Conflicting row filters applied to the same column

Important 

In Collibra 2024.05, we launched a new user interface (UI) for Collibra Data Intelligence Platform! You can learn more about this latest UI in the UI overview.

Use the following options to see the documentation in the latest UI or in the previous, classic UI:

Note While this topic is applicable to both classic and latest UI, any images in the topic show the latest UI.

Background

Row filters are used to control which rows are visible in a table. Protect offers the following row filters to manage data visibility:

  • Show Everything: This filter shows all rows in a table to the selected groups.
  • Hide Everything: This filter hides all rows in a table from the selected groups.
  • Show Some: This filter shows only specific rows in a table to the selected groups, based on the Data Classification assigned to the columns, while hiding the rest.
  • Hide Some: This filter hides only specific rows in a table from the selected groups, based on the Data Classification assigned to the columns, while showing the rest.
Note When you add any row filter to a table in a rule, groups that aren't selected in the rule lose access to all rows in that table. For example, if you create a rule to show or hide rows in a table specifically for the HR group, all other groups can't access any rows in that table. If you want other groups to be able to access all rows in that table, create another rule for those groups with the Show Everything row filter.
  • Show: This filter shows only specific rows in a table to the selected groups based on the Data Classification assigned to the columns, while hiding the rest.
  • Hide: This filter hides only specific rows in a table from the selected groups based on the Data Classification assigned to the columns, while showing the rest.

Row filters operate exclusively, meaning that you can't apply both filters simultaneously for the same Data Classification for the same group.

When does a filtering conflict occur?

A filtering conflict occurs when you try to apply both Show and Hide row filters to the same column, for the same group—whether through a single rule or multiple rules. A simple example is of a rule that has both Show and Hide filters for the same Data Classification. The filters conflict each other because you can’t simultaneously show and hide the same rows. You can, however, add multiple filters of the same type to include multiple column values.

Image of the Data Access Rule dialog box showing acceptable row filters

What happens when a filtering conflict occurs?

When a filtering conflict occurs within a single rule, the rule fails during synchronization.

When a filtering conflict occurs between multiple rules:

  • If the sync status of one was already Active, then the other changes to Failed.
  • If the sync status of both is Active or Pending, then both change to Failed.

Examples

The following examples describe what happens when you try to apply conflicting row filters to the same column.

Scenario

This scenario considers a single rule that applies different row filters to multiple Data Classifications that share the same column.

  • The rule grants access to the Marketing group for the Customer Data asset.
  • The Customer Data asset contains a column that is classified as both Country and State.
  • The rule filters rows for columns that are classified as Country in the selected asset, as follows:
    • Show only rows whose country code is BE.
  • The rule filters rows for columns that are classified as State in the selected asset, as follows:
    • Hide only rows whose country code is PL.

Image of the rule

Behavior

Note The following behavior is applicable regardless of whether the rule is for a single asset or multiple assets.

The rule will fail upon synchronization because of a filtering conflict. The conflict occurs because a column is classified as both Country and State, and Protect can't apply two opposing row filters (Show Some and Hide Some) to the same column for the same group (Marketing).

Tip To resolve the conflict, decide which row filter or Data Classification should take precedence, and then remove one of the two row filters or Data Classifications.

Explanation

According to the first filter: If any of the tables in the selected asset contain columns that are classified as Country, only the rows that contain BE in those columns are to be shown, while hiding the remaining rows.

According to the second filter: If any of the tables in the selected asset contain columns that are classified as State, only the rows that contain PL in those columns are to be hidden, while showing the remaining rows.

According to the scenario: The selected asset contains a column that is classified as both Country and State. This column can't simultaneously show only rows that contain BE and show rows that don't contain PL, which is why the rule will fail.

Scenario

This scenario is similar to the previous scenario except that this scenario considers two rules instead of one, with both rules granting access to the same group.

  • The first rule grants access to the Marketing group for the Customer Data asset.
  • The first rule filters rows for columns that are classified as Country in the selected asset, as follows:
    • Show only rows whose country code is BE.

    Image of Rule 1

  • The second rule grants access to the Marketing group for the Personal Information asset.
  • The second rule filters rows for columns that are classified as State in the selected asset, as follows:
    • Hide only rows whose country code is PL.

    Image of Rule 2

Behavior

The rules will fail upon synchronization because of a filtering conflict. The conflict occurs because a column is classified as both Country and State, and Protect can't apply two opposing row filters (Show Some and Hide Some) to the same column for the same group (Marketing).

Tip To resolve the conflict, decide which row filter or Data Classification should take precedence, and then remove one of the two row filters or Data Classifications.