Data Labels and Tags
A data label is the primary classification in Cyral for the data
locations (like tables, collections, or S3 buckets) that you want to
protect. Think of it as the real-world category of the data stored in
a location. As examples, you can think of data labels such as CCN
(credit card number), SSN (social security number), DOB (date of
birth), Name, Address, and so on.
In the example below, we use the label CCN to label two data locations in separate
repositories:
| Data Label | Data location |
|---|---|
CCN | Location finance.customers.bank_card in the claims database |
CCN | Location applications.borrowers.credit_card_number in the loans database |
When you write a policy rule, you'll use data labels rather than specific table and column names to specify which data the rule protects.
A single data label can refer to many locations in many repositories. You'll use Data Maps to associate each data label with one or more specific locations (for example, tables, columns, or buckets) in your repositories.
When adding a data location to the Data Map, you must give it a
single data label. Note that while a location can only have one data label, the
same data label can be used for multiple, distinct locations. For example, a
customers table and a borrowers table could both have columns
storing credit card numbers, and both should probably be labeled as
CCN.
What are data labels used for?
Once a data location has a data label, you can add it to a policy so that you can:
- control access to it according to your policy
- let users request access via the Cyral chatbot
- log its data activity
How do I apply data labels to data locations?
You can apply data labels to data locations by writing a Data Map or by having Cyral's Repo Crawler inspect your repositories and suggest data labels to be added to your Data Map.
tip
Cyral can automatically watch for database columns and other locations that contain data that you might want to protect. See Automatic Data Map.
Limits on how you apply and use data labels
When creating and using a data label, please observe these limits:
- A data label can refer to one or many attributes (for example, tables, fields, or columns) in one or many repositories.
- A given repository location (a table, collection, field, column, or bucket) must be included in only one data label.
- Each data label must be used in only one policy per repository. You may use the data label in one or many rules in the policy.
If your data labels, Data Maps, or policies violate any of these limits, the policy update will fail.
Tags to group data labels
You have the option to group or categorize sets of data labels by applying tags to them. Once you've established a tag in your Data Map, you can use the tag in your policy in a way that's analogous to labels.
Using tags allows you to write a policy that covers a set or sets of data labels. When you use a tag name in a policy rule, it means that the policy rule will apply to all the data labels grouped under that tag.
To achieve this grouping, a tag is not directly assigned to a data location, but to one or more data labels. Think of a tag as a categorization for a particular kind of information. A given data label may have more than one tag, and a given tag may be applied to multiple data labels.
As an example, the data label CCN might have the tags PII (personally
identifiable information), FSI (financially sensitive information),
and PCI (payment card-relevant information). As a result, your
policies protecting PII, FSI, and PCI will all capture your
CCN data locations.
Likewise, a single tag can group many data labels. For example, the tag
PII might be applied to your data labels, Name, Address, SSN, and
DOB. As a result, your policies for PII will protect all the
locations that you've labeled as containing these types of personal
information.
caution
All label names and tag names are case sensitive; when you write your policy, take care to write them exactly as you have declared them in your Data Map.