Module 3: How Immuta Data Policies can Balance access with privacy using column masking and row filtering

Anne and Manny are now able to access the credit card data. However, none of the table information is masked or filtered based on the user’s “need to know”.

The CDO wants to know if Owen can create a Data Policy so that Anne is not able to see the Credit Card Number, but Manny can see them. Also, Analysts have a Country attribute which specifies which countries they can see data for.

How can Immuta enforce these policies? Let’s find out…

In this module you will:

• Login to Immuta as Owen and inspect the existing Attribute Names and values

• Use the Attributes to Create a “Global Data Policy” that carefullly controls how Manny and Anne see the credit card transaction data.

• Login to Immuta as Anne and Manny and confirm policy behavior

Inspect Manny and Anne’s Attributes. Note the Country Attribute and that Manny has the values ‘US’ and ‘CA’ (for Canada) and Anne has only the value ‘US’:

(Note: If Manny’s Country Attribute does not contain the “US” and “CA”, then fix that by editing his Country Attribute List.)

The first Global Data Policy we will create is shown below.

It masks all columns Tagged as Credit Card Numbers with Null for everyone except for Managers in the Fraud Department :

The second Global Data Policy we will create is shown below.

It filters rows for data sources with columns Tagged as Credit Card Numbers by joining the transaction_country column with the User’s Country Attribute:

The following clips show how Owen created these two policies in the Immuta policy editor:

Mask-CC-NUMBER
Limit-by-Country

The following clip shows how Manny and Anne see this table after the above policies are activated:

Troubleshooting:

If the masking or filtering effect does not show up for Manny and Anne, confirm the Data Policy has been applied precisely as follows: