atlas-dev mailing list archives

From "David Radley (JIRA)" <>
Subject [jira] [Commented] (ATLAS-1821) Classification propagation from entity to a derivative or child entity
Date Thu, 25 May 2017 09:39:04 GMT


David Radley commented on ATLAS-1821:

I think having the classifications propagate is powerful. I am concerned that we need to restrict
which classifications propagate across which relationships. If we want to pursue a declarative
approach to this, I would like to understand the process by which conflicts are resolved and
by whom and how we know that these conflict resolutions meet with the company's governance

We have a use case where the glossary is set up with a Glossary Term National Insurance number,
which is tagged as confidential. It is mapped to a masked column and an unmasked column. The
masked column can be public, but the unmasked column needs to get the Term's security classification.
This would not be a conflict.

I suggest a rules-based approach be used instead. In this case a governance team could define
a set of rules around how classifications flow, including special cases. Maybe something
like:

for all Glossary terms that have assigned assets, flow the term's confidentiality level classification
to the assigned asset, except in the case where the assigned asset is masked - then classify
it as public

We are then in a position to author rules that encapsulate best governance practices and play
a part to enforce governance standards.   

> Classification propagation from entity to a derivative or child entity
> ----------------------------------------------------------------------
>                 Key: ATLAS-1821
>                 URL:
>             Project: Atlas
>          Issue Type: Improvement
>          Components:  atlas-core, atlas-webui
>            Reporter: Srikanth Venkat
>             Fix For: 0.9-incubating
> User Story:
> As a data steward, I need a scalable way to quickly and efficiently propagate classification across the information supply chain to support efficient searches and classification based security for compliance and audit purposes.
> This requires:
> 1. Classifications for derivative entities should be inherited from the originator and to child entities from parent.
> For example, if a Hive column is classified "Confidential" then resulting column created from a CTAS operation should also be tagged "Confidential" to maintain the classification of the original entity. In the case where 2 or more entities are composed, the derivative entity should have the union of all classifications of each source entity.
> 2. Business Terms:
> a. Child business terms should inherit the classifications associated with the parent
> b. The option to propagate classification to child business terms in a hierarchy should be provided
> c. Ability to update the propagated tags manually via UI or through the API
> d. Tagging a term should propagate to data assets that are already attached to that business term as well
> 3. Data assets
> a. For all supported data asset types in Atlas, if a derivative asset is created it should inherit the tags and attributes from the original asset.
> b. the option to propagate tags to child entities should be provided (e.g. if you tag a folder in HDFS optionally tag all the files within it)
> c. Ability to update the propagated tags manually via UI or through the API
> d. Tagging a parent object should be inherited after child creation dynamically (unless a flag is set not to do this)
> e. Derived data assets should have the tags of the original data asset.
> Conflict resolution - if there are different values for attributes on tags (classifications) on upstream or parent entities used to derive a data asset then user needs to be prompted for action to resolve the conflict. Once resolved, the resolved value should be carried forth to derived assets.

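The rule sketched in the comment above (flow a term's confidentiality level to its assigned assets, except that a masked asset becomes public), as an added example that is not part of the original message and is not Apache Atlas code. The classes, rule names and column names are hypothetical; the example also assumes first-match-wins ordering and records which rule decided each outcome so a governance team can review it.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Asset:                      # hypothetical stand-in for a data asset (a column)
    name: str
    masked: bool = False
    classifications: set = field(default_factory=set)

@dataclass
class Term:                       # hypothetical stand-in for a glossary term
    name: str
    confidentiality: str
    assigned: list = field(default_factory=list)

@dataclass
class Rule:
    name: str
    applies: Callable[[Term, Asset], bool]
    outcome: Callable[[Term, Asset], str]

# Ordered list: the first matching rule decides, so special cases go first.
RULES = [
    Rule("masked-asset-is-public", lambda t, a: a.masked, lambda t, a: "Public"),
    Rule("flow-term-confidentiality", lambda t, a: True, lambda t, a: t.confidentiality),
]

def propagate(term, rules=RULES):
    """Classify every asset assigned to `term`; return an audit trail of
    (asset, classification, deciding rule) so each outcome can be reviewed."""
    audit = []
    for asset in term.assigned:
        rule = next((r for r in rules if r.applies(term, asset)), None)
        if rule is None:
            # Fail closed: an asset no rule covers is an error, not silently unlabelled.
            raise LookupError(f"no rule covers asset {asset.name!r}")
        label = rule.outcome(term, asset)
        asset.classifications.add(label)
        audit.append((asset.name, label, rule.name))
    return audit

def sample_term():
    """Constructed sample data mirroring the use case in the comment."""
    return Term("National Insurance number", "Confidential",
                [Asset("ni_number_masked", masked=True), Asset("ni_number_raw")])

if __name__ == "__main__":
    for row in propagate(sample_term()):
        print(row)
```

Dropping the first rule (`rules=RULES[1:]`) gives blanket propagation, which labels the masked column Confidential as well.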