Any data that is brought into Adobe Experience Platform is encapsulated by Experience Data Model (XDM) schemas and may be subject to usage restrictions defined by your organization or by legal regulations.
When you execute a CTAS query through Query Service without specifying a schema, an ad hoc schema is automatically generated. It is often necessary to restrict the usage of certain fields, or datasets, of ad hoc schemas to control access to both sensitive personal data and personally identifiable information. Adobe Experience Platform facilitates this access control by allowing you to label schema fields through the Platform UI using the attribute-based access control capability.
Labels can be applied at any time, providing flexibility in how you choose to govern data. However, it is best practice to label data as soon as it is ingested into Platform, or as soon as the data becomes available for use in Platform.
Schema-based labeling is an important component of attribute-based access control to better manage the access given to users or groups of users. Adobe Experience Platform enables you to restrict access to any field of an ad hoc schema by creating and applying labels.
This document provides a tutorial to manage access to sensitive data by applying labels to data fields of ad hoc schemas generated through Query Service.
This guide requires a working understanding of the following components of Adobe Experience Platform:
Once your query has been executed and results have been generated, an ad hoc schema is automatically generated and added to the schema inventory.
To add a data label, navigate to the Browse tab of the Schemas dashboard by selecting Schemas in the left rail of the Platform UI. The schema inventory is displayed.
Ad hoc schemas are not displayed by default in the schema inventory.
To enable the display of ad hoc schemas in the Platform UI, select the filter icon to the left of the search field, and then select **Show adhoc schemas** in the left rail that appears.
Select the name of the recently created ad hoc schema from the available list. A visualization of the ad hoc schema structure appears.
To edit data labels for your ad hoc schema, select the Labels tab. The labels workspace allows you to create, edit, and apply labels for your ad hoc schema fields and control access permissions through the UI. All fields within the ad hoc schema are represented here.
To edit the labels for the entire schema, select the pencil icon to the side of the schema’s name under the Labels tab.
To apply a label to an existing field, select one or more fields from the list followed by Edit governance labels in the right sidebar.
The Edit labels popover appears. From this view you can create or edit existing governance labels through the UI.
See the documentation for guidance on how to create or edit labels for the selected schema or field.
Creating a new label or editing an existing label requires admin permissions for your organization. If you do not have admin privileges, please contact your system administrator to arrange access.
Labels can also be created using the permissions workspace. See the guide on creating labels in the permissions workspace for instructions.
Once the appropriate level of attribute-based access control has been applied, the following system behavior applies to any query executed via Query Service when a user tries to access non-accessible data:
If a user is denied access to one of the fields within a schema, the user will not be able to read or write the restricted field. This applies to the following common scenarios:
If a user requests access to a calculated field, the user is required to have access to all the fields used in the composition or the system will deny access to the calculated field.
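The field and calculated-field rules above can be modeled in a few lines. The following is an added example, not Adobe's implementation: the field names, labels, and calculated fields are constructed, and it assumes a labeled field is accessible only when the user's role carries every label applied to that field.

```python
# Simplified model of field-level access checks on an ad hoc schema.
# All names below are constructed sample data, not taken from Platform.

# Labels applied to each field of a hypothetical ad hoc schema.
FIELD_LABELS = {
    "email": {"PII"},
    "order_total": set(),              # unlabeled: no restriction
    "loyalty_tier": {"MARKETING"},
    "birth_date": {"PII", "SENSITIVE"},
}

# Calculated fields and the fields used in their composition.
CALCULATED = {
    "age_band": ["birth_date"],
    "spend_per_tier": ["order_total", "loyalty_tier"],
    "tier_by_age": ["age_band", "loyalty_tier"],  # built on another calculated field
}


def can_access(field, user_labels, _seen=frozenset()):
    """Return True if a user holding `user_labels` may read or write `field`."""
    if field in CALCULATED:
        if field in _seen:
            raise ValueError(f"cyclic calculated field: {field}")
        # A calculated field needs access to every field in its composition.
        return all(
            can_access(part, user_labels, _seen | {field})
            for part in CALCULATED[field]
        )
    if field not in FIELD_LABELS:
        return False  # unknown field: deny by default
    # Assumption: the user's role must carry every label on the field.
    return FIELD_LABELS[field] <= set(user_labels)


def denied_fields(query_fields, user_labels):
    """Return the sorted list of requested fields the user cannot access."""
    return sorted(f for f in query_fields if not can_access(f, user_labels))


if __name__ == "__main__":
    marketer = {"MARKETING"}
    print(denied_fields(["order_total", "spend_per_tier"], marketer))
    print(denied_fields(["email", "order_total", "age_band"], marketer))
```

Running the model for several label sets against the same query is a quick way to review which roles a new label on a source field would cut off from downstream calculated fields.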
If an identity or primary identity is set on an ad hoc schema, the system automatically honors any associated data hygiene requests and cleans the data in those datasets tied to the identity column.
After reading this document, you have a better understanding of how to add data usage labels to ad hoc schemas created through Query Service CTAS queries. If you have not done so already, the following documents are useful to improve your understanding of data governance in Query Service: