Tag Policies

A tag is a label that a user attaches to an object. It describes some attribute of the object so that access can be controlled based on that attribute. A tag can be applied to multiple data sources or types of data.

For example, database columns labeled "Email" or "Phone Number" can be tagged as "PII". You can then write policies that control access to PII-tagged data.

Adding Services

  1. From the homepage, click Access Management > Tag Policies.

  2. Click Add service (plus sign) at the top of a service group panel.

  3. Type a Service Name and Description.

  4. Set the Active Status.

  5. Enter the Key and Value in Add New Configuration. You can add multiple configurations.

  6. To verify the configuration, click Test Connection.

Create Access Policies

  1. From the homepage, click Access Management > Tag Policies.

  2. On the Tag Policies page, click a service in a service group panel.

  3. Select the Access tab.

  4. Click Add New Policy.

  5. Configure the policy.

    • Policy Type: Accept the default value (Access).

    • Policy Name: Must be unique among all policies.

    • Normal/Override: If you select Override, this policy takes precedence over other policies.

    • Policy Labels: Enter the label for this policy. Labels help when you search reports and filter policies.

    • Tag: Enter the applicable tag name.

    • Policy Conditions: Click Add Conditions+ to add policy conditions (This is applied at the policy level).

    • Audit Logging: When enabled, an event is entered in the audit log when this policy is applied. 

Create Masking Policies

  1. From the homepage, click Access Management > Tag Policies.

  2. On the Tag Policies page, click a service in a service group panel.

  3. Select the Masking tab.

  4. Click Add New Policy.

  5. Configure the masking policy general settings.

    • Policy Type: Accept the default value (Access).

    • Policy Name: Must be unique among all policies.

    • Normal/Override: If you select Override, this policy takes precedence over other policies.

    • Add Validity Period: Select the start and end time of the policy along with the timezone and save.

    • Policy Labels: Enter the label for this policy. Labels help when you search reports and filter policies.

    • Tag: Enter the applicable tag name.

    • Policy Conditions: Click Add Conditions+ to add policy conditions (This is applied at the policy level).

    • Audit Logging: Enable or disable audit logging. Toggle to 'No' if this policy doesn't need to be audited. The default is 'Yes'.

  6. Apply masking conditions.

    1. Under Masking Conditions, click Add (+).

    2. Select the roles to which this policy applies. To assign a role as an Administrator for the resource, add component permissions and define admin permissions. The administrator can create sub-policies based on the existing policies.

    3. Select the groups to which this policy applies. To assign a group as an Administrator for the resource, add component permissions and define admin permissions. The administrator can create sub-policies based on the existing policies. The public group contains all users, so setting a condition for the public group applies to all users.

    4. Select the users to which this policy applies. To assign a user as an Administrator for the resource, add component permissions, and define admin permissions. The administrator can create sub-policies based on the existing policies.

    5. Click Add Conditions+ and configure the policy conditions.

      1. Set Accessed after... to Yes or No and click Syntax Check.

      2. Enter a boolean expression. This option is applicable to allow or deny conditions on tag-based policies.

    6. Click Add Permissions+ and configure the Component Permissions.

    7. Click Select Masking Option and select a masking type.

    8. Default: Accept the masking scheme applied by the system.

    9. Custom: Enter a custom masked value or expression. Custom masking can use any valid Hive UDF that returns the same data type as the column being masked.

Note: Conditions are evaluated sequentially as listed in the policy.
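
The following is an added example, not product code. It models the note above to show how a masking condition for the public group, listed first, hides every condition after it, and how to check a policy for such unreachable rows. It assumes the first matching condition decides the mask and ignores per-row boolean conditions; the `Condition` class, the mask names and the sample policy are constructed for illustration.

```python
from dataclasses import dataclass, field

PUBLIC = "public"  # per the page, the public group contains all users


@dataclass
class Condition:
    """One masking condition row (hypothetical model, not the product's schema)."""
    mask: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    users: set = field(default_factory=set)

    def matches(self, user, user_groups, user_roles):
        return (user in self.users
                or PUBLIC in self.groups
                or bool(self.groups & user_groups)
                or bool(self.roles & user_roles))


def effective_mask(conditions, user, user_groups=(), user_roles=()):
    """Walk conditions in listed order; the first match decides (assumption)."""
    for cond in conditions:
        if cond.matches(user, set(user_groups), set(user_roles)):
            return cond.mask
    return None  # no masking condition applies to this user


def shadowed(conditions):
    """Indexes of conditions that are unreachable because an earlier
    condition already matches every principal they name."""
    dead = []
    for i, cond in enumerate(conditions):
        for earlier in conditions[:i]:
            covers_all = PUBLIC in earlier.groups
            covers_same = (cond.users <= earlier.users
                           and cond.groups <= earlier.groups
                           and cond.roles <= earlier.roles)
            if covers_all or covers_same:
                dead.append(i)
                break
    return dead


# Constructed sample policy for a PII tag; mask names are placeholders.
BAD_ORDER = [
    Condition(mask="redact", groups={PUBLIC}),          # broad rule first
    Condition(mask="show_last_4", roles={"support"}),   # never reached
]
GOOD_ORDER = list(reversed(BAD_ORDER))  # specific rule first, public last
```

Running `shadowed()` over an exported or hand-copied list of conditions before saving a policy catches ordering mistakes that the Test Connection and Syntax Check buttons do not cover.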


Last update: October 5, 2021