Cloudera Docs

Adding a tag-based PII policy

Example of how to add a PII tag-based policy. In this example we create a tag-based policy for objects tagged "PII" in Atlas. Access to objects tagged "PII" is allowed for members of the "audit" group. All other users (the "public" group) are denied access.

  1. Select Access Manager > Tag Based Policies, then select a tag-based service.
  2. On the List of Policies page, click Add New Policy.
    The Create Policy page appears:
  3. Enter the following information on the Create Policy page:
    Table 1. Policy Details
    Field Description
    Policy Type Set to Access by default.
    Policy Name PII
    TAG PII
    Audit Logging YES
    Description Restrict access to resources with the PII tag.
    Table 2. Allow Conditions

    Label

    Description

    Select Group

    audit

    Select User <none>
    Policy Conditions <none>
    Component Permissions

    hive

    (select all permissions)
    Table 3. Deny Conditions

    Label

    Description

    Select Group

    public

    Select User <none>
    Policy Conditions <none>
    Component Permissions

    hive

    (select all permissions)
    Table 4. Exclude from Deny Conditions

    Label

    Description

    Select Group

    audit

    Select User <none>
    Policy Conditions <none>
    Component Permissions

    hive

    (select all permissions)

    In this example we used Allow Conditions to grant access to the "audit" group, and then used Deny Conditions to deny access to the "public" group. Because the "public" group includes all users, we then used Exclude from Deny Conditions to exclude the "audit" group, in effect reinstating the "audit" group's original Allow access condition.

  4. Click Add to add the new policy.