Requirements:

• SDD enabled

• Frameworks enabled

• Registered Snowflake, Databricks, Redshift, or Starburst (Trino) data sources

• Immuta permission GOVERNANCE

To activate a classification framework,

1. Navigate to Discover and select the Classification tab.

2. Click the more actions icon in the Actions column for the framework you want to activate.

3. Select Activate.

Deactivate a classification framework

1. Navigate to Discover and select the Classification tab.

2. Click the more actions icon in the Actions column for the framework you want to activate.

3. Select Deactivate.

Activate and manage classification frameworks using the API

To activate a framework using the Immuta API, see the Frameworks API reference page.

Requirements:

• SDD enabled

• Frameworks enabled

• Registered Snowflake, Databricks, Redshift, or Starburst (Trino) data sources

• Immuta permission GOVERNANCE

Immuta Discover provides identifiers out-of-the-box to recognize and tag data. Users can then utilize classification frameworks and build them to apply tags based off those identifier tags and their own catalog tags.

Tune identification frameworks and identifiers first to adjust where Discovered tags are applied. Because classification frameworks can apply classification tags from the Discovered tags, tuning SDD should come first and will have trickle-down effects on classification. Customizing SDD requires some initial work but will automate data tagging for all data sources in the future.

Follow the steps below to tune SDD for your data:

1. Create a new identification framework.

2. Configure the resulting tags in the identifiers.

3. Create an identifier specific to your organization.

4. Add a few data sources to your new framework: This will remove the tags from any previous identification frameworks and re-run identification with your new framework. From here, either continue to edit identifiers to reconfigure the applied tags, or if you are happy with the results, proceed to the next step.

5. Configure SDD to run your new framework on all data sources.

After SDD has applied entity tags, any active classification frameworks will automatically reapply their tags to account for any changes to Discovered tags. It may be necessary to adjust the classification tags based on your organization's data, security, and compliance needs.

Assess your data source tags

Requirement: Immuta permission GOVERNANCE or data owner

Target some data sources to manually review tags:

1. Navigate to the data dictionary for the data source by opening the Data Sources page and selecting a data source. Click the Data Dictionary tab to open the data dictionary.

2. The data dictionary lists the data source columns, with details about the name, data type, and a list of the tags on each column. Assess whether the tags are accurate to your data.

If you find that too many tags are applied

Tags may be unexpected but still accurate to your data. Additionally, they may have been applied because they were found to be the best match from the identifiers in the framework.

If you want to improve SDD and personalize it to your data, assess why the tag was applied to your data:

1. Is the identifier incorrectly matching your data and irrelevant to your organization? Delete the identifier that applied the tag from the identification framework.

2. Is the identifier incorrectly matching this specific column, but correct in other places? It must have been the most correct match found by identification. Create a better match by completing the following steps:

   1. Create an identifier specific to the column with a new Discovered tag.

   2. Add the identifier to the identification framework so this column is correctly matched by identification.

If you want to remove the unexpected tags, use one of the following how-to guides:

1. Deactivate frameworks irrelevant to your data sources.

2. Ensure the Discovered tags are applied properly by adjusting SDD.

3. Remove any excess tags. Note that classification tags build off of other tags, so removing a single classification or Discovered tag can have trickle-down effects on the data source.

4. Adjust the classification framework rules using the frameworks API.

If you find that tags are missing

If you were expecting some sensitive data to be tagged and it is not, enable additional tags using one of the following how-to guides:

1. Create classification frameworks relevant to your organization.

2. Ensure the Discovered tags are applied properly by adjusting SDD.

3. Add additional tags. Note that classification tags build off of other tags, so adding a single classification or Discovered tag can have trickle-down effects on the data source.

4. Adjust the classification framework rules using the frameworks API.

Tune your data dictionaries

Requirement: Immuta permissions GOVERNANCE and AUDIT

Tags can be edited on an individual basis for each data source. If broad changes to the classification framework are necessary to re-tag your data, use the frameworks API.

1. Navigate to the Data Sources page and select the data sources that you assessed and noted issues.

2. Click the Data Dictionary tab.

3. Delete unnecessary tags by clicking on the tag you want to remove from the column, and select Disable from the tag side sheet.

4. To add tags,

   1. Click Add Tags in the Actions column.

   2. Begin typing the name of the tag you want to add in the Search by Name field and select the tag from the dropdown list.

   3. Click Add.

After you have configured a data catalog integration and registered data sources in Immuta, you can start automating data classification of a column based on its context, which is the combination of

• associated tags already applied to the column

• tags applied to the neighboring columns and

• table tags on the data source.

The starter framework in this how-to is built to map a classification scale of restricted, confidential, internal, and public to Immuta's three-level scale, which can be visualized in the data source and query event dashboards.

Follow this guide to map your external catalog tags to the example framework, or consult the framework API guide for more information about the framework schema.

Requirement: An external catalog configured in Immuta

Customize the framework

Using the example framework below, customize the framework for your organization's classification tags:

{
  "shortName": "ECMC Framework",
  "name": "External Catalog Mapping Classification Framework",
  "description": "This framework maps the classification tags the organization has in Collibra to Immuta data sources.",
  "": [
    {
      "name": "ECMC.Confidentiality.Highly Sensitive",
      "source": "curated",
      "": [
        {
          "": "confidentiality",
          "": 2
        }
      ]
    },
    {
      "name": "ECMC.Confidentiality.Sensitive",
      "source": "curated",
      "sensitivities": [
        {
          "dimension": "confidentiality",
          "sensitivity": 1
        }
      ]
    },
    {
      "name": "ECMC.Confidentiality.Nonsensitive",
      "source": "curated",
      "sensitivities": []
    }
  ],
  "": [
    {
      "name": "ECMC 00001",
      "": {
        "name": "ECMC.Confidentiality.Highly Sensitive",
        "": "curated"
      },
      "": [
        {
          "name": "Restricted",
          "source": "collibra"
        }
      ],
      "": [],
      "": []
    },
    {
      "name": "ECMC 00002",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Sensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Confidential",
          "source": "collibra"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    },
    {
      "name": "ECMC 00003",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Sensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Internal",
          "source": "collibra"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    },
    {
      "name": "ECMC 00004",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Nonsensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Public",
          "source": "curated"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    }
  ],
  "": true
}

Parameters

For more information about these parameters see the Frameworks API reference guide.

1. tags: These tags are automatically created in Immuta with the sensitivity you assign. They must not already exist in Immuta. All tags used in the classificationTag parameter should be defined here.

2. tags.sensitivities: This is metadata for the sensitivity of the new tag. Use confidentiality for dimension. Options for sensitivity are 1 (shown as sensitive in Detect dashboards) and 2 (shown as highly sensitive in Detect dashboards). For nonsensitive, leave this parameter empty.

3. rules: These are the rules for applying the tags defined above. Each rule contains the classification tag to apply if the requirements are met and the requirements: the column tags, neighboring column tags, and table tags that must be present. All requirements within each defined rule must be met for the classification tag to be applied.

4. rules.classificationTag: The name and source of the tag you want applied if the rule requirements are met. This classification tag must be defined in tags. The source is curated.

5. rules.columnTags: These are the required tags for a column. If the tags defined here are found on a column, and the other tag rules are met, then the rule's classificationTag will be applied to the same column.

6. rules.neighborColumnTags: These are the required tags on other columns in the data source (or in the query if dynamic query classification is enabled). If the tags defined here are found on any column in the data source, and the other tag rules are met, then the rule's classificationTag will be applied to all the neighboring columns.

7. rules.tableTags: These are the required tags on the data source. If the tags defined here are found on the data source, and the other tag rules are met, then the rule's classificationTag will be applied to all the columns in that data source.

8. active: When true the framework is active and will apply tags when the rules are met.

How to edit rules

Follow the example below to map your external tags to the rules in the example framework.

This example framework has a rule where columns tagged DSF.Interpretation.Credentials.Secret by sensitive data discovery will be tagged RAF.Confidentiality.High:

"rules": [
{
    "name": "RAF 00004",
    "classificationTag": {
      "name": "RAF.Confidentiality.High",
      "source": "curated"
    },
    "columnTags": [
    {
        "name": "DSF.Interpretation.Credentials.Secret",
        "source": "curated"
    }
    ],
    "neighborColumnTags": [],
    "tableTags": []
}
]

To translate this to your tags, replace the name and source value of the columnTags, neighborColumnTags, or tableTags with your own. This new example is for a Collibra tag that an organization uses for confidential data. This rule now states: Apply the classification tag RAF.Confidentiality.High to a column if it has the collibra tag Confidential. Repeat this for your organization's remaining classification levels.

"rules": [
{
    "name": "RAF 00004",
    "classificationTag": {
      "name": "RAF.Confidentiality.High",
      "source": "curated"
    },
    "columnTags": [
    {
        "name": "Confidential",
        "source": "collibra"
    }
    ],
    "neighborColumnTags": [],
    "tableTags": []
}
]

Find the name and source for your tags

If you do not know the name or source for your tags, you can list your tags using the Immuta API:

curl \
    --request GET \
    --header "accept: application/json" \
    --header "Authorization: Bearer <your-token." \
    https://your-immuta-url.com/tag

This request will list all the tags in your Immuta environment, similar to this example response:

[
  {
    "id": 114,
    "name": "DataProperties.Cross-Sectional",
    "source": "curated",
    "deleted": false,
    "systemCreated": true
  },
  {
    "id": 2,
    "name": "Discovered.Country.Argentina",
    "source": "curated",
    "deleted": false,
    "systemCreated": true
  },
  {
    "id": 9,
    "name": "Discovered.Country.Australia",
    "source": "collibra",
    "deleted": false,
    "systemCreated": true
  }
]

Activate your new framework

Requirement: Immuta permission GOVERNANCE

Once you have made all the customizations to the example framework, make the following request using the Immuta API, with your full customized framework as the payload.

curl \
    --request POST \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <your-token>" \
    --data @example-payload.json \
    https://your.immuta.com/frameworks/

Your new framework will now be visible in the Immuta UI by navigating the the Classification section under Discover.