Tags are a core concept in Privacera Discovery and access control.
In addition to security policies for resources and roles, you can create tag-based policies. With tag-based policies you can manage access to sensitive data regardless of where the data is stored.
Privacera Discovery first scans data sources and tags all sensitive information across the enterprise, such as PERSON_NAME, PII, ADDR, or EMAIL_ADDR. A dataset attribute, such as a column, a table, or a file, can be tagged with metadata that is used to classify the data asset. For example, a column called "Email" or "Phone_Number" can be tagged as "PII".
The data administrator can then create policies based on those tags.
Privacera comes with a tag store that saves this additional information about the dataset. Tags enrich the information about existing data so that access control policies can be fine-tuned and applied based on it.
To add a tag:
On the Privacera home page, on the left, expand the Discovery menu and click Tags Information.
Click the + icon.
The Add Tag dialog is displayed.
Enter the Tag Name (required).
Enter the Description.
The tag is added.
To edit tags:
- In the Tags Information page, from the left column that displays the tag list, select the tag to edit and click Edit.
The Edit Tag dialog is displayed.
Note: You cannot change a tag name.
Update the Description field.
The tag is updated.
To delete tags:
- In the Tags Information page, from the left column that displays the tag list, select the tag to delete and click Delete.
The following message is displayed: "Are you sure you want to delete this tag?"
- Click Yes to delete the tag or No to return to the Tags Information page.
The tag is deleted.
Search for Tags
To search for tags:
In the Tags Information page, enter the tag name in the search filter and press Enter.
The page displays the tags that match the search criteria.
Add, Edit, or Delete Tag Attributes
The Attributes field holds a list of attributes associated with a tag. You can filter the list of attributes using the search pattern option. This tab also displays the total count of records with this tag.
To add an attribute for a specific tag:
In the Tags Information page, from the left column that displays the tag list, select the required tag.
Under Attributes, click + Add Attribute.
The Add Attribute dialog is displayed.
Enter the Name of the attribute.
Enter the Value of the attribute.
The Attribute is added to the selected tag.
Actions: Under Actions, you can delete or edit the attribute.
To export the tag file in JSON format:
Select the checkbox of the required tag and click Export.
You can select multiple tags.
The tag file is exported.
To import a tag file in JSON format:
Click the Import icon.
The Import dialog is displayed.
Browse and select the JSON file and click Save.
The tag file is imported.
Fetch AWS S3 Tags
This feature allows you to fetch AWS S3 tags to Discovery. There are two levels of tags that can be fetched:
- Object Tags: Tags associated with the AWS S3 object/files in buckets.
- Bucket Tags: Tags associated with the S3 bucket.
To fetch AWS S3 tags:
Navigate to Discovery > Tags Information and create a tag named 'AWS_S3_TAG'.
Navigate to Settings > Data Source Registration and add or update the Application Properties as follows:
Set "Fetch S3 Object Tags": true
Set "Fetch S3 Bucket Tags": true
By default, both properties are disabled (set to false).
Now, go to Data Inventory > Classifications and click AWS_S3_TAG under the Tag column, then click the View attributes link.
AWS S3 tags will be displayed in the Data Info grid.
If the 'AWS_S3_TAG' tag has not been created, AWS S3 tags are not fetched and the tag is not displayed on the Classifications page.
If both Object and Bucket tags are enabled and they share a common tag, the Object tag overrides the Bucket tag.
For example, if the Bucket tag is 'owner=user1' and the Object tag is 'owner=user2', the 'AWS_S3_TAG' tag will have 'owner=user2' as its attribute.
Tags fetched from AWS S3 are added as attributes of 'AWS_S3_TAG'.
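The override rule above, as an added example (not Privacera code): it merges bucket-level and object-level tag sets, in the `TagSet` JSON shape returned by `aws s3api get-bucket-tagging` and `aws s3api get-object-tagging`, to show which attributes to expect on 'AWS_S3_TAG' and which bucket tags an object tag has overridden. The sample tag sets and the function names are constructed for illustration, and the handling of a disabled property is an assumption based on the description above.

```python
import json

# Constructed sample data in the shape returned by
# `aws s3api get-bucket-tagging` and `aws s3api get-object-tagging`.
BUCKET_TAGGING = json.loads(
    '{"TagSet": [{"Key": "owner", "Value": "user1"},'
    ' {"Key": "env", "Value": "prod"}]}')
OBJECT_TAGGING = json.loads(
    '{"TagSet": [{"Key": "owner", "Value": "user2"},'
    ' {"Key": "class", "Value": "pii"}]}')


def tagset_to_dict(tagging):
    """Flatten an S3 TagSet list into {key: value}."""
    return {t["Key"]: t["Value"] for t in tagging.get("TagSet", [])}


def expected_attributes(bucket_tagging, object_tagging,
                        fetch_bucket_tags=False, fetch_object_tags=False):
    """Return (attributes, overridden) for one S3 object.

    attributes: key/value pairs expected as AWS_S3_TAG attributes.
    overridden: {key: (bucket_value, object_value)} for keys where the
    object tag replaced a different bucket tag value.
    The flags mirror "Fetch S3 Bucket Tags" and "Fetch S3 Object Tags",
    which default to false; a disabled level is assumed to contribute
    no tags (assumption, not taken from product code).
    """
    bucket = tagset_to_dict(bucket_tagging) if fetch_bucket_tags else {}
    obj = tagset_to_dict(object_tagging) if fetch_object_tags else {}
    attributes = {**bucket, **obj}  # object tags win on a common key
    overridden = {k: (bucket[k], obj[k])
                  for k in bucket.keys() & obj.keys()
                  if bucket[k] != obj[k]}
    return attributes, overridden


if __name__ == "__main__":
    attrs, shadowed = expected_attributes(
        BUCKET_TAGGING, OBJECT_TAGGING, True, True)
    print("AWS_S3_TAG attributes:", attrs)
    for key, (b, o) in shadowed.items():
        print(f"bucket tag {key}={b} overridden by object tag {key}={o}")
```

Reviewing the overridden keys matters when tag-based policies depend on a bucket-level value, because a tag set on a single object changes the attribute that the policy evaluates for that object.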
The 'AWS_S3_TAG' tag and its attributes are synced to Apache Ranger. Verify using the following URL.