Policies and Identifiers
Overview¶
Data Governance policies let you create access and data-governance controls without hand-listing every user, column, or row. Instead, you compose policies from reusable Identifiers and apply them to a chosen data scope.
There are two kinds of policy:
- an Access policy, which controls who can read or write data;
- a Governance policy, which applies a security rule to data, such as Masking or Row Filter.
You create either one in the guided Create Policy wizard, which has three steps: Define Rules → Name & Description → Review & Publish.
Core concepts¶
What a policy does¶
A policy's effect comes from the action you choose and the Identifiers it uses:
| Capability | What you choose |
|---|---|
| Access | Give the selected users Read access to view the data, or Write access to also edit it. |
| Masking | Hide or obscure chosen columns: replace each value with a Hash, show only the first or last 4 characters, or Nullify it entirely. |
| Row filtering | Limit the rows a Record Identifier matches: choose Allow Result to return only those rows, or Exclude Result to drop them. |
Identifiers¶
An Identifier is a reusable, named selection of users, columns, or rows that you define once and reference in many policies. It isn't limited to user attributes. You can define what an Identifier covers in whatever way fits: by attributes, by tags, by an explicit list, or by a custom condition.
Identifiers are what make policies simple to write and keep consistent: you describe who or what a policy targets in one place, and updating an Identifier updates every policy that uses it, so you never re-pick the same users or columns each time. When you author a policy, you reference Identifiers in the Define Rules step:
- User Identifier: a set of users, roles, or groups that defines who a policy applies to.
- Column Identifier: a set of columns, usually selected by tag.
- Record Identifier: a condition that uniquely identifies records and is used to enforce Row Filter policies.
Where a policy applies¶
You set a policy's target in the Data section of the wizard. Choose the scope:
- Data Tag: apply the policy wherever a classification tag appears.
- Data Product: apply it to a published data product.
- Specific Resource: apply it to selected assets.
Putting a policy into effect
A policy only enforces once it is published and applied to a resource.
- Publish to activate: save a policy as a Draft while you work on it, then publish it to make it Active. You can deactivate an active policy later to stop enforcing it without deleting it.
- Apply it to data: a policy must be attached to the data it governs. Apply it directly when you create the policy by setting its scope, or from the Data Catalog, using a resource's Apply Policy action.
Next steps¶
- Prev topic: Data Products
- Next topic: Identifiers