Masking Data
Pre-requisites
Understand the Permissions system
Understand our approach to Protecting Data Privacy and Confidentiality
Understand how Classifying data for compliance reasons works
How it Works
Each user on the Foundation platform has different roles and different permissions for each data product.
Each column (or field) in a data product table also has a confidentiality level, defined by its classification (public, internal, confidential, top secret...).
Confidential columns (or fields) are masked for users who do not have permission to see them.
Assume that a user has permission to query data for a data product table (with the action data:data_product:query). Based on the user's roles and permissions, as well as the column's data classification, Foundation decides whether to mask the values of the respective columns.
To get access to confidential columns, users need a role with the action data:data_product:view_mask allowed against the corresponding data product table.
By default, all confidential columns are masked. Users receive masked values not only when they query with SELECT statements, but also in all other actions such as transformations, groupBy, aggregate, cte...
Here is an example of what masked data looks like:
Configuring which Classification Levels to Mask
To create a classification level that requires masking, you will need to provide the should_mask argument as "true" (the default is false) as below:
Endpoint: POST: /api/data/classification
{
  "name": "top_secret",
  "description": "string",
  "should_mask": true
}
The above example will create a classification level called top_secret. All columns that have classification = top_secret will be masked for users lacking the view_mask permission.
To assign the new classification level to columns of a data product table, please review Classifying data for compliance reasons.
Creating a Role that Can Access Confidential Data
For more information on how to create roles, policies and permissions, visit Permissions.
To create a policy which allows a role to see masked data, follow the steps in Manage Policies and assign the data:data_product:view_mask permission:
{
  "name": "DataOwnerPolicy",
  "statements": [
    {
      "sid": "string",
      "principal": [
        "uuid"
      ],
      "action": [
        "data:data_product:view_mask"
      ],
      "resource": [
        "data_product_identifier"
      ],
      "effect": "allow",
      "scope": "data_product"
    }
  ]
}
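The masking decision described under How it Works, modelled over the classification and policy JSON shapes shown above. This is an added example, not Foundation's own code: the principals, data product name, column mapping and the allow-only matching logic are constructed assumptions for illustration. It also includes a helper for reviewing who holds view_mask.

```python
import json

# Constructed sample data in the JSON shapes shown on this page.
CLASSIFICATIONS = json.loads("""[
  {"name": "public", "description": "open data", "should_mask": false},
  {"name": "top_secret", "description": "restricted", "should_mask": true}
]""")
POLICIES = json.loads("""[
  {"name": "AnalystPolicy", "statements": [
    {"sid": "q1", "principal": ["user-analyst"], "action": ["data:data_product:query"],
     "resource": ["dp-customers"], "effect": "allow", "scope": "data_product"}]},
  {"name": "DataOwnerPolicy", "statements": [
    {"sid": "o1", "principal": ["user-owner"],
     "action": ["data:data_product:query", "data:data_product:view_mask"],
     "resource": ["dp-customers"], "effect": "allow", "scope": "data_product"}]}
]""")
# Hypothetical column -> classification mapping for one data product table.
COLUMNS = {"customer_id": "public", "country": "public", "ssn": "top_secret"}


def is_allowed(policies, principal, action, resource):
    """True if an 'allow' statement grants action on resource to principal.
    Assumption: exact string matching only; no deny or wildcard handling."""
    return any(
        s.get("effect") == "allow"
        and principal in s.get("principal", [])
        and action in s.get("action", [])
        and resource in s.get("resource", [])
        for p in policies for s in p.get("statements", []))


def masked_columns(principal, resource, columns=COLUMNS,
                   policies=POLICIES, classifications=CLASSIFICATIONS):
    """Columns masked for principal, or None if they cannot query the product."""
    if not is_allowed(policies, principal, "data:data_product:query", resource):
        return None
    if is_allowed(policies, principal, "data:data_product:view_mask", resource):
        return []
    # Assumption: a column with an undefined classification is masked (fail closed).
    clear = {c["name"] for c in classifications if not c.get("should_mask", False)}
    return sorted(col for col, level in columns.items() if level not in clear)


def view_mask_holders(policies=POLICIES):
    """Access-review helper: (principal, resource) pairs granted view_mask."""
    return sorted({(pr, r) for p in policies for s in p.get("statements", [])
                   if s.get("effect") == "allow"
                   and "data:data_product:view_mask" in s.get("action", [])
                   for pr in s.get("principal", []) for r in s.get("resource", [])})
```

Running view_mask_holders over exported policies gives a short list to check during access reviews, since every pair it returns can read confidential columns in clear.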