Tag Management
Tag Management in Privacera allows you to create, manage, and apply tags to resources across various data platforms. Tags are metadata labels that can be used to classify and organize data, making it easier to enforce access control and encryption/masking policies and manage data governance.
There are two steps to manage tags in Privacera:
- Tag Definition: This is the process of creating a tag and defining its attributes. Tag definitions are used to classify and organize data.
- Tagging Resources: This is the process of applying tags to resources. Tags can be applied to various data resources such as databases, tables, and columns.
```mermaid
flowchart RL
    subgraph Step 1: Tag Definition
        TAG1[Tag: PII <br> attribute=sensitivityLevel]
        TAG2[Tag: GDPR]
    end
    subgraph Step 2: Tagging Resources
        R1[Column: customer.email<br>sensitivityLevel=MEDIUM]
        R2[Column: customer.ssn<br>sensitivityLevel=HIGH]
        R3[File: s3://data/hr/euro_employees.csv]
        R4[Table: euro_customers]
        R1 -->|tagged with| TAG1
        R2 -->|tagged with| TAG1
        R3 -->|tagged with| TAG2
        R4 -->|tagged with| TAG2
    end
```
Privacera supports managing tags using APIs and Privacera Portal.
Tag Management via APIs
Privacera supports the standard APIs from Apache Ranger for tag management. The APIs allow you to create, update, delete, and retrieve tags and their associated metadata.
Here is the API documentation for your reference.
Tag Definition via Privacera Portal
Privacera Portal provides a user-friendly interface for managing tags. You can create, edit, and delete tags, as well as assign them to resources. The following sections describe how to manage tags using the Privacera Portal.
Managing Tag Definitions from Privacera Portal
Tag definitions are used to classify and organize data. You can create tag definitions to categorize data based on its sensitivity, e.g. PII, Sensitive, Confidential, etc.
- Go to Access Management > Tag Management.
- Click + Create Tag.
- Enter the Tag Name.
- Click Save.
Optionally, you can also add attributes to the tag definition. Each attribute has a name and a type.
In the Privacera Portal, you can add attributes to a tag definition by following these steps:
- While creating or editing a tag definition, click Add Attribute.
- Enter the Attribute Name.
- Select the Attribute Type. Valid types are:
    - String
    - Integer
    - Boolean
    - Date
- Click Save.
Managing Tagging Resources
Tagging resources is the process of applying tags to resources. Tags can be applied to various data resources such as databases, tables, columns, and files.
To associate a tag with a resource, you can use the following steps:
- Go to Access Management > Tag Management.
- Click on the Tagged Resources tab.
- Click + Tag Resource.
- Select the Service. This is the data platform where the resource is located. E.g. privacera_snowflake
- Select the Tags. This is the tag you want to apply to the resource. E.g. PII
- Select the Resource Type. The dropdown will show the available resource types based on the selected service. E.g. Table, Column, File
- For the Resource Type selected, enter the resource names for each resource hierarchy. For example, if you select Table, you will need to enter the database name and table name.
- Click Save.
If there are attributes defined for the tag, you will have the option to enter the attribute values for each resource. For example, if you have a tag PII with an attribute sensitivityLevel, you can enter the sensitivity level for each resource.
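The two steps above (tag definition, then tagging resources with attribute values) can also be expressed as one document for the tag APIs. The following is an added example, not Privacera's own code: it checks attribute values against the four attribute types listed above and builds a payload shaped like Apache Ranger's ServiceTags import model. The field names, the spelling of attribute types in the payload, the accepted date and boolean formats, and the resource keys `database`/`table`/`column` are assumptions to confirm against the API documentation for your release.

```python
import json
from datetime import date

def parse_bool(v):
    if v.lower() not in ("true", "false"):
        raise ValueError(v)

# One parser per attribute type offered in the Portal. Assumption: values are
# strings, dates are ISO 8601 (YYYY-MM-DD), booleans are "true"/"false".
PARSERS = {"String": str, "Integer": int, "Boolean": parse_bool,
           "Date": date.fromisoformat}

def check_attributes(tag_def, attrs):
    """Return the problems found in one resource's attribute values."""
    declared = {a["name"]: a["type"] for a in tag_def["attributeDefs"]}
    problems = []
    for name, value in attrs.items():
        if name not in declared:
            problems.append(f"{name}: not defined on tag {tag_def['name']}")
            continue
        try:
            PARSERS[declared[name]](value)
        except ValueError:
            problems.append(f"{name}: {value!r} is not a valid {declared[name]}")
    return problems

def build_service_tags(service, tag_defs, tagged):
    """Step 1 (definitions) plus step 2 (associations) as one import payload."""
    defs = {d["name"]: d for d in tag_defs}
    out = {"op": "add_or_update", "serviceName": service,
           "tagDefinitions": {str(i): d for i, d in enumerate(tag_defs, 1)},
           "tags": {}, "serviceResources": [], "resourceToTagIds": {}}
    for rid, (elements, tag, attrs) in enumerate(tagged, 1):
        problems = check_attributes(defs[tag], attrs)  # KeyError: undefined tag
        if problems:
            raise ValueError("; ".join(problems))
        out["tags"][str(rid)] = {"type": tag, "attributes": attrs}
        out["serviceResources"].append({
            "id": rid, "serviceName": service,
            "resourceElements": {k: {"values": [v]} for k, v in elements.items()}})
        out["resourceToTagIds"][str(rid)] = [rid]
    return out

# Constructed sample mirroring the diagram; "sales" is a made-up database name.
PII = {"name": "PII", "attributeDefs": [{"name": "sensitivityLevel", "type": "String"}]}
TAGGED = [
    ({"database": "sales", "table": "customer", "column": "email"}, "PII", {"sensitivityLevel": "MEDIUM"}),
    ({"database": "sales", "table": "customer", "column": "ssn"}, "PII", {"sensitivityLevel": "HIGH"}),
]

if __name__ == "__main__":
    print(json.dumps(build_service_tags("privacera_snowflake", [PII], TAGGED), indent=2))
```

Rejecting undefined tags and mistyped attribute values before submission keeps a typo such as a misspelled sensitivityLevel from producing a resource that tag-based policies do not match.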
Service Tags
Service Tags are special tags originating from the data service platforms themselves. These tags are automatically synchronized with Privacera and displayed in the Privacera Portal, but they have some unique characteristics:
Supported Services
Currently, Service Tags functionality is supported only for Google BigQuery.
- Read-only Nature: Service Tags cannot be created, modified, or deleted through the Privacera Portal UI. They are managed exclusively at the service end.
- Automatic Synchronization: These tags are automatically synchronized from the data service to Privacera, ensuring that any changes made at the service level are reflected in Privacera.
- Policy Integration: Service Tags can be used in Tag-based Access Control and Masking policies to create service-specific access rules. This allows administrators to:
    - Create policies that specifically target service-defined classifications
    - Manage access controls based on the service's native tagging system
    - Apply masking policies using service-native tags to protect sensitive data
    - Enforce consistent access patterns across the organization using service-native tags
For example, if a cloud data warehouse service has its own classification tags like SENSITIVE_DATA or RESTRICTED_ACCESS, these tags will appear in Privacera and can be used in tag policies, even though they cannot be modified through the Privacera interface.
Creating Policies with Service Tags
To use service tags in your tag-based policies, follow these steps:
- Navigate to the tag policy creation page
- Locate and enable the Service Based Tags toggle switch
- Once enabled, three dropdown menus will appear in sequence:
    - Service Type: Select the type of service (e.g., Google BigQuery)
    - Service: Choose the specific service instance
    - Tag Type: Select the type of tag available for that service
After making selections in all three dropdowns, the relevant service tags will automatically populate in the Tags section of your policy. You can then use these service-specific tags to define your access control and masking rules.
Policy Behavior on Service Tag Deletion
When a service tag is deleted, the policies that were configured using this tag will be affected in different ways depending on their configuration:
- Policy Deletion (Single Tag Policy):
    - If a policy was created using only the service tag that is being deleted
    - The entire policy will be automatically deleted
- Policy Update (Multiple Tags Policy):
    - If a policy contains two or more service tags
    - And only one of these tags is being deleted
    - The policy will be updated to remove the deleted tag while preserving other configurations
- Policy Merge (Resource Signature Match):
    - If a policy contains multiple service tags
    - After removing the deleted service tag
    - If the resulting policy's resource signature matches an existing policy
    - The policy will be automatically merged with the matching existing policy
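Because a single-tag masking or access policy disappears together with its tag, it helps to preview the outcome before a tag is removed at the service end. The following dry-run model of the three cases is an added example, not Privacera's implementation. It assumes that a tag policy's resource signature is its set of tags and that a merge unions the policy items; the policy names, the FINANCE tag and the item strings are constructed.

```python
def preview_service_tag_deletion(policies, deleted_tag):
    """Return (remaining_policies, log) after one service tag is deleted."""
    remaining = {}  # resource signature (frozenset of tags) -> policy
    log = []
    # Policies that never referenced the tag are untouched and can be merge targets.
    for p in policies:
        if deleted_tag not in p["tags"]:
            remaining[frozenset(p["tags"])] = {
                **p, "tags": set(p["tags"]), "items": list(p["items"])}
    for p in policies:
        if deleted_tag not in p["tags"]:
            continue
        rest = set(p["tags"]) - {deleted_tag}
        if not rest:
            # Case 1: the deleted tag was the policy's only tag.
            log.append((p["name"], "deleted"))
            continue
        target = remaining.get(frozenset(rest))
        if target:
            # Case 3: the reduced signature collides with an existing policy.
            target["items"] += [i for i in p["items"] if i not in target["items"]]
            log.append((p["name"], "merged into " + target["name"]))
        else:
            # Case 2: the policy survives with the tag removed.
            remaining[frozenset(rest)] = {**p, "tags": rest, "items": list(p["items"])}
            log.append((p["name"], "updated"))
    return list(remaining.values()), log

# Constructed policies using the example tag names from the Service Tags section.
SAMPLE_POLICIES = [
    {"name": "mask-sensitive", "tags": {"SENSITIVE_DATA"}, "items": ["mask:analysts"]},
    {"name": "restricted-and-sensitive",
     "tags": {"SENSITIVE_DATA", "RESTRICTED_ACCESS"}, "items": ["deny:contractors"]},
    {"name": "restricted-only", "tags": {"RESTRICTED_ACCESS"}, "items": ["allow:dpo-team"]},
    {"name": "finance-sensitive",
     "tags": {"SENSITIVE_DATA", "FINANCE"}, "items": ["mask:interns"]},
]

if __name__ == "__main__":
    _, changes = preview_service_tag_deletion(SAMPLE_POLICIES, "SENSITIVE_DATA")
    for name, outcome in changes:
        print(f"{name}: {outcome}")
```

Policies reported as deleted are the ones to review first, since the rules they carried no longer exist after the tag is removed.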
Data Catalog or External Tag Sources
Privacera supports integration with external tag sources such as Collibra, Alation, DataHub, and Apache Atlas. This allows you to import tags from these sources into Privacera and use them for access control and data governance. These integrations generally need some level of customization to map the tag definitions and attributes from the external source to the Privacera tag definitions and attributes. Please contact Privacera support for more information on how to set up these integrations.
For information on how to set up the integration with Data Catalog, please refer to the Data Catalog - Access Tags page.