Data protection types

Important

In Collibra 2024.05, we launched a new user interface (UI) for Collibra Platform! You can learn more about this latest UI in the UI overview.

Use the following options to see the documentation in the latest UI or in the previous, classic UI:

Latest UI Classic UI

Protect offers the following types of protection for the tables and columns in your databases through its data protection standards and data access rules.

Tip The term data in this topic refers to the tables and columns in a database.

Protection type	Description	Availability
Access-based	Grants access to data	Rules only
Column-based	Masks data based on Data Category or Data Classification	Both standards and rules
Row-based	Filters data based on Data Classification	Rules only

In this topic

Access-based protection

Access-based protection is the most basic type of protection that you can apply to your data. It involves granting the right group access to data based on the Collibra assets. It is available only in rules.

Example Suppose that you want the HR group to be able to access the data in the Sales data set. You can then create a data access rule to grant access to the HR group for the Sales data set.

Image of the Data Access Rule dialog box with access-based protection

Column-based protection

Column-based protection uses masking levels to protect data in specific columns based on the Data Category or Data Classification assigned to the columns. It is available in both standards and rules.

Protect offers the following levels of column masking, ordered from most masked to least masked.

Image of column masking levels

Masking level	Restrictiveness scale	Description
Custom masking	Most restrictive masking	Shows the data as you define. For more information, go to Custom masking.
Default masking	Highly restrictive masking	Shows the data as 0 or *.
Hashing	Moderately restrictive masking	Shows the data as a set of random letters, numbers, and symbols.
Show last	Less restrictive masking	Shows the last few characters of the data. You can choose to show the last 1 through 20 characters of the data, with 4 being the most common choice.
No masking	Least restrictive masking	Shows the original data without any masking. This masking level is available only in rules.

Example Suppose that you want the HR group to be able to access your source data, but you want to protect any data that is classified as personally identifiable information (PII) by masking it. You can then create a data protection standard to grant access to the HR group, and mask PII data by applying the required masking level. For more examples, go to Data protection standards and data access rules.

Image of the Data Protection Standard dialog box with column-based protection

Row-based protection

Row-based protection uses row filters to control which rows are visible in a table. It is available only in rules.

Protect offers the following row filters to manage data visibility:

Show Everything: This filter shows all rows in a table to the selected groups.
Hide Everything: This filter hides all rows in a table from the selected groups.
Show Some: This filter shows only specific rows in a table to the selected groups, based on the Data Classification assigned to the columns, while hiding the rest.
Hide Some: This filter hides only specific rows in a table from the selected groups, based on the Data Classification assigned to the columns, while showing the rest.

Note When you add any row filter to a table in a rule, groups that aren't selected in the rule lose access to all rows in that table. For example, if you create a rule to show or hide rows in a table specifically for the HR group, all other groups can't access any rows in that table. If you want other groups to be able to access all rows in that table, create another rule for those groups with the Show Everything row filter.

Show: This filter shows only specific rows in a table to the selected groups based on the Data Classification assigned to the columns, while hiding the rest.
Hide: This filter hides only specific rows in a table from the selected groups based on the Data Classification assigned to the columns, while showing the rest.

Row filters operate exclusively, meaning that you can't apply both filters simultaneously for the same Data Classification for the same group.

Example Suppose that you want the Sales group to be able to access the data set of only US-based customers. You can then create a data access rule to grant access to the Sales group, and show only the required rows by applying a row filter.

Image of a rule showing row-based protection

Example Suppose that you want the HR group to be able to access the data set of only US-based customers. You can then create a data access rule to grant access to the HR group, and show only the required rows by applying a row filter.

Show more information

Consider the Customer asset, which contains the following columns, where the Country column is classified as Region.

Customer ID	Name	Country	Amount
1	Anya A	US	1000
2	Bobby B	Canada	1500
3	Carol C	US	2000
4	Dora D	UK	3000

Without row-based protection in the rule, the HR group can see all the rows in the table. Howerver, with row-based protection, the HR group can see only those rows that contain the value US in the Country column.

Customer ID	Name	Country	Amount
1	Anya A	US	1000
3	Carol C	US	2000

Default masking for everyone else in Snowflake

You can define how sensitive data is masked for Snowflake roles that aren't included in any standards and rules using the Default masking for everyone field. By default, no masking is applied to such roles.

The Default masking for everyone field is available when adding the Protect for Snowflake capability to the Edge or Collibra Cloud site. It can help you control the default masking behavior for roles other than the ones included in standards and rules, by providing the following options:

No Masking: Shows the original data without masking. This is the default option.
Default Masking: Replaces the original data with 0 or *.
Hashing: Replaces the original data with a set of random letters, numbers, and symbols.

Example Suppose that:

In the Protect for Snowflake capability, the Default Masking option is selected in the Default masking for everyone field.
A rule is set for the Marketing group to protect data that is classified as sensitive (CAR_SENSITIVE_INFO) in the Car details asset by showing the last 3 characters.
No standard or rule is set for the Software Engineering group.

Then, in Snowflake, for those columns in the Car details asset that are classified as sensitive:

The Marketing group can see only the last 3 characters of the data.
The Software Engineering group can see 0 or * (default masking) in place of the data.

If the No Masking option is selected in the Default masking for everyone field, the Software Engineering group can see the original data.