Skip to content

Manage Sensitivity Labels

Overview

This feature allows you define sensitivity labels as an ordered flat list such as: Unclassified > Confidential > Secret > Top Secret. Each sensitivity label has a defintion, a hide data property (only used when applied to a column/field), and a color (for example confidential can be orange and top secret red).

Sensitivity labels can be manually applied by authorized users (with the Data Classification Editing capability object role assignment) to any individual object.

there is no inheritance such that setting a schema secret does not make each of its tables and respective columns secret.

However, there are inferred sensitivity labels so that when you apply a sensitivity label to an imported object, e.g. a column, then all the imported objects "downstream" in the data flow lineage will be given at least that level of sensitivity.

Sensitivity labels can also be updated in bulk (e.g. multiple columns at the same time).

Sensitivity labels can be automatically set through automatic data classification detection. For example, a data class SSN can be associated to a sensitivity label called Confidential or GDPR. In such case, any table columns or file fields detected as SSN will also automatically be set with that Confidential or GDPR sensitivity label.

The approval process of data classes also applies to sensitivity labels. In addition, approving a data class detection on a given object also approves its associated sensitivity label.

A sensitivity label may also be assigned to all new imported objects (data elements) on import (harvesting) a model. In addition, on subsequent imports, new data elements will be given the defined sensitivity label, but existing ones will not be changed. This way, one may assign a sensitivity label and even hide the data automatically for every data element in a model on the first harvest and approve or change that assignment, while on subsequent harvests only newly imported data elements will be assigned the automatic sensitivity label.

Sensitivity labels are highly visible in the UI, and can be used in worksheets (queried through Metadata Query Language (MQL) in the UI or the REST API). Applications can be built to query these sensitivity labels in order to automatically generate / enforce data security on the data stores (e.g. databases or file systems with Rangers). Note that sensitivity labels do not directly set or bypass the role based security of the repository, or automatically hide data from the repository (these actions can be set separately).

Manage the Pool of Sensitivity Labels

This feature allows you define sensitivity labels as an ordered flat list such as: Unclassified > Confidential > Secret > Top Secret. Each sensitivity label has a definition, a hide data property (only used when applied to a column/field), and a color (for example confidential can be orange and top secret red).

Steps

  1. Sign in as a user with at least the Application Administrator global capability

  2. Go to MANAGE > Sensitivity Labels in the banner.

  3. The list of sensitivity labels is presented.

  4. You may also

  5. Search for by Name or Definition.

  6. Add a new label

  7. Select a line and edit the properties or Delete an existing label

  8. Move Up or Move Down to specify degree of sensitivity (lowest at the top)

Example

Sign in as Administrator and Go to MANAGE > Sensitivity Labels.

By default, no predefined sensitivity labels are defined, so the list may be empty and means that this feature is inactive until you specify sensitivity labels.

Edit Sensitivity Labels

This feature allows you define sensitivity labels as an ordered flat list such as: Unclassified > Confidential > Secret > Top Secret. Each sensitivity label has a definition, a hide data property (only used when applied to a column/field), and a color (for example confidential can be orange and top secret red).

Steps

  1. Sign in as a user with at least the .

  2. Go to MANAGE > Sensitivity Labels in the banner.

  3. The list of sensitivity labels is presented.

  4. Click Add to add a new label.

  5. Click Delete to remove an existing label.

  6. Click Move Up. or Move Down to arrange the order of the labels.

Example

Sign in as Administrator and Go to MANAGE > Sensitivity Labels. and select Highly Confidential.

Propagation Through Lineage (Inference) of Sensitivity Label

MM propagates sensitivity labels through lineage. The feature was built on the assumption that customers would label only a small set of objects, allowing the application to hold the list of labeled objects in memory while tracing lineage whenever a label is added, removed, or updated. Both memory usage and lineage tracing are resource intensive.

In practice, many customers value the capability and label assets broadly, sometimes every column in a database, which drives up resource consumption and affects performance. Most customers set the lowest sensitivity level by default.

Some customers rely on our four pre-packaged labels (Internal, New Data, Confidential, and Highly Confidential) and often select the middle level, New Data, as their default.

To mitigate the load, MM allows customers choose which sensitivity labels participate in propagation, for example, limiting propagation to the Confidential and Highly Confidential labels only.