Set up Protect

Important 

In Collibra 2024.05, we launched a new user interface (UI) for Collibra Platform! You can learn more about this latest UI in the UI overview.

Use the following options to see the documentation in the latest UI or in the previous, classic UI:

Tip 

The information in this topic varies depending on the data source you select below.

Data source

Enable Protect

This section describes how to make Protect available on your Collibra environment.

  1. Contact Collibra Support or your representative to enable Protect on your Collibra environment.
  2. Ensure that the Protect global roles and global permissions are correctly set.

    Image of the Protect global roles

    Image of the Protect global roles

  3. Ensure that the following setting is enabled by Collibra: feature.protect.databricks
    Tip This can be done by adding the following JVM parameter via Collibra Console and then restarting the service: -Dfeature.protect.databricks=true

On the main toolbar, if you click , Protect is shown.

Set up Protect for AWS Lake Formation

This section describes how to establish a connection between AWS Lake Formation and Protect.

Steps

  1. Ingest data from the data source.
    1. Download the JDBC driver for Amazon Athena.
    2. Create a JDBC connection from your Edge site to Amazon Athena.
      Tip When creating the connection, in the Connection provider field, select Generic JDBC connection. Additionally, in the PropertyConnection properties section, set the IncludeTableTypes connection property to true. This property creates a distinction between tables and views in the ingested metadata, creating Table assets and View assets in Collibra. If the property is set to false, the metadata is ingested as Table assets.
    3. Add the Catalog JDBC ingestion capability to the Edge site.
      Tip When adding the capability, in the Capability template field, select Catalog JDBC Ingestion. Additionally. in the JDBC Connection field, select the JDBC connection created in step 1b.
    4. Register and synchronize the data source.
    The following image shows an ingested AWS Lake Formation database. The Data Source Type attribute containing the value Amazon Athena is added to the database asset only after the Catalog JDBC ingestion process is complete.

    Image of an ingested Athena database

    Image of an ingested Athena database

  2. Create an AWS connection from the Edge site to Amazon Athena.
    Tip When creating the connection, in the Connection provider field, select AWS connection. Additionally, ensure that the user associated with the Access Key ID used in the connection has the required permissions.
  3. Add the Protect for AWS Lake Formation capability to the Edge site
    1. On the main toolbar, click Products iconSettings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
    4. On the Capabilities tab, click Add Capability.
      The Add Capability dialog box appears.
    5. Select Collibra Protect for AWS Lake Formation.
    6. Enter the required information.
      FieldDescription
      NameName to identify the capability.
      DescriptionDescription for the capability.
      Capability templateCollibra Protect for AWS Lake Formation.
      AWS Lake Formation ConnectionAWS Lake Formation connection created in step 2 to connect to AWS Lake Formation.
    7. Click Create.
    Tip 
    • When adding the capability, in the AWS Lake Formation Connection field, select the AWS connection created in step 2.
    • Don't add more than one Collibra Protect for AWS Lake Formation capability to the Edge site.

Set up Protect for BigQuery

This section describes how to establish a connection between BigQuery and Protect.

Steps

  1. Ingest data from BigQuery.
    1. Download the JDBC driver for Google BigQuery.
    2. Create a JDBC connection from your Edge site to Google BigQuery.
      Tip When creating the connection, in the Connection provider field, select Generic JDBC connection. Additionally, in the PropertyConnection properties section, set the value of the Other connection property to SupportNativeDataType=True.
    3. Add the Catalog JDBC ingestion capability to the Edge site.
      Tip When adding the capability, in the Capability template field, select Catalog JDBC Ingestion. Additionally. in the JDBC Connection field, select the JDBC connection created in step 1b.
    4. Register and synchronize the data source.
    The following image shows an ingested BigQuery database. The Data Source Type attribute containing the value Google BigQuery is added to the database asset only after the Catalog JDBC ingestion process is complete.

    Ingested BigQuery database

    Ingested BigQuery database

  2. Create a GCP connection from the Edge site to Google BigQuery.
    Tip 
    • Apart from the JDBC connection created for the Catalog ingestion, Protect for BigQuery requires an extra connection, which is the GCP connection. The GCP connection is necessary because Protect requires access to certain GCP APIs that cannot be reached through the JDBC connection alone. The GCP connection ensures that data protection is enforced.
    • When creating the connection, in the Connection provider field, select GCP connection. Additionally, ensure that the user associated with the GCP Service Account used in the connection has the required permissions.
  3. Add the Protect for BigQuery capability to the Edge site.
    1. On the main toolbar, click Products iconSettings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
    4. On the Capabilities tab, click Add Capability.
      The Add Capability dialog box appears.
    5. Select Collibra Protect for Google BigQuery.
    6. Enter the required information.
      FieldDescription
      NameName to identify the capability.
      DescriptionDescription for the capability.
      Capability templateCollibra Protect for Google BigQuery.
      GCP ConnectionGCP connection created in step 2 to connect to Google Cloud Platform.
      Exclude partitioned columns

      By default, partitioned columns aren't masked. If you want partitioned columns to be masked, clear this checkbox.

      Tip Partitioned columns are those that are used to organize the data in a table by dividing the table into smaller, more manageable sections called partitions.
      Grant access to tables
      Note This feature is relevant only if the Grant access to the data linked to these assetsGrant Access to Data Linked to Selected Assets checkbox is selected in a data access rule that contains only row filters.

      By default, the Grant access to tables checkbox is cleared. This means that Protect creates policy tags with the Fine-Grained Reader role and assigns them to the BigQuery columns governed by the rule. If you select the Grant access to tables checkbox, Protect instead assigns policy tags with the BigQuery Data Viewer role to the BigQuery tables governed by the rule.

    7. Click Create.
    Tip 
    • When adding the capability, in the GCP Connection field, select the GCP connection created in step 2.
    • Don't add more than one Collibra Protect for Google BigQuery capability to the Edge site.
    • If the version of the capability is 1.97.1, ensure that the JSON content in the GCP Service Account field in the GCP connection you created is Base64 encoded. You can find the version of the capability in the Version column on the Capabilities tab.

Set up Protect for Databricks

This section describes how to establish a connection between Databricks and Protect.

Steps

  1. Ingest data from Databricks.
    1. Download the JDBC driver for Databricks.
    2. Create a JDBC connection from your Edge site to Databricks.
      Tip When creating the connection, in the Connection provider field, select Username/Password JDBC connection. Additionally, in the Connection string field, include EnableArrow=0.
    3. Add the Catalog JDBC ingestion capability to the Edge site.
      Tip When adding the capability, in the Capability template field, select Catalog JDBC Ingestion. Additionally, in the JDBC Connection field, select the JDBC connection created in step 1b.
    4. Register and synchronize the data source.
    The following image shows an ingested Databricks database. The Data Source Type attribute containing the value SparkSQL is added to the database asset only after the Catalog JDBC ingestion process is complete.

    Ingested Databricks database

    Ingested Databricks database

  2. Create a Username/Password JDBC connection from the Edge site to Databricks.
    Tip When creating the connection, in the Connection provider field, select Username/Password JDBC connection. Additionally, ensure that the user associated with the Databricks role used in the connection has the required privileges.
  3. Add the Protect for Databricks capability to the Edge site.
    1. On the main toolbar, click Products iconSettings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
    4. On the Capabilities tab, click Add Capability.
      The Add Capability dialog box appears.
    5. Select Collibra Protect for Databricks.
    6. Enter the required information.
      FieldDescription
      NameName to identify the capability.
      DescriptionDescription for the capability.
      Capability templateCollibra Protect for Databricks.
      JDBC Connection

      Username/Password JDBC connection created in step 2 to connect to Databricks.

    7. Click Create.
    Tip 
    • When adding the capability, in the JDBC Connection field, select the Username/Password JDBC connection created in step 2.
    • Don't add more than one Collibra Protect for Databricks capability to the Edge site.

Set up Protect for Snowflake

This section describes how to establish a connection between Snowflake and Protect.

Steps

  1. Ingest data from the data source.
    1. Download the JDBC driver for Snowflake.
    2. Create a JDBC connection from your Edge site to Snowflake.
      Tip When creating the connection, in the Connection provider field, select Username/Password JDBC connection.
    3. Add the Catalog JDBC ingestion capability to the Edge site.
      Tip 

      When adding the capability, in the Capability template field, selectselect Catalog JDBC Ingestion. Additionally, in the JDBC Connection field, select the JDBC connection created in step 1b.

    4. Register and synchronize the data source.
    The following image shows an ingested Snowflake database. The Data Source Type attribute containing the value Snowflake is added to the database asset only after the Catalog JDBC ingestion process is complete.

    Ingested Snowflake database

    Ingested Snowflake database

  2. Create a Username/Password JDBC connection from the Edge site to Snowflake.
    Tip When creating the connection, in the Connection provider field, select Username/Password JDBC connection. Additionally, ensure that the user associated with the Snowflake role used in the connection has the required privileges.
  3. Add the Protect for Snowflake capability to the Edge site.
    1. On the main toolbar, click Products iconSettings.
      The Settings page opens.
    2. In the tab pane, click Edge.
      The Sites tab opens.
    3. In the table, click the name of the site whose status is Healthy.
      The site page opens.
    4. On the Capabilities tab, click Add Capability.
      The Add Capability dialog box appears.
    5. Select Collibra Protect for Snowflake.
    6. Enter the required information.
      FieldDescription
      NameName to identify the capability.
      DescriptionDescription for the capability.
      Capability templateCollibra Protect for Snowflake.
      JDBC Connection

      Username/Password JDBC connection created in step 2 to connect to Snowflake.

      Snowflake role testing

      An option that determines how Snowflake checks roles (that is, Protect groups) for applying data protection standards and data access rules. This is to accommodate Snowflake users who have multiple roles. This field contains the following options:

      • CURRENT_ROLE: Checks only the primary role assigned to the Snowflake user. This is the default option.
      • IS_ROLE_IN_SESSION: Checks all the roles assigned to the Snowflake user, including secondary roles, within the active session.
    7. Click Create.
    Tip 
    • When adding the capability, in the JDBC Connection field, select the Username/Password JDBC connection created in step 2.
    • Don't add more than one Collibra Protect for Snowflake capability to the Edge site.

What's next?