5 Replies Latest reply on Jun 8, 2020 5:00 AM by US ITS DATA CATALOG ADMINISTRATION

    View Sensitive Data security

    US ITS DATA CATALOG ADMINISTRATION Active Member

      We have started to utilize some sensitive data domains (under data domain groups PII, PCI, PHI) and want to restrict access to sensitive data for specific resources to specific groups.  We have created two roles (Data Owner, Data Steward) and multiple groups (Data Owner - Finance, Data Steward - Talent, etc) that have write access to specific resources.  We then assign individuals to the groups.  We also give metadata and data read access to all users for all resources so they can see but not edit the data. 

      It appears that because the security is inherited I cannot assign the View Sensitive Data privilege at the role level or group level, because this gives too much access.

      Examples: If I assign the role with the privilege to 10 groups and then assign a user to one of those groups, he inherits the privilege and can essentially see sensitive data across all of those groups.

      If instead I assign the groups that privilege and then assign a user to one of those groups, he inherits the privilege and can essentially see sensitive data across all of those groups.

      Is there a way around this or must I maintain that privilege at the user level?

        • 1. Re: View Sensitive Data security
          Venkatesh Srinivasan Seasoned Veteran

          When you assign privileges to a group, all subgroups and users belonging to the group inherit the privileges.

          When you assign a role to a user, the user inherits the privileges belonging to the role.

          When you assign a role to a group, the group and all subgroups and users belonging to the group inherit the privileges belonging to the role. The subgroups and users do not inherit the role.

          So, the ideal approach is to have a dedicated group with the users who need to see the sensitive data, and grant them the 'View Sensitive Data' permission.

          • 2. Re: View Sensitive Data security
            Utkarsh Pandey Active Member

            The privileges provided at group level for a resource will by default be inherited at the user level as well.

            For example, if we give Read and Write privileges at group level, they will be inherited by all the users present in that group for that particular resource. That can be further managed at user level.

            • 3. Re: View Sensitive Data security
              US ITS DATA CATALOG ADMINISTRATION Active Member

              What we have is the third scenario.  We create roles and assign the privileges to the role.  We assign the roles to groups.  We then assign the users to the groups as well.

              We want our users to be able to see ALL non-sensitive data but only certain folks to see sensitive data.  I do not see how we can pull this off if the privileges are at the role, group, or user level and the metadata and data read permission is required on the resource.

              I do not think your approach would work because of the way we have all users set up as "general users".  This general users group is our security domain which we populate through our LDAP config from an AD group.  In this case we assign privileges (View Data) to the group in the Administrator.  In the Catalog Administrator this group has Metadata and Data Read access to all resources.  As we understand it they must have this to be able to see ANY value frequency.  Without it they could not even see non-sensitive data. 

              Since I now have users that are both general users (through the LDAP config) and Data Owners/Data Stewards, if I give the role, group, or even the user the View Sensitive Data privilege directly they would be able to see the sensitive data on any resource.

              • 4. Re: View Sensitive Data security
                Cybill Gregorio New Member

                I have the same question.

                - View Sensitive Data on Resource A only

                - View Sensitive Data on Resource B only

                - View Sensitive Data on Resource A & B only

                - No Access to View Sensitive Data at all.

                How can this be achieved?

                Thank you.

                • 5. Re: View Sensitive Data security
                  US ITS DATA CATALOG ADMINISTRATION Active Member

                  I think the last one is the easiest answer.  If you do not assign the View Sensitive Data privilege to the group, role, or user they will not be able to see the sensitive data (meaning the asset has a data domain in PII, PCI, PHI data domain group).

                  For the others I think the security would have to be at the user level.  If the user has view sensitive data assigned (either directly, through a role, or through a group) then you would assign them "Metadata and Data Read" access to Resource A, Resource B, or both in the Catalog Administrator at the user level and not at the group or role level.

                  Note: If they have metadata and data read access to any other resource they would also be able to see the sensitive fields.
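To make the inheritance rules in replies 1 and 3 and the workaround in reply 5 concrete, here is a small Python model of effective permissions. It is an added illustration, not Informatica's code and not anything posted in this thread. The rules it encodes are the ones the replies describe (privileges flow from roles and groups down to users and subgroups, 'View Sensitive Data' is catalog-wide rather than per resource, 'Metadata and Data Read' is granted per resource and is also inherited from groups), and that reading of the product is an assumption; the user, group and resource names are constructed.

```python
"""Toy model of the privilege inheritance described in this thread.

Assumed rules (taken from the replies, not from the product's code):
  * a group's privileges flow to its members and its subgroups;
  * a role's privileges flow to the user or group that holds the role;
  * 'View Sensitive Data' is a catalog-wide privilege, not scoped per resource;
  * 'Metadata and Data Read' is granted per resource to a user or group, and a
    group's grants flow to its members;
  * a user sees a PII/PCI/PHI column on a resource only when they hold the
    global privilege AND have read on that resource.
User, group and resource names below are constructed for the example.
"""
from dataclasses import dataclass, field

VIEW_SENSITIVE = "View Sensitive Data"
VIEW_DATA = "View Data"

RESOURCES = {"Finance DW", "Talent HR DB", "Marketing Lake"}  # constructed


@dataclass
class Model:
    role_privs: dict = field(default_factory=dict)       # role -> {privilege}
    principal_roles: dict = field(default_factory=dict)  # user|group -> {role}
    principal_privs: dict = field(default_factory=dict)  # user|group -> {privilege}
    user_groups: dict = field(default_factory=dict)      # user -> {group}
    group_parent: dict = field(default_factory=dict)     # subgroup -> parent group
    resource_read: dict = field(default_factory=dict)    # user|group -> {resource}

    def groups_of(self, user):
        """Groups the user is in, plus every ancestor group (grants flow down)."""
        seen, stack = set(), list(self.user_groups.get(user, ()))
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                if g in self.group_parent:
                    stack.append(self.group_parent[g])
        return seen

    def _principals(self, user):
        return {user} | self.groups_of(user)

    def effective_privs(self, user):
        """Direct privileges plus those reached through roles and groups."""
        privs = set()
        for p in self._principals(user):
            privs |= self.principal_privs.get(p, set())
            for r in self.principal_roles.get(p, ()):
                privs |= self.role_privs.get(r, set())
        return privs

    def readable(self, user):
        """Resources with 'Metadata and Data Read', directly or via a group."""
        out = set()
        for p in self._principals(user):
            out |= self.resource_read.get(p, set())
        return out

    def sensitive_visible(self, user):
        """Resources on which this user can see sensitive-domain columns."""
        if VIEW_SENSITIVE not in self.effective_privs(user):
            return frozenset()
        return frozenset(self.readable(user))


def base_model():
    """The original post's setup: roles carry the privilege, groups hold roles."""
    m = Model()
    m.role_privs["Data Steward"] = {VIEW_SENSITIVE}
    m.role_privs["Data Owner"] = {VIEW_SENSITIVE}
    # Role on a parent group; the subgroup and its members inherit the privilege.
    m.principal_roles["Data Stewards"] = {"Data Steward"}
    m.group_parent["Data Steward - Talent"] = "Data Stewards"
    m.principal_roles["Data Owner - Finance"] = {"Data Owner"}
    m.principal_privs["general users"] = {VIEW_DATA}  # LDAP-populated security domain
    m.user_groups["steward"] = {"general users", "Data Steward - Talent"}
    m.user_groups["owner"] = {"general users", "Data Owner - Finance"}
    m.user_groups["analyst"] = {"general users"}
    return m


def as_posted():
    """Reply 3's situation: 'general users' carries read on every resource."""
    m = base_model()
    m.resource_read["general users"] = set(RESOURCES)
    return {u: m.sensitive_visible(u) for u in ("steward", "owner", "analyst")}


def user_level_read():
    """Reply 5's workaround: read is granted per user, never on the group."""
    m = base_model()
    m.resource_read["steward"] = {"Talent HR DB"}
    m.resource_read["owner"] = {"Finance DW", "Talent HR DB"}
    m.resource_read["analyst"] = set(RESOURCES)  # read-all, but no privilege
    return {u: m.sensitive_visible(u) for u in ("steward", "owner", "analyst")}


if __name__ == "__main__":
    print("as posted:      ", as_posted())
    print("user-level read:", user_level_read())
```

as_posted() reproduces the leak the original post describes: steward and owner see sensitive columns on all three resources, because the read-all grant on 'general users' combines with the privilege inherited through the role, while analyst, who holds no privilege, sees none even with read on everything. user_level_read() is reply 5's workaround and shows its cost: steward's read is now only on Talent HR DB, so sensitive visibility is limited to that resource, but so is non-sensitive visibility, which is exactly the note at the end of reply 5.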