How to Use a Built-In Classification Framework with Your Own Tags
The built-in classification frameworks in Immuta provide a quick way to leverage your own catalog or data platform tags to establish classifications tags. These classification tags can then be used in the Immuta Data Platform for query activity visualizations, monitors, reports, and policies. After you have configured a data catalog integration and registered data sources in Immuta, you can start automating data classification of a column based on its context by considering the combination of its associated tags, its neighboring columns' tags, or its table tag. Classification frameworks also provide query event context. To use classification frameworks with your current tags from an external catalog, use one of the following options:
- Follow the tutorial below: This starter framework is built to map a classification scale of restricted, confidential, internal, and public to Immuta's three level scale. It requires an external catalog to be set up, but all other steps are described below.
- Use Risk Assessment Framework (RAF): This minimal framework allows you to map your own classification tags to Immuta classification tags. Then, your users' queries will have a sensitivity score on the Detect dashboard and in audit logs based on the classification tags on the data columns they queried. Use this option if you have already classified your organization’s data in an external catalog and want that metadata reflected in Immuta as Sensitive and Highly Sensitive.
- Use a compliance framework: This option allows you to map your own tags describing your data to Immuta's predefined classification tags in the context of a specific compliance framework. Immuta provides built-in frameworks for GDPR, CCPA, and HIPAA. Map your tags to the most comparable Data Security Framework (DSF) tag, and Immuta will apply the classification tag based on the framework. Use this option if you have descriptive tags on your data and want that metadata mapped to a specific compliance framework.
Follow this guide to map your external catalog tags to the example framework, or consult the framework API guide for more information about the framework schema.
Customize the framework
Using the example framework below, customize the framework for your organization's classification tags.
Example framework
{
"shortName": "ECMC Framework",
"name": "External Catalog Mapping Classification Framework",
"description": "This framework maps the classification tags the organization has in Collibra to Immuta data sources.",
"tags": [
{
"name": "ECMC.Confidentiality.Highly Sensitive",
"source": "curated",
"sensitivities": [
{
"dimension": "confidentiality",
"sensitivity": 2
}
]
},
{
"name": "ECMC.Confidentiality.Sensitive",
"source": "curated",
"sensitivities": [
{
"dimension": "confidentiality",
"sensitivity": 1
}
]
},
{
"name": "ECMC.Confidentiality.Nonsensitive",
"source": "curated",
"sensitivities": []
}
],
"rules": [
{
"name": "ECMC 00001",
"classificationTag": {
"name": "ECMC.Confidentiality.Highly Sensitive",
"source": "curated"
},
"columnTags": [
{
"name": "Restricted",
"source": "collibra"
}
],
"neighborColumnTags": [],
"tableTags": []
},
{
"name": "ECMC 00002",
"classificationTag": {
"name": "ECMC.Confidentiality.Sensitive",
"source": "curated"
},
"columnTags": [
{
"name": "Confidential",
"source": "collibra"
}
],
"neighborColumnTags": [],
"tableTags": []
},
{
"name": "ECMC 00003",
"classificationTag": {
"name": "ECMC.Confidentiality.Sensitive",
"source": "curated"
},
"columnTags": [
{
"name": "Internal",
"source": "collibra"
}
],
"neighborColumnTags": [],
"tableTags": []
},
{
"name": "ECMC 00004",
"classificationTag": {
"name": "ECMC.Confidentiality.Nonsensitive",
"source": "curated"
},
"columnTags": [
{
"name": "Public",
"source": "curated"
}
],
"neighborColumnTags": [],
"tableTags": []
}
],
"active": true
}
Parameters
For more information about these parameters see the Frameworks API reference guide.
tags: These tags are automatically created in Immuta with the sensitivity you assign. All tags used in theclassificationTagparameter should be defined here.tags.sensitivities: This is metadata for the sensitivity of the new tag. Useconfidentialityfordimension. Options forsensitivityare1(shown as sensitive in Detect dashboards) and2(shown as highly sensitive in Detect dashboards). For nonsensitive, leave this parameter empty.rules: These are the rules for applying thetagsdefined above.rules.classificationTag: This classification tag must be defined intags. Add the name you want and thesourceiscurated. This is the tag that will be applied if the rule requirement is met.rules.columnTags: This object represents tags on a column. If the tag defined here is found on a column, then the rule'sclassificationTagwill be applied to the same column.rules.neighborColumnTags: This object represents tags on other columns in the data source. If the tag defined here is found on any column in the data source, then the rule'sclassificationTagwill be applied to all the neighboring columns.rules.tableTags: This object represents tags on the data source. If the tag defined here is found on the data source, then the rule'sclassificationTagwill be applied to all the columns in that data source.active: Whentruethe framework is active and will apply tags when the rules are met.
How to edit rules
Follow the example below to map your external tags to the rules in the example framework.
The Immuta built-in framework, Risk Assessment Framework has a rule where columns tagged DSF.Interpretation.Credentials.Secret by sensitive data discovery will be tagged RAF.Confidentiality.High:
"rules": [
{
"name": "RAF 00004",
"classificationTag": {
"name": "RAF.Confidentiality.High",
"source": "curated"
},
"columnTags": [
{
"name": "DSF.Interpretation.Credentials.Secret",
"source": "curated"
}
],
"neighborColumnTags": [],
"tableTags": []
}
]
To translate this to your tags, replace the name and source value of the columnTags, neighborColumnTags, or tableTags with your own. This new example is for a Collibra tag that an organization uses for confidential data. This rule now states: Apply the classification tag RAF.Confidentiality.High to a column if it has the collibra tag Confidential. Repeat this for your organization's remaining classification levels.
"rules": [
{
"name": "RAF 00004",
"classificationTag": {
"name": "RAF.Confidentiality.High",
"source": "curated"
},
"columnTags": [
{
"name": "Confidential",
"source": "collibra"
}
],
"neighborColumnTags": [],
"tableTags": []
}
]
Find the name and source for your tags
If you do not know the name or source for your tags, you can list your tags using the Immuta API:
curl \
--request GET \
--header "accept: application/json" \
--header "Authorization: Bearer <your-token." \
https://your-immuta-url.com/tag
This request will list all the tags in your Immuta environment, similar to this example response:
[
{
"id": 114,
"name": "DataProperties.Cross-Sectional",
"source": "curated",
"deleted": false,
"systemCreated": true
},
{
"id": 2,
"name": "Discovered.Country.Argentina",
"source": "curated",
"deleted": false,
"systemCreated": true
},
{
"id": 9,
"name": "Discovered.Country.Australia",
"source": "collibra",
"deleted": false,
"systemCreated": true
}
]
Activate your new framework
Requirement: Immuta permission GOVERNANCE
Once you have made all the customizations to the example framework, make the following request using the Immuta API, with your full customized framework as the payload.
curl \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: Bearer <your-token>" \
--data @example-payload.json \
https://your.immuta.com/frameworks/
Your new framework will now be visible in the Immuta UI by navigating the the Classification section under Discover.