Classifying your data
At a glance
Classifications let you label your data by sensitivity level. Define your own levels (Public, Internal, Confidential, etc.), apply them to your instances, then configure access policies that automatically restrict visibility based on the user's role.
Before you begin
- You must have the governance.admin scope to create classification definitions.
- The governance.write scope is required to apply a classification to an instance.
- Instances must exist in your ontology.
Steps
Define a classification level
- Open the Governance module from the sidebar.
- Select the Classifications tab.
- Click New level.
- Fill in the form:
| Field | Description | Example |
|---|---|---|
| Name | Label of the sensitivity level. | Confidential |
| Severity | Associated criticality. | High |
| Color | Color code for visual identification. | Red |
| Propagation | Automatically propagate to child data? | Yes |
| Description | Guide for users. | "Restricted distribution data, need-to-know access" |
- Click Save.
Apply a classification
- Navigate to an instance in the Browser.
- Open the instance detail.
- In the Classification section, click Add.
- Select the desired level (e.g., Confidential).
- The classification is applied immediately.
Tip: If propagation is enabled, linked data (child instances, relationships) automatically inherit the same classification level.
Configure an access policy
Access policies (ABAC) let you control who can see classified data:
- In the Classifications tab, click Access policies.
- Click New policy.
- Configure:
| Field | Description | Example |
|---|---|---|
| Classification | The level concerned. | Confidential |
| Authorized roles | Who can access. | Manager, Director |
| Action | What to do for unauthorized users. | Hide, Redact, Deny |
- Save. The policy applies in real time.
Remove a classification
- Open the instance detail.
- In the Classification section, click the delete icon.
- Confirm the removal.
Expected result
Your sensitive data is identified by visual classification levels. Access policies ensure that only authorized roles can view classified information.
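To reason about what a given user will see once propagation and an access policy are both in play, the following added example models the evaluation in standalone Python. It is not the product's code or API: the data shapes, the rule that the strictest action wins when several levels apply, and the treatment of a level with no policy as unrestricted are all assumptions.

```python
# Model of the behaviour described above. Names and data shapes are
# assumptions for illustration, not the product's API.
LEVELS = {  # constructed sample definitions: level -> propagation enabled?
    "Internal": {"propagation": False},
    "Confidential": {"propagation": True},
}
POLICIES = {  # constructed sample policy: level -> authorized roles and action
    "Confidential": {"roles": {"Manager", "Director"}, "action": "Redact"},
}
INSTANCES = {  # constructed sample ontology: id -> parent and direct labels
    "contract-1": {"parent": None, "labels": {"Confidential"}},
    "clause-7": {"parent": "contract-1", "labels": {"Internal"}},
    "memo-3": {"parent": None, "labels": set()},
}
# Assumed ordering when several levels apply: the strictest action wins.
STRICTNESS = {"Allow": 0, "Redact": 1, "Hide": 2, "Deny": 3}

def effective_levels(instance_id):
    """Direct labels plus labels inherited from ancestors with propagation on."""
    levels = set(INSTANCES[instance_id]["labels"])
    parent = INSTANCES[instance_id]["parent"]
    seen = {instance_id}
    while parent is not None and parent not in seen:  # guard against cycles
        seen.add(parent)
        levels |= {l for l in INSTANCES[parent]["labels"] if LEVELS[l]["propagation"]}
        parent = INSTANCES[parent]["parent"]
    return levels

def decide(instance_id, user_roles):
    """Return the action a user with these roles gets on the instance."""
    outcome = "Allow"
    for level in effective_levels(instance_id):
        policy = POLICIES.get(level)
        if policy is None or policy["roles"] & set(user_roles):
            continue  # assumed: no policy means no restriction; authorized role passes
        if STRICTNESS[policy["action"]] > STRICTNESS[outcome]:
            outcome = policy["action"]
    return outcome

def unprotected_levels():
    """Levels in use that no access policy covers (a label without enforcement)."""
    used = set().union(*(effective_levels(i) for i in INSTANCES))
    return sorted(used - set(POLICIES))
```

In this model, `unprotected_levels()` is the check to run first when a user sees classified data: a level that is applied to instances but has no access policy is only a visual label.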
Limitations and common errors
| Situation | Solution |
|---|---|
| The classification does not propagate | Verify that the Propagation option is enabled on the definition. |
| A user sees classified data | Check the ABAC access policies and the user's roles. |
| "Classification already applied" | An instance can only carry each level once. |
Need help?
Contact us: Support and contact.