Data protection types

Important 

In Collibra 2024.05, we launched a new user interface (UI) for Collibra Platform! You can learn more about this latest UI in the UI overview.


Protect offers the following types of protection for the tables and columns in your databases through its data protection standards and data access rules.

Tip The term data in this topic refers to the tables and columns in a database.

| Protection type | Description | Availability |
| --- | --- | --- |
| Access-based | Grants access to data | Rules only |
| Column-based | Masks data based on Data Category or Data Classification | Both standards and rules |
| Row-based | Filters data based on Data Classification | Rules only |


Access-based protection

Access-based protection is the most basic type of protection that you can apply to your data. It involves granting the right group access to data based on the Collibra assets. It is available only in rules.

Example Suppose that you want the HR group to be able to access the data in the Sales data set. You can then create a data access rule to grant access to the HR group for the Sales data set.

Image of the Data Access Rule dialog box with access-based protection

Column-based protection

Column-based protection uses masking levels to protect data in specific columns based on the Data Category or Data Classification assigned to the columns. It is available in both standards and rules.

Protect offers the following levels of column masking, ordered from most masked to least masked.

Image of column masking levels

| Masking level | Restrictiveness scale | Description |
| --- | --- | --- |
| Custom masking | Most restrictive masking | Shows the data as you define. For more information, go to Custom masking. |
| Default masking | Highly restrictive masking | Shows the data as 0 or *. |
| Hashing | Moderately restrictive masking | Shows the data as a set of random letters, numbers, and symbols. |
| Show last | Less restrictive masking | Shows the last few characters of the data. You can choose to show the last 1 through 20 characters of the data, with 4 being the most common choice. |
| No masking | Least restrictive masking | Shows the original data without any masking. This masking level is available only in rules. |

Example Suppose that you want the HR group to be able to access your source data, but you want to protect any data that is classified as personally identifiable information (PII) by masking it. You can then create a data protection standard to grant access to the HR group, and mask PII data by applying the required masking level. For more examples, go to Data protection standards and data access rules.

Image of the Data Protection Standard dialog box with column-based protection

Row-based protection

Row-based protection uses row filters to control which rows are visible in a table. It is available only in rules.

Protect offers the following row filters to manage data visibility:
  • Show Everything: This filter shows all rows in a table to the selected groups.
  • Hide Everything: This filter hides all rows in a table from the selected groups.
  • Show Some: This filter shows only specific rows in a table to the selected groups, based on the Data Classification assigned to the columns, while hiding the rest.
  • Hide Some: This filter hides only specific rows in a table from the selected groups, based on the Data Classification assigned to the columns, while showing the rest.

Note When you add any row filter to a table in a rule, groups that aren't selected in the rule lose access to all rows in that table. For example, if you create a rule to show or hide rows in a table specifically for the HR group, all other groups can't access any rows in that table. If you want other groups to be able to access all rows in that table, create another rule for those groups with the Show Everything row filter.

  • Show: This filter shows only specific rows in a table to the selected groups based on the Data Classification assigned to the columns, while hiding the rest.
  • Hide: This filter hides only specific rows in a table from the selected groups based on the Data Classification assigned to the columns, while showing the rest.

Row filters operate exclusively, meaning that you can't apply both filters simultaneously for the same Data Classification for the same group.

Example Suppose that you want the Sales group to be able to access the data set of only US-based customers. You can then create a data access rule to grant access to the Sales group, and show only the required rows by applying a row filter.

Image of a rule showing row-based protection

Example Suppose that you want the HR group to be able to access the data set of only US-based customers. You can then create a data access rule to grant access to the HR group, and show only the required rows by applying a row filter.
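The note about unselected groups losing all rows is easy to miss when reviewing rules, so here is a small model of it as an added example (not Collibra code). The rule layout, the column/value match used for Show Some and Hide Some, and the sample table are assumptions made for this sketch.

```python
# Filter names come from the list above; the rule layout and the
# column/value match are assumptions made for this sketch.
SHOW_EVERYTHING, HIDE_EVERYTHING, SHOW_SOME, HIDE_SOME = (
    "Show Everything", "Hide Everything", "Show Some", "Hide Some")

def visible_rows(group, rows, rules):
    """Rows of one table that `group` can read under its row-filter rules."""
    if not rules:
        return list(rows)          # no row filter on the table at all
    mine = [r for r in rules if group in r["groups"]]
    if not mine:
        return []                  # table is filtered, group not selected
    rule = mine[0]                 # sketch handles one rule per group
    kind = rule["filter"]
    if kind == SHOW_EVERYTHING:
        return list(rows)
    if kind == HIDE_EVERYTHING:
        return []
    col, val = rule["column"], rule["value"]
    if kind == SHOW_SOME:
        return [r for r in rows if r[col] == val]
    if kind == HIDE_SOME:
        return [r for r in rows if r[col] != val]
    raise ValueError(f"unknown row filter: {kind}")

def locked_out(groups, rules):
    """Groups that lose every row because a filter exists and none names them."""
    if not rules:
        return []
    named = {g for r in rules for g in r["groups"]}
    return [g for g in groups if g not in named]

# Constructed sample data: a customers table with a country column.
ROWS = [{"id": 1, "country": "US"}, {"id": 2, "country": "DE"},
        {"id": 3, "country": "US"}]
GROUPS = ["Sales", "HR", "Finance"]
RULES = [{"groups": ["Sales"], "filter": SHOW_SOME,
          "column": "country", "value": "US"}]
# The remedy from the note: a second rule with Show Everything.
FIXED = RULES + [{"groups": ["HR", "Finance"], "filter": SHOW_EVERYTHING}]

if __name__ == "__main__":
    print("locked out before fix:", locked_out(GROUPS, RULES))
    print("locked out after fix: ", locked_out(GROUPS, FIXED))
```

Running `locked_out` over the full group list before publishing a rule shows which groups need a companion Show Everything rule.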

Default masking for everyone else in Snowflake

You can define how sensitive data is masked for Snowflake roles that aren't included in any standards and rules using the Default masking for everyone field. By default, no masking is applied to such roles.

The Default masking for everyone field is available when adding the Protect for Snowflake capability to the Edge or Collibra Cloud site. It can help you control the default masking behavior for roles other than the ones included in standards and rules, by providing the following options:

  • No Masking: Shows the original data without masking. This is the default option.
  • Default Masking: Replaces the original data with 0 or *.
  • Hashing: Replaces the original data with a set of random letters, numbers, and symbols.

Example Suppose that:
  • In the Protect for Snowflake capability, the Default Masking option is selected in the Default masking for everyone field.
    Image of the Default masking for everyone field
  • A rule is set for the Marketing group to protect data that is classified as sensitive (CAR_SENSITIVE_INFO) in the Car details asset by showing the last 3 characters.
    Image of a rule for the Marketing group
  • No standard or rule is set for the Software Engineering group.

Then, in Snowflake, for those columns in the Car details asset that are classified as sensitive:

  • The Marketing group can see only the last 3 characters of the data.
    Image of the data shown to the Marketing group in Snowflake
  • The Software Engineering group can see 0 or * (default masking) in place of the data.
    Image of the data shown to the Engineering group in Snowflake

If the No Masking option is selected in the Default masking for everyone field, the Software Engineering group can see the original data.
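The Car details scenario above, worked through as an added example (not Collibra code) that also lists which groups would read the original value under a given Default masking for everyone setting. Assumptions: SHA-256 hex stands in for the hashing output, hidden characters in Show last are drawn as `*`, default masking returns 0 for numbers and `*` for text, and the sample value is constructed.

```python
import hashlib

# Masking levels named on this page; the constant values are labels for this sketch.
NO_MASKING, DEFAULT_MASKING, HASHING, SHOW_LAST = (
    "no_masking", "default", "hashing", "show_last")

def mask(value, level, last_n=4):
    """Return what a reader sees for one column value under a masking level."""
    if level == NO_MASKING:
        return value
    if level == DEFAULT_MASKING:
        # The page says "0 or *"; assumed here: 0 for numbers, * for text.
        return 0 if isinstance(value, (int, float)) else "*"
    if level == HASHING:
        # Assumption: SHA-256 hex stands in for the platform's hash output.
        return hashlib.sha256(str(value).encode()).hexdigest()
    if level == SHOW_LAST:
        if not 1 <= last_n <= 20:
            raise ValueError("show last accepts 1 through 20 characters")
        text = str(value)
        # Assumption: hidden leading characters are rendered as '*'.
        return "*" * max(len(text) - last_n, 0) + text[-last_n:]
    raise ValueError(f"unknown masking level: {level}")

def effective_view(group, value, rules, default_for_everyone=NO_MASKING):
    """Groups named in a rule get that rule's masking; all others get the default."""
    if group in rules:
        level, last_n = rules[group]
        return mask(value, level, last_n)
    return mask(value, default_for_everyone)

def unmasked_groups(groups, value, rules, default_for_everyone=NO_MASKING):
    """Audit helper: groups that would read the original value."""
    return [g for g in groups
            if effective_view(g, value, rules, default_for_everyone) == value]

# Constructed sample mirroring the Car details example above.
RULES = {"Marketing": (SHOW_LAST, 3)}
GROUPS = ["Marketing", "Software Engineering"]
SAMPLE = "CAR-SAMPLE-0001234"  # constructed CAR_SENSITIVE_INFO value

if __name__ == "__main__":
    for g in GROUPS:
        print(g, "->", effective_view(g, SAMPLE, RULES, DEFAULT_MASKING))
    print("unmasked with No Masking default:",
          unmasked_groups(GROUPS, SAMPLE, RULES))
```

A value shorter than the Show last length is returned whole in this model, so `unmasked_groups` also flags rules whose Show last setting is too generous for short columns.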