Conflicting row filters applied to the same column

Note While this documentation is applicable to both classic UI and latest UI, the following images show the latest UI.

Background

Row filters are used to control which rows are visible in a table. Protect offers the following row filters to manage data visibility:

Hide: This filter hides only specific rows in a table based on the Data Classification assigned to the columns, while showing the rest.
Show: This filter shows only specific rows in a table based on the Data Classification assigned to the columns, while hiding the rest.

These filters operate exclusively, meaning that you can't apply both filters simultaneously for the same Data Classification for the same group.

When does a filtering conflict occur?

A filtering conflict occurs when you try to apply both Show and Hide row filters to the same column, for the same group—whether through a single rule or multiple rules. A simple example is of a rule that has both Show and Hide filters for the same Data Classification. The filters conflict each other because you can’t simultaneously show and hide the same rows. You can, however, add multiple filters of the same type to include multiple column values.

Image of the Data Access Rule dialog box showing acceptable row filters

What happens when a filtering conflict occurs?

When a filtering conflict occurs within a single rule, the rule fails during synchronization.

When a filtering conflict occurs between multiple rules:

If the sync status of one was already Active, then the other changes to Failed.
If the sync status of both is Active or Pending, then both change to Failed.

Examples

The following examples describe what happens when you try to apply conflicting row filters to the same column.

Filtering conflict within a rule

Scenario

This scenario considers a single rule that applies different row filters to multiple Data Classifications that share the same column.

The rule grants access to the Marketing group for the Customer Data asset.
The Customer Data asset contains a column that is classified as both Country and State.
The rule filters rows for columns that are classified as Country in the selected asset, as follows:
- Show only rows whose country code is BE.
The rule filters rows for columns that are classified as State in the selected asset, as follows:
- Hide only rows whose country code is PL.

Image of the rule

Behavior

Note The following behavior is applicable regardless of whether the rule is for a single asset or multiple assets.

The rule will fail upon synchronization because of a filtering conflict. The conflict occurs because a column is classified as both Country and State, and Protect can't apply two opposing row filters (Show and Hide) to the same column for the same group (Marketing).

Tip To resolve the conflict, decide which row filter or Data Classification should take precedence, and then remove one of the two row filters or Data Classifications.

Explanation

According to the first filter: If any of the tables in the selected asset contain columns that are classified as Country, only the rows that contain BE in those columns are to be shown, while hiding the remaining rows.

According to the second filter: If any of the tables in the selected asset contain columns that are classified as State, only the rows that contain PL in those columns are to be hidden, while showing the remaining rows.

According to the scenario: The selected asset contains a column that is classified as both Country and State. This column can't simultaneously show only rows that contain BE and show rows that don't contain PL, which is why the rule will fail.