How to Use a Classification Framework with Your Own Tags

After you have configured a data catalog integration and registered data sources in Immuta, you can start automating data classification of a column based on its context, which is the combination of

• associated tags already applied to the column

• tags applied to the neighboring columns and

• table tags on the data source.

The starter framework in this how-to is built to map a classification scale of restricted, confidential, internal, and public to Immuta's three-level scale, which can be visualized in the data source and query event dashboards.

Follow this guide to map your external catalog tags to the example framework, or consult the framework API guide for more information about the framework schema.

Requirement: An external catalog configured in Immuta

Customize the framework

Using the example framework below, customize the framework for your organization's classification tags:

{
  "shortName": "ECMC Framework",
  "name": "External Catalog Mapping Classification Framework",
  "description": "This framework maps the classification tags the organization has in Collibra to Immuta data sources.",
  "": [
    {
      "name": "ECMC.Confidentiality.Highly Sensitive",
      "source": "curated",
      "": [
        {
          "": "confidentiality",
          "": 2
        }
      ]
    },
    {
      "name": "ECMC.Confidentiality.Sensitive",
      "source": "curated",
      "sensitivities": [
        {
          "dimension": "confidentiality",
          "sensitivity": 1
        }
      ]
    },
    {
      "name": "ECMC.Confidentiality.Nonsensitive",
      "source": "curated",
      "sensitivities": []
    }
  ],
  "": [
    {
      "name": "ECMC 00001",
      "": {
        "name": "ECMC.Confidentiality.Highly Sensitive",
        "": "curated"
      },
      "": [
        {
          "name": "Restricted",
          "source": "collibra"
        }
      ],
      "": [],
      "": []
    },
    {
      "name": "ECMC 00002",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Sensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Confidential",
          "source": "collibra"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    },
    {
      "name": "ECMC 00003",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Sensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Internal",
          "source": "collibra"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    },
    {
      "name": "ECMC 00004",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Nonsensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Public",
          "source": "curated"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    }
  ],
  "": true
}

Parameters

For more information about these parameters see the Frameworks API reference guide.

1. tags: These tags are automatically created in Immuta with the sensitivity you assign. They must not already exist in Immuta. All tags used in the classificationTag parameter should be defined here.

2. tags.sensitivities: This is metadata for the sensitivity of the new tag. Use confidentiality for dimension. Options for sensitivity are 1 (shown as sensitive in Detect dashboards) and 2 (shown as highly sensitive in Detect dashboards). For nonsensitive, leave this parameter empty.

3. rules: These are the rules for applying the tags defined above. Each rule contains the classification tag to apply if the requirements are met and the requirements: the column tags, neighboring column tags, and table tags that must be present. All requirements within each defined rule must be met for the classification tag to be applied.

4. rules.classificationTag: The name and source of the tag you want applied if the rule requirements are met. This classification tag must be defined in tags. The source is curated.

5. rules.columnTags: These are the required tags for a column. If the tags defined here are found on a column, and the other tag rules are met, then the rule's classificationTag will be applied to the same column.

6. rules.neighborColumnTags: These are the required tags on other columns in the data source (or in the query if dynamic query classification is enabled). If the tags defined here are found on any column in the data source, and the other tag rules are met, then the rule's classificationTag will be applied to all the neighboring columns.

7. rules.tableTags: These are the required tags on the data source. If the tags defined here are found on the data source, and the other tag rules are met, then the rule's classificationTag will be applied to all the columns in that data source.

8. active: When true the framework is active and will apply tags when the rules are met.

How to edit rules

Follow the example below to map your external tags to the rules in the example framework.

This example framework has a rule where columns tagged DSF.Interpretation.Credentials.Secret by sensitive data discovery will be tagged RAF.Confidentiality.High:

"rules": [
{
    "name": "RAF 00004",
    "classificationTag": {
      "name": "RAF.Confidentiality.High",
      "source": "curated"
    },
    "columnTags": [
    {
        "name": "DSF.Interpretation.Credentials.Secret",
        "source": "curated"
    }
    ],
    "neighborColumnTags": [],
    "tableTags": []
}
]

To translate this to your tags, replace the name and source value of the columnTags, neighborColumnTags, or tableTags with your own. This new example is for a Collibra tag that an organization uses for confidential data. This rule now states: Apply the classification tag RAF.Confidentiality.High to a column if it has the collibra tag Confidential. Repeat this for your organization's remaining classification levels.

"rules": [
{
    "name": "RAF 00004",
    "classificationTag": {
      "name": "RAF.Confidentiality.High",
      "source": "curated"
    },
    "columnTags": [
    {
        "name": "Confidential",
        "source": "collibra"
    }
    ],
    "neighborColumnTags": [],
    "tableTags": []
}
]

Find the name and source for your tags

If you do not know the name or source for your tags, you can list your tags using the Immuta API:

curl \
    --request GET \
    --header "accept: application/json" \
    --header "Authorization: Bearer <your-token." \
    https://your-immuta-url.com/tag

This request will list all the tags in your Immuta environment, similar to this example response:

[
  {
    "id": 114,
    "name": "DataProperties.Cross-Sectional",
    "source": "curated",
    "deleted": false,
    "systemCreated": true
  },
  {
    "id": 2,
    "name": "Discovered.Country.Argentina",
    "source": "curated",
    "deleted": false,
    "systemCreated": true
  },
  {
    "id": 9,
    "name": "Discovered.Country.Australia",
    "source": "collibra",
    "deleted": false,
    "systemCreated": true
  }
]

Activate your new framework

Requirement: Immuta permission GOVERNANCE

Once you have made all the customizations to the example framework, make the following request using the Immuta API, with your full customized framework as the payload.

curl \
    --request POST \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <your-token>" \
    --data @example-payload.json \
    https://your.immuta.com/frameworks/

Your new framework will now be visible in the Immuta UI by navigating the the Classification section under Discover.