[
https://issues.apache.org/jira/browse/ATLAS-1821?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16024460#comment-16024460
]
David Radley commented on ATLAS-1821:
-------------------------------------
I think having the classifications propagate is powerful. I am concerned that
we need to restrict which classifications propagate across which relationships.
If we want to pursue a declarative approach to this, I would like to understand
the process by which conflicts are resolved and by whom and how we know that
these conflict resolutions meet with the company's governance policies.

We have a use case where the glossary is set up with a Glossary Term National
Insurance number, which is tagged as confidential. It is mapped to a masked
column and an unmasked column. The masked column can be public, but the
unmasked column needs to get the Term's security classification. This would not
be a conflict.

I suggest a rules-based approach be used instead. In this case a governance
team could define a set of rules around how classifications flow, including
special cases. Maybe something like:

for all Glossary terms that have assigned assets, flow the term's
confidentiality level classification to the assigned asset, except in the case
where the assigned asset is masked - then classify it as public

We are then in a position to author rules that encapsulate best governance
practices and play a part to enforce governance standards.

> Classification propagation from entity to a derivative or child entity
> ----------------------------------------------------------------------
>
> Key: ATLAS-1821
> URL: https://issues.apache.org/jira/browse/ATLAS-1821
> Project: Atlas
> Issue Type: Improvement
> Components: atlas-core, atlas-webui
> Reporter: Srikanth Venkat
> Fix For: 0.9-incubating
>
>
> User Story:
> As a data steward, I need a scalable way to quickly and efficiently propagate
> classification across the information supply chain to support efficient
> searches and classification based security for compliance and audit purposes.
> This requires:
> 1. Classifications for derivative entities should be inherited from the
> originator and to child entities from parent.
> For example, if a Hive column is classified "Confidential" then resulting
> column created from a CTAS operation should also be tagged "Confidential" to
> maintain the classification of the original entity. In the case where 2 or
> more entities are composed, the derivative entity should have the union of
> all classifications of each source entity.
> 2. Business Terms:
> a. Child business terms should inherit the classifications associated with
> the parent term.
> b. The option to propagate classification to child business terms in a
> hierarchy should be provided
> c. Ability to update the propagated tags manually via UI or through the API
> d. Tagging a term should propagate to data assets that are already attached
> to that business term as well
> 3. Data assets
> a. For all supported data asset types in Atlas, if a derivative asset is
> created it should inherit the tags and attributes from the original asset.
> b. the option to propagate tags to child entities should be provided (e.g. if
> you tag a folder in HDFS optionally tag all the files within it)
> c. Ability to update the propagated tags manually via UI or through the API
> d. Tagging a parent object should be inherited after child creation
> dynamically (unless a flag is set not to do this)
> e. Derived data assets should have the tags of the original data asset.
> Conflict resolution - if there are different values for attributes on tags
> (classifications) on upstream or parent entities used to derive a data asset
> then user needs to be prompted for action to resolve the conflict. Once
> resolved, the resolved value should be carried forth to derived assets.
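
The rule suggested in the comment, combined with the union and conflict behaviour from the issue description, sketched as an added Python example (not part of the original message and not Atlas code). The `Asset` model, the rule ids, the `PII` tag and the choice to hold a conflicting classification back until a steward resolves it are assumptions.

```python
# Constructed model of rule-based classification flow; not Atlas code or its API.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    masked: bool = False
    tags: dict = field(default_factory=dict)  # classification -> attribute value

# Governance rules, evaluated in order; the first matching condition decides.
# Each rule: (rule id, condition(asset, tag), value(term_value)).
TERM_TO_ASSET_RULES = [
    ("masked-is-public",
     lambda asset, tag: tag == "Confidentiality" and asset.masked,
     lambda term_value: "public"),
    ("flow-term-value", lambda asset, tag: True, lambda term_value: term_value),
]

def apply_term(term_tags, asset):
    """Flow a glossary term's classifications to an assigned asset.
    Returns the rule id used per classification, as an audit trail."""
    audit = {}
    for tag, term_value in term_tags.items():
        for rule_id, condition, value in TERM_TO_ASSET_RULES:
            if condition(asset, tag):
                asset.tags[tag] = value(term_value)
                audit[tag] = rule_id
                break
    return audit

def derive(name, sources):
    """Union the sources' classifications onto a derived asset. A classification
    whose value differs between sources is not guessed: it is held back and
    returned as a conflict for a steward to resolve."""
    seen = {}
    for src in sources:
        for tag, value in src.tags.items():
            seen.setdefault(tag, set()).add(value)
    conflicts = {tag: sorted(vals) for tag, vals in seen.items() if len(vals) > 1}
    tags = {tag: next(iter(vals)) for tag, vals in seen.items() if len(vals) == 1}
    return Asset(name, tags=tags), conflicts

# Constructed sample: the National Insurance number term from the comment.
ni_term = {"Confidentiality": "confidential", "PII": "true"}
masked_col = Asset("ni_number_masked", masked=True)
plain_col = Asset("ni_number")
masked_audit = apply_term(ni_term, masked_col)
plain_audit = apply_term(ni_term, plain_col)
joined, conflicts = derive("ctas_result", [masked_col, plain_col])
```

The audit dictionaries record which rule produced each classification, which is the evidence a governance team would need to show that a propagated value followed policy.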