
Tags and Metadata

Overview

Tags and Metadata in Privacera's Governance Hub provide a centralized system for creating, managing, and applying classification tags to data assets. This capability enables consistent data governance by allowing you to define reusable tags with custom attributes that can be applied across your entire data ecosystem.

Accessing Tags and Metadata

To access the Tags and Metadata management interface:

  1. Navigate to Governance Hub in the left sidebar
  2. Select Tags and Metadata

The Tags and Metadata interface displays all defined tags, their configurations, and associated attributes.

Tags and Metadata Interface

Search Functionality

Use the search bar at the top to filter tags:

  • Enter tag names to quickly find specific tags
  • Search results update dynamically as you type
  • Useful for large tag libraries

Add Tag Button

Click the ADD TAG button in the top-right corner to create new tags.

Tag Components

Each tag definition includes several key components:

Tag Name

  • Purpose: Unique identifier for the tag
  • Requirements: Must be unique across the system
  • Best Practice: Use uppercase, descriptive names (e.g., SENSITIVE, DATA_CLASS, RESTRICTED)
  • Example: SENSITIVE, RESTRICTED, COMPLIANCE_TAG, DATA_QUALITY

Supported Resource Types

Defines which types of resources the tag can be applied to:

  • All Resources: Tag can be applied to any resource type (databases, schemas, tables, columns, etc.)
  • Specific Types: Limit tag application to specific resource types (examples):
    • database - Database level
    • schema - Schema level
    • table - Table level
    • column - Column level

Example Configurations:

  • RESTRICTED (All Resources): Can be applied at any level
  • SENSITIVE (column): Can only be applied to columns
  • DATA_CLASS (column, table): Can be applied to columns or tables

Attribute Definitions

Attributes define the metadata that must or can be provided when applying the tag:

Attribute Properties

Each attribute has the following properties:

  • Key: The attribute name/identifier
  • Type: Data type of the attribute value
    • String: Text values, such as names or descriptions.
    • Number: Any numeric value, including decimals.
    • Integer: Whole numbers only (no decimals).
    • Boolean: True/false values to indicate flags or switches.
  • Helper Text: Descriptive text to guide users when providing attribute values
  • Required: Whether the attribute must be provided when applying the tag
    • yes: Mandatory field
    • no: Optional field

Example Attribute Configurations

SENSITIVE Tag:

Key: data_type      Type: String    Required: no
Key: source         Type: String    Required: no

RESTRICTED Tag:

Key: level          Type: String    Required: yes

DATA_CATEGORY Tag:

Key: category_name  Type: String    Required: yes

COMPLIANCE_TAG:

Key: regulation_type Type: String    Required: no

Creating a New Tag

To create a new tag:

  1. Click the ADD TAG button
  2. Fill in the tag details:
    • Tag Name: Enter a unique, descriptive name
    • Type: Sensitive, Confidential, Internal or Public
    • Description: Provide a clear description of the tag's purpose
    • Supported Resource Types: Select which resource types this tag applies to
  3. Define attributes:
    • Click Add Attribute to create attribute definitions
    • For each attribute:
      • Enter the attribute Key name
      • Select the Type
      • Add Helper Text (optional but recommended)
      • Mark as Required if mandatory
  4. Click Save to create the tag

Tag Update Limitation

Tags cannot be updated after creation. If you need to modify a tag's configuration (name, type, description, supported resource types, or attributes), you must:

  1. Delete the existing tag (see Deleting Tags below)
  2. Create a new tag with the updated configuration

Important considerations:

  • When you delete a tag, it will be removed from all resources where it's currently applied
  • Before deleting, ensure you have a plan to reapply the tag to necessary resources
  • Consider creating the new tag with the updated configuration before deleting the old one to minimize disruption
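
Because deletion removes the tag from every resource, the re-apply step needs a record of where the old tag was applied. The following is an added example, not Privacera code: it assumes a snapshot of the existing mappings held in the tagResourceMappings shape used by the mapping API later on this page; plan_retag, coverage_gap, the tag name SENSITIVE_V2 and the sample data are hypothetical.

```python
# Added example: plan the re-apply step of a delete-and-recreate tag change.
import copy

def plan_retag(snapshot, old_tag, new_tag, new_attr_defs, defaults=None):
    """Return (payload, needs_review) for re-applying old_tag's mappings as new_tag."""
    defaults = defaults or {}
    ready, needs_review = [], []
    for m in snapshot["tagResourceMappings"]:
        if m["tagName"] != old_tag:
            continue
        old_attrs = m.get("tagAttributes") or {}
        # Carry over attributes the new definition still has; fill gaps from defaults.
        attrs = {k: old_attrs.get(k, defaults.get(k)) for k in new_attr_defs
                 if k in old_attrs or k in defaults}
        missing = [k for k, d in new_attr_defs.items() if d.get("required") and k not in attrs]
        if missing:
            needs_review.append((m["resourcePath"], missing))
            continue
        new_m = copy.deepcopy(m)  # never mutate the snapshot
        new_m.update(tagName=new_tag, tagAttributes=attrs)
        ready.append(new_m)
    return {"tagResourceMappings": ready}, needs_review

def coverage_gap(snapshot, old_tag, payload):
    """Resources that carried old_tag in the snapshot but are absent from the payload."""
    key = lambda m: (m["serviceName"], m["resourcePath"])
    before = {key(m) for m in snapshot["tagResourceMappings"] if m["tagName"] == old_tag}
    after = {key(m) for m in payload["tagResourceMappings"]}
    return sorted(before - after)

# Constructed sample: SENSITIVE is recreated with data_type changed to required.
NEW_DEFS = {"data_type": {"type": "string", "required": True},
            "source": {"type": "string", "required": False}}
BASE = {"serviceName": "snowflake_production", "serviceType": "SNOWFLAKE", "appCode": "APP001"}
SNAPSHOT = {"tagResourceMappings": [
    {**BASE, "tagName": "SENSITIVE", "tagAttributes": {"data_type": "email"},
     "resourcePath": "customer_db/customer_schema/customers_table/email"},
    {**BASE, "tagName": "SENSITIVE", "tagAttributes": {"source": "crm"},
     "resourcePath": "customer_db/customer_schema/customers_table/ssn"},
    {**BASE, "tagName": "COMPLIANCE_TAG", "tagAttributes": {},
     "resourcePath": "customer_db/customer_schema/customers_table"},
]}
payload, review = plan_retag(SNAPSHOT, "SENSITIVE", "SENSITIVE_V2", NEW_DEFS)
print("needs review:", review, "| would lose the tag:", coverage_gap(SNAPSHOT, "SENSITIVE", payload))
```

An empty coverage_gap result before the old tag is deleted means every resource that carried it is included in the re-apply payload.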

Deleting Tags

To delete a tag:

  1. Locate the tag in the list
  2. Click the Delete icon (🗑) in the Actions column
  3. Confirm the deletion

Tag Deletion Warning

Deleting a tag:

  • Removes the tag from all resources where it's applied
  • Cannot be undone

Common Tag Patterns

Data Classification Tags

Used to classify data sensitivity levels:

Tag: DATA_CLASSIFICATION
Resource Types: All Resources
Attributes:
  - classification_level (String, Required): "Public", "Internal", "Confidential", "Restricted"

Tag: SENSITIVITY
Resource Types: column, table
Attributes:
  - level (String, Required): "High", "Medium", "Low"
  - reason (String, Optional): Explanation for sensitivity level

Compliance and Regulatory Tags

Used to mark data subject to regulations:

Tag: REGULATORY_COMPLIANCE
Resource Types: All Resources
Attributes:
  - regulation_name (String, Required): Name of applicable regulation
  - compliance_scope (String, Required): Scope of regulatory requirement

Tag: PROTECTED_DATA
Resource Types: column, table
Attributes:
  - protection_type (String, Required): Type of data protection required
  - retention_days (Number, Required): Data retention period

Operational Tags

Used for data management and operations:

Tag: DEPLOYMENT_ENV
Resource Types: All Resources
Attributes:
  - environment (String, Required): "Production", "Staging", "Development", "Test"

Tag: DATA_OWNER
Resource Types: database, schema, table
Attributes:
  - team (String, Required): Owning team name
  - contact (String, Required): Contact email

Domain-Specific Tags

Used to classify data by business domain or subject area:

Tag: BUSINESS_DOMAIN
Resource Types: All Resources
Attributes:
  - domain_name (String, Required): "Finance", "HR", "Marketing", "Sales"
  - sub_domain (String, Optional): Specific sub-domain

Tag: GEOGRAPHY
Resource Types: column
Attributes:
  - geo_type (String, Optional): Type of geographic data
  - region (String, Optional): Geographic region

Tag Governance Best Practices

Naming Conventions

  • Use Uppercase: Tag names should be in uppercase (e.g., SENSITIVE, not sensitive)
  • Be Descriptive: Names should clearly indicate the tag's purpose
  • Avoid Abbreviations: Unless they are widely understood in your industry
  • Stay Consistent: Maintain naming consistency across similar tags

Attribute Design

  • Required vs. Optional: Only mark attributes as required if they're essential
  • Helper Text: Always provide clear helper text to guide users
  • Appropriate Types: Choose the correct data type for each attribute
  • Validation: Consider using enums for attributes with predefined values

Resource Type Selection

  • Be Specific: If a tag only applies to columns, don't allow all resources
  • Consider Hierarchy: Tags at higher levels (database, schema) may be inherited by lower levels
  • Flexibility: Use "All Resources" for tags that legitimately apply everywhere

Integration with Access Management

Tags defined in Tags and Metadata can be used directly in access policies:

Tag-Based Policies

Create access policies that reference tags:

Policy: Restrict Sensitive Data Access
Condition: HAS_TAG('SENSITIVE')
Action: Deny Read
Principals: henry, marketing_group

Attribute-Based Conditions

Use tag attributes in policy conditions:

Policy: Regulated Data Access
Condition: 
  - HAS_TAG('REGULATORY_COMPLIANCE')
  - TAG.regulation_name == 'Industry_Standard'
  - USER.compliance_certified == 'true'
Action: Allow Read
Principals: auditor_role

Dynamic Policies

Leverage tag metadata for dynamic policy evaluation:

Policy: Restricted Data by Environment
Condition:
  - HAS_TAG('DEPLOYMENT_ENV')
  - TAG.environment == 'Production'
  - HAS_TAG('RESTRICTED')
Action: Read 
Principals: Analysts_Group

For more information on using tags in access policies, see:

Applying Tags to Resources

Tags can be applied to resources through multiple methods:

Manual Tagging in Data Catalog

  1. Navigate to Data Catalog
  2. Select the resource (table or column)
  3. Add tags from the available tag library
  4. Provide required attribute values
  5. Save the tag application

API-Based Tagging

Programmatic Tag Management APIs

Privacera provides REST APIs for programmatic tag management, enabling automation and integration with external systems.

Creating Tags via API

Use the Metadata Service (MDS) API to create tag definitions programmatically.

API Endpoint:

POST <MDS-URL>/api/v1/metadata/tags

Request Payload:

{
    "tag": {
        "name": "PII",
        "type": "Sensitive",
        "description": "Personally Identifiable Information requiring protection",
        "attributeDefinitions": {
            "sensitivity_level": {
                "type": "string",
                "required": true,
                "description": "Sensitivity level of the resource"
            }
        },
        "source": "Portal"
    }
}

Payload Fields:

  • name (required): Unique name for the tag (e.g., "PII", "DATA_CLASSIFICATION")
  • type (required): Tag classification type. Valid values:
    • Sensitive - For sensitive data requiring protection
    • Confidential - For confidential business information
    • Internal - For internal-use data
    • Public - For publicly accessible data
  • description (optional): Description of the tag's purpose and usage
  • attributeDefinitions (optional): Object defining tag attributes
    • Each attribute has:
      • type: Data type (string, number, integer, boolean, date, etc.)
      • required: Whether the attribute is mandatory (true/false)
      • description: Description of the attribute
  • source (required): Origin of the tag creation (e.g., "Portal", "API", "Discovery")

Example - Creating a Data Classification Tag:

{
    "tag": {
        "name": "DATA_CLASSIFICATION",
        "type": "Confidential",
        "description": "Tag for classifying data sensitivity levels",
        "attributeDefinitions": {
            "classification_level": {
                "type": "string",
                "required": true,
                "description": "Classification level: Public, Internal, Confidential, Restricted"
            },
            "data_owner": {
                "type": "string",
                "required": false,
                "description": "Data owner responsible for the classified data"
            }
        },
        "source": "API"
    }
}

Creating Resources via API

Before applying tags, ensure resources are registered in the metadata catalog.

API Endpoint:

POST <MDS-URL>/api/v1/metadata/resources/sync

Request Payload:

{
  "appCode": "APP001",
  "serviceName": "snowflake_production",
  "serviceType": "SNOWFLAKE",
  "resources": [
    {
      "resource": "customer_db/customer_schema/customers_table/email",
      "resourceType": "column"
    },
    {
      "resource": "customer_db/customer_schema/customers_table/ssn",
      "resourceType": "column"
    },
    {
      "resource": "customer_db/customer_schema/customers_table",
      "resourceType": "table"
    }
  ]
}

Payload Fields:

  • appCode (required): Application identifier for the integration
  • serviceName (required): Name of the data service (must match configured service)
  • serviceType (required): Type of data source (e.g., "SNOWFLAKE")
  • resources (required): Array of resources to register
    • resource: Full path to the resource (hierarchical format: database/schema/table/column)
    • resourceType: Type of resource (e.g., "database", "schema", "table", "column", "view", "function")

Applying Tags to Resources via API

Associate tags with resources using the tag-resource mapping API.

API Endpoint:

POST <MDS-URL>/api/v1/metadata/tags/resource-mappings

Request Payload:

{
    "tagResourceMappings": [
        {
            "tagName": "PII",
            "resourcePath": "customer_db/customer_schema/customers_table/email",
            "serviceName": "snowflake_production",
            "serviceType": "SNOWFLAKE",
            "appCode": "APP001",
            "tagAttributes": {
                "sensitivity_level": "high"
            }
        },
        {
            "tagName": "PII",
            "resourcePath": "customer_db/customer_schema/customers_table/ssn",
            "serviceName": "snowflake_production",
            "serviceType": "SNOWFLAKE",
            "appCode": "APP001",
            "tagAttributes": {
                "sensitivity_level": "high"
            }
        }
    ]
}

Payload Fields:

  • tagResourceMappings (required): Array of tag-to-resource mappings
    • tagName (required): Name of the tag to apply (must exist in the system)
    • resourcePath (required): Full path to the resource (must match registered resource)
    • serviceName (required): Name of the data service
    • serviceType (required): Type of data source
    • appCode (required): Application identifier
    • tagAttributes (optional): Object containing attribute key-value pairs
      • Keys must match attribute definitions in the tag
      • Required attributes must be provided

Example - Bulk Tagging:

{
    "tagResourceMappings": [
        {
            "tagName": "DATA_CLASSIFICATION",
            "resourcePath": "finance_db/transactions/payment_details/credit_card",
            "serviceName": "snowflake_production",
            "serviceType": "SNOWFLAKE",
            "appCode": "APP001",
            "tagAttributes": {
                "classification_level": "Restricted",
                "data_owner": "finance_team"
            }
        },
        {
            "tagName": "COMPLIANCE_TAG",
            "resourcePath": "finance_db/transactions/payment_details",
            "serviceName": "snowflake_production",
            "serviceType": "SNOWFLAKE",
            "appCode": "APP001",
            "tagAttributes": {
                "regulation_type": "PCI-DSS"
            }
        }
    ]
}
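
The field rules above (the tag must exist, the resource path must match a registered resource, attribute keys must match the tag definition, required attributes must be provided) can be checked before the request is sent. The following is an added example, not Privacera code: validate_mappings, TAG_DEFS, REGISTERED and the flawed sample payload are constructed for illustration, and only the string, number, integer and boolean attribute types are type-checked.

```python
# Added example: pre-flight check of a tag-resource mapping payload (not Privacera code).
TYPE_CHECKS = {  # type names as used in attributeDefinitions; other types are not checked
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),  # bool is an int
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
}
REQUIRED_FIELDS = ("tagName", "resourcePath", "serviceName", "serviceType", "appCode")

def validate_mappings(payload, tag_defs, registered_paths):
    """Return a list of problems; an empty list means the payload passed."""
    problems = []
    for i, m in enumerate(payload.get("tagResourceMappings", [])):
        missing = [f for f in REQUIRED_FIELDS if not m.get(f)]
        if missing:
            problems.append(f"[{i}] missing required field(s): {missing}")
            continue
        where = f"[{i}] {m['tagName']} on {m['resourcePath']}"
        if m["resourcePath"] not in registered_paths:
            problems.append(f"{where}: resource is not registered")
        tag = tag_defs.get(m["tagName"])
        if tag is None:
            problems.append(f"{where}: tag is not defined")
            continue
        attr_defs = tag.get("attributeDefinitions") or {}
        attrs = m.get("tagAttributes") or {}
        for key in sorted(set(attrs) - set(attr_defs)):
            problems.append(f"{where}: attribute '{key}' is not defined on the tag")
        for key, spec in attr_defs.items():
            if key not in attrs:
                if spec.get("required"):
                    problems.append(f"{where}: required attribute '{key}' is missing")
            elif not TYPE_CHECKS.get(spec.get("type"), lambda v: True)(attrs[key]):
                problems.append(f"{where}: attribute '{key}' must be of type {spec['type']}")
    return problems

# Constructed sample data: the PII definition from this page and a flawed payload.
TAG_DEFS = {"PII": {"attributeDefinitions": {
    "sensitivity_level": {"type": "string", "required": True}}}}
REGISTERED = {"customer_db/customer_schema/customers_table/email"}
BASE = {"tagName": "PII", "serviceName": "snowflake_production",
        "serviceType": "SNOWFLAKE", "appCode": "APP001"}
SAMPLE = {"tagResourceMappings": [
    {**BASE, "resourcePath": "customer_db/customer_schema/customers_table/email",
     "tagAttributes": {"sensitivity_level": "high"}},   # valid
    {**BASE, "resourcePath": "customer_db/customer_schema/customers_table/ssn",
     "tagAttributes": {"sensitivty_level": "high"}},    # unregistered path, misspelled key
]}
print("\n".join(validate_mappings(SAMPLE, TAG_DEFS, REGISTERED)) or "payload OK")
```

The misspelled key in the second mapping produces two findings, an undefined attribute and a missing required one, in addition to the unregistered resource path.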

API Workflow

Complete workflow for programmatic tag management:

  1. Create Tag Definition

    POST /api/v1/metadata/tags
    → Define tag with attributes
    

  2. Register Resources

    POST /api/v1/metadata/resources/sync
    → Ensure resources exist in catalog
    

  3. Apply Tags to Resources

    POST /api/v1/metadata/tags/resource-mappings
    → Associate tags with resources and provide attribute values