. Ensure that the header of the lookup file matches the header of the tag to be searched.
Note
The resource file should be scanned before applying the RTP policy. The RTP policy does not work on real-time or offline scans.
Right to Privacy policy supported data sources
The following data sources are supported by the RTP policy. Click the tab to display the data sources that are supported in the cloud.
AWS
S3
Snowflake
Redshift
AuroraDB Postgres
AuroraDB MySQL
PostgreSQL
Microsoft Azure
Azure ADLS
MSSQL Server Synapse
GCP
Google Cloud Storage
Right to Privacy policy supported file formats
For a list of supported file formats that the Right to Privacy policy can be applied to, see Supported file formats by policy type
Right to Privacy policy fields
The following fields are included in the RTP policy:
Name: The name of the RTP policy.
Type: The type of policy.
Alert Level: The level of alert: high, medium, or low.
Description: A description of the RTP policy.
Status: A toggle to enable or disable the RTP policy. It is enabled by default.
Application: The data source from which the scanned resources can be accessed and where the RTP policy will be applied.
Lookup Application: The name of the data source containing the lookup file. The lookup file must be in
.csvformat, with tag names in the header columns.Lookup File Location: The location of the lookup file.
Archive Location (Optional): This field specifies the location where a copy of the input file is stored before any tagged records are encrypted.
Note
Some applications such as Snowflake and Presto SQL follow the
[Db].[Schema].[Table]hierarchy. You need to provide the archive location in the correct format[Db].[Schema]for these applications.Search for tags: Tags used to identify or classify data to be encrypted.
Apply Encryption Schemes: A list of scheme names that have been added to the Schemes page. To view the schemes, select Encryption & Masking > Schemes from the navigation menu.
Use LITERAL: If this feature is enabled, the sensitive values in the resource file are replaced with literals for scheme. For more information about LITERAL, see About LITERAL.
Auto Run: If this feature is enabled, the RTP policy is applied after a specified time interval.
Add a
.csvfile to the Lookup File Location field, and it should specify which sensitive data needs to be removed from resources based on tags. For example: File name is input.csv with EMAIL tag (sample@gmail.com), PERSON_NAME tag (Alex).Now, when the resource file is being scanned, if sample@gmail.com tagged with EMAIL and Alex tagged with PERSON_NAME are matched, then this row will be considered for RTP.
Expunge policy
The Expunge policy removes sensitive information such as usernames and email addresses from your data. This information is moved into a quarantine folder.
The fields in the lookup file are compared to the records in the resource files. If the tag is found (the value in the lookup file matches the value in the resource file for the specified tag (Search for tags)), then the field value in the resource file will be deleted. Ensure that the header of the lookup file matches the header of the tag to be searched.
Note
The resource file should be scanned before applying the Expunge policy. The Expunge policy does not work on real-time or offline scans.
Expunge policy supported data sources
Thr Expunge policy supports the following data sources. Click the tab to display the data sources that are supported in the cloud.
AWS
S3
Snowflake
Redshift
AuroraDB Postgres
AuroraDB MySQL
PostgreSQL
Microsoft Azure
MSSQL Server Synapse
GCP
Google Cloud Storage
Expunge policy supported file formats
For a list of supported file formats that the Expunge policy can be applied to, see Supported file formats by policy type
Expunge policy fields
The following fields are included in the Expunge policy:
Name: The name of the Expunge policy.
Type: The type of policy.
Alert Level: The level of alert: high, medium or low.
Description: The description of the Expunge policy.
Status: A toggle to enable or disable the policy. It is enabled by default.
Application: The data source from which the scanned resources can be accessed and where the Expunge policy will be applied.
Lookup Application: The name of the data source containing lookup file. The lookup file should be in
.csvformat, with tag names in the header columns.Lookup File Location: The location of the lookup file.
Quarantine Location: The location of the data removed from the input file.
Note
Some applications such as Snowflake and Presto SQL follow the
[Db].[Schema].[Table]hierarchy. You need to provide the Quarantine location in the correct format[Db].[Schema]for these applications.Archive Location (Optional): The location of a copy of the original file.
Note
Some applications such as Snowflake and Presto SQL follow the
[Db].[Schema].[Table]hierarchy. You need to provide the Archive location in the correct format[Db].[Schema]for these applications.Search for tags: Tags that identify and classify the data to be removed.
Auto Run: If this feature is enabled, the Expunge policy is applied after a specified time interval.
Lookup File Location: Add a
.csvfile to the Lookup File Location field, and it should specify which sensitive data needs to be removed from resources based on tags. For example: File name is input.csv file with EMAIL tag (sample@gmail.com).When the file is being scanned, if “sample@gmail.com” tagged with EMAIL is matched, then this row will be removed.
Consider the following example:
A file, test_file.csv, is added to a data zone. Search for as EMAIL tag is added.
The scheduler is triggered and the system applies the Expunge policy to the resource (test_file.csv).
After applying the Expunge policy, a row in test_file.csv that contains sensitive information is removed from the file and moved to the specified quarantine location.
Workflow Expunge Policy
The Workflow Expunge policy removes sensitive data from resources based on specified tags. This policy accepts only newline-delimited JSON records format. For nested files, the Workflow Expunge policy is not supported.
Workflow Expunge policy supported data sources
The Workflow Expunge policy can be applied to the following data sources:
AWS S3
Azure ADLS
Workflow Expunge policy supported file formats
For a list of supported file formats that the Workflow Expunge policy can be applied to, see Supported file formats by policy type
Workflow Expunge policy fields
The Workflow Expunge policy has the following fields:
Name: The name of the Workflow Expunge policy.
Type: The type of policy.
Note
The Workflow Expunge policy is not visible in the dropdown of policies by default. To configure it, see Workflow Expunge Policy Setup.
Alert Level: The level of alert: high, medium or low.
Description: A description of the Workflow Expunge policy.
Status: A toggle to enable or disable the Workflow Expunge policy. It is enabled by default.
Application: The data source from which the scanned resources can be accessed and where the Workflow Expunge policy will be applied.
Transfer Location: The location that the input file is transferred to if no tagged records match the tags specified in the policy.
Quarantine Location: The location to which the input file is moved after the sensitive data is removed.
Archive Location (Optional): The location of a copy of the original file.
Search for tags: Tags that help in identifying or classifying the data to be tagged and then expunged.
Add a resource to a data zone
To add a resource in the data zone, see Add resources.
If the policy conditions are met (matching sensitive tags, file size exceeds the maximum limit, or excluded data type) when you run a scan on a data zone, then sensitive data is deleted from the file and moved to a quarantine location. Non-sensitive data will be moved to a transfer location.
Alerts Dashboard
The Alerts Dashboard provides a brief overview of anomalies in data zone scans. If a data zone has a policy for a disallowed tag or disallowed movement (when a file is incorrectly copied from one data zone to another), then an alert is generated.
For more detail about disallowed tags and disallowed data zone movement, see Data Zone Movement.
View Alerts Dashboard
To view the Alerts Dashboard, select Compliance Workflow > Alerts Dashboard from the navigation menu.
The Alerts Dashboard displays the following information:
Alert Time: The time that the alert was triggered.
Alert Level: The level of alert: high, medium, or low.
User: The name of the user.
Policy: The name of the policy.
Alert For: The details of the alert.
Reason: The reason for the alert.
Export: See Export Alert Detail.
Alerts Dashboard search filters
You can filter the alerts displayed on the Alerts Dashboard using the following methods:
Search by Category: Allows you to view alerts by category.
Include Policies: Allows you to view alerts that are marked under Include Policy.
Exclude Policies: Allows you to view alerts that are marked under Exclude Policy.
Export alert details
You can export details about alerts from the Alerts Dashboard .
To export alert details, do the following:
On the Alerts Dashboard, click Export.
From the dropdown menu, select an export format: CSV or JSON.
The Export dialog displays.
Data Zone Dashboard
Data zones are used to group and label areas within your data lake to serve specific, well defined purposes. You can apply different policies and workflows to the resources in your data zones for tailored control over your data.
Datazone - Information page
Information about individual data zones can be viewed on the Datazone - Information page.
To view the Datazone - Information page, do the following:
From the navigation menu, select Compliance Workflow > Data Zone Dashboard.
Select the data zone you want to view.
The Datazone - Information page displays.
The Datazone - Information page displays the following information:
Resource: The list of resources.
Tag: The list of tags.
Show All Tag: View all of the tags. By default, this is disabled.
Add / Edit: Add or edit the existing tags.
Datazone - Information page search filters
You can apply the following search filters on the Datazone - Information page:
Search by Resource: Search using resource names.
Search by Application: Filter results by selecting an application from the dropdown menu.
Search by Tags: Filter results by selecting tags from the dropdown menu.
Data zone movement
To view a summary of data zone movement, select Compliance Workflow > Data Zone Movement from the navigation menu.
View undefined data zone movements
On the Data Zone Movement page, click Show Undefined Zone Movements to view undefined zone movements.
Filter data zone movements
You can filter the data zone list using the Filter Data Zone option. You can also filter data zone movements by date range, including:
Today
Yesterday
Last 30 Days
This Month
Last Month
Custom Range
Note
By default, the date range is set to Last 7 Days.
Click Refresh to refresh the list of data zones.
Workflow policy use case example
Workflow policy without encryption
Add the workflow policy without encryption
Follow the steps above to add a workflow policy. In the policy, clear the Encrypt Data checkbox, if selected.
Add a resource
Select a datazone that you want to apply the workflow policy to.
Select the Resources tab.
Click Add Resource..
Note
You can add a folder or file as a resource. Resource files must be in CSV, Parquet, orc, JSON, or avro format.
Click Save.
When you run the scan on the datazone, the policy will now be applied and the data in the file will not be encrypted.
Workflow policy with encryption
Add the workflow policy with encryption
Follow the steps above to add a workflow policy. In the policy, select the Encrypt Data checkbox, and select an Encryption Scheme to the tag you want to encrypt.
Add a resource
Select a datazone that you want to apply the workflow policy to.
Select the Resources tab.
Click Add Resource button. You can add a folder or file as a resource.
Note
Resource files must be in CSV, Parquet, orc, JSON, or avro fomat.
Click Save.
Now, when you run the scan on datazone, the policy will be applied and the data in the file will be encrypted, for those tags that were marked to be encrypted.
Workflow Expunge policy
Enable Workflow Expunge policy
By default, the Workflow Expunge policy is not visible in the dropdown list of policies. To configure the Workflow Expunge policy, do the following in Discovery of Privacera Manager and Privacera Portal:
Privacera Manager
Run the following commands:
cd ~/privacera/privacera-manager cp config/sample-vars/vars.aws.discovery.yml config/custom-vars/ vi config/custom-vars/vars.aws.discovery.yml
Add the following property:
DISCOVERY_WORKFLOW_EXPUNGE_POLICY_ENABLED=true
Run the update:
cd ~/privacera/privacera-manager ./privacera-manager.sh update
Privacera Portal
Go to System configuration in the portal and add the following custom properties:
privacera.portal.datazone.policy.workflow.expunge.enable=true
Add the workflow policy
Follow the steps above to add a workflow policy. In the policy, select the Encrypt Data checkbox, and select an Encryption Scheme to the tag you want to encrypt.
Add a resource
Select a datazone that you want to apply the workflow policy to.
Select the Resources tab.
Click Add Resource button. You can add a folder or file as a resource.
Note
Resource files must be in JSON format.
Click Save.
When you run the scan on the datazone, the policy will now be applied and the data in the file will be encrypted for those tags that were marked to be encrypted.