🤓 Who can do this? You will need to be an admin user to create purposes.
Create purpose
🚨 Careful! A purpose acts on at least one classification. This classification must be created before creating the purpose.
To create a purpose:
- From the left menu of any screen, click Governance.
- Under Access Control, click Purposes.
- If this is the first purpose, click the Get started button. Otherwise click the New Purpose button.
- Enter a meaningful name for the purpose and, optionally, a description.
- In the lower-left corner, click the + icon.
- Select one or more classifications from the list, and then click on the purpose box again to close the list.
- Click Create to create the purpose.
You now have an empty purpose.
💪 Did you know? The purpose will not yet control any access. Your users can still use the purpose to quickly browse assets with any of the classifications selected, though.
(Optional) Add rich documentation
To add rich documentation describing the purpose:
- Under Summary, then Channels, add any Slack channels relevant to the purpose.
- Under Resources, add links to external resources like PDFs, repositories, Notion, Confluence, Google Drive, or anything else that has a URL.
- Under Readme, write a richly-formatted description of the purpose.
Add policies
💪 Did you know? For the purpose to control access, you need to define one or more policies. Repeat the following steps for each set of users and permissions you want to control through the purpose.
To add policies to the purpose, from within the purpose:
- Change to the Policies tab.
- Click the New Policy button and choose the type of policy.
Add a metadata policy
To grant or restrict permissions to change metadata:
- Choose Metadata Policy.
- Under Name, briefly describe the policy's intention.
- (Optional) Under Users and Groups, choose the users to whom to apply the policy. By default, all users will be included. To select others:
  - In the Users and Groups box, click the x.
  - Under Users and Groups, click the Add link.
  - Search for and select the users and groups to control with the policy, and then click anywhere in the Metadata Policy sidebar.
- (Optional) For Configure permissions, choose the permissions the policy will grant. By default, all permissions will be granted. To select others:
  - To the right of Configure permissions, click the Edit link.
  - Select the permissions required. If you are unsure what they do, hover over the checkbox to see a more detailed description of each one.
  - At the bottom of the list, click Save.
- (Optional) For Deny selected permissions, choose whether you want to explicitly deny these permissions.
  🚨 Careful! If enabled, this will override all grants of those permissions from any other policies for the same users.
- At the bottom of the Metadata Policy sidebar, click Save.
Add a data policy
To grant or restrict permissions to query or preview data:
- Choose Data Policy.
- Under Name, briefly describe the policy's intention.
- (Optional) Under Users and Groups, choose the users to whom to apply the policy. By default, all users will be included. To select others:
  - In the Users and Groups box, click the x.
  - Under Users and Groups, click the Add link.
  - Search for and select the users and groups to control with the policy, and then click anywhere in the Data Policy sidebar.
- (Optional) For Configure permissions, choose the masking for the policy to apply. By default, no masking will be applied. To apply masking, under Masking (Optional) select the type of masking to apply. If you are unsure what they do, hover over each one to see a more detailed description and an example.
- (Optional) For Deny Permissions, choose whether you want to explicitly deny the ability to query and preview data on these assets.
  🚨 Careful! If enabled, this will override all grants of those permissions from any other policies for the same users. This will also deny at the table level: even if only 1 out of 100 columns in a table has the classification, previewing and querying will be denied for the entire table.
- At the bottom of the Data Policy sidebar, click Save.
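The two Careful! notes for data policies (an explicit deny overrides every grant, and a deny applies to the whole table) can be modelled to preview what a deny policy will block before you enable it. The following is an added sketch, not the product's code or API: the class and function names, the sample catalog, the flattening of groups to user names and the 'no_effect' result for tables without the classification are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataPolicy:                # hypothetical model of one data policy
    name: str
    classifications: frozenset   # classifications selected on the owning purpose
    users: frozenset             # users and groups, flattened to user names here
    deny: bool = False           # the "Deny Permissions" toggle

def table_tags(columns):
    """A classification on any one column counts for the whole table."""
    return set().union(*columns.values())

def decide(user, columns, policies):
    """Return 'deny', 'grant' or 'no_effect' for querying/previewing a table."""
    tags = table_tags(columns)
    hits = [p for p in policies if user in p.users and p.classifications & tags]
    if any(p.deny for p in hits):
        return "deny"            # an explicit deny overrides every grant
    return "grant" if hits else "no_effect"

def deny_blast_radius(policy, tables):
    """For each table a deny policy would block: (tagged columns, total columns)."""
    out = {}
    for name, columns in tables.items():
        tagged = [c for c, t in columns.items() if t & policy.classifications]
        if tagged:
            out[name] = (len(tagged), len(columns))
    return out

# Constructed sample catalog: 'orders' has 100 columns, only one tagged PII.
ORDERS = {f"col_{i}": set() for i in range(99)}
ORDERS["email"] = {"PII"}
TABLES = {"orders": ORDERS, "products": {"sku": set(), "price": set()}}

# Constructed policies: bob is covered by both a grant and a deny.
POLICIES = [
    DataPolicy("analysts-read", frozenset({"PII"}), frozenset({"alice", "bob"})),
    DataPolicy("contractors-deny", frozenset({"PII"}), frozenset({"bob"}), deny=True),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for name, cols in TABLES.items():
            print(user, name, decide(user, cols, POLICIES))
    print(deny_blast_radius(POLICIES[1], TABLES))
```

A table that shows a low tagged-to-total ratio in the blast-radius output is a candidate for masking rather than a deny, since the deny removes query and preview access to every column in it.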