Version: v4.8

Data Labels and Tags

A data label is the primary classification in Cyral for the data locations (like tables, collections, or S3 buckets) that you want to protect. Think of it as the real-world category of the data stored in a location. As examples, you can think of data labels such as CCN (credit card number), SSN (social security number), DOB (date of birth), Name, Address, and so on.

In the example below, we use the label CCN to label two data locations in separate repositories:

Data Label | Data location
CCN | Location finance.customers.bank_card in the claims database
CCN | Location applications.borrowers.credit_card_number in the loans database

When you write a policy rule, you'll use data labels rather than specific table and column names to specify which data the rule protects.

A single data label can refer to many locations in many repositories. You'll use Data Maps to associate each data label with one or more specific locations (for example, tables, columns, or buckets) in your repositories.

When adding a data location to the Data Map, you must give it a single data label. Note that while a location can only have one data label, the same data label can be used for multiple, distinct locations. For example, a customers table and a borrowers table could both have columns storing credit card numbers, and both should probably be labeled as CCN.

What are data labels used for?

Once a data location has a data label, you can add it to a policy so that you can:

How do I apply data labels to data locations?

You can apply data labels to data locations by writing a Data Map or by having Cyral's Repo Crawler inspect your repositories and suggest data labels to be added to your Data Map.

Tip: Cyral can automatically watch for database columns and other locations that contain data that you might want to protect. See Automatic Data Map.

Limits on how you apply and use data labels

When creating and using a data label, please observe these limits:

  • A data label can refer to one or many attributes (for example, tables, fields, or columns) in one or many repositories.
  • A given repository location (a table, collection, field, column, or bucket) must be included in only one data label.
  • Each data label must be used in only one policy per repository. You may use the data label in one or many rules in the policy.

If your data labels, Data Maps, or policies violate any of these limits, the policy update will fail.

Tags to group data labels

You have the option to group or categorize sets of data labels by applying tags to them. Once you've established a tag in your Data Map, you can use the tag in your policy in a way that's analogous to labels.

Using tags allows you to write a policy that covers a set or sets of data labels. When you use a tag name in a policy rule, it means that the policy rule will apply to all the data labels grouped under that tag.

To achieve this grouping, a tag is not directly assigned to a data location, but to one or more data labels. Think of a tag as a categorization for a particular kind of information. A given data label may have more than one tag, and a given tag may be applied to multiple data labels.

As an example, the data label CCN might have the tags PII (personally identifiable information), FSI (financially sensitive information), and PCI (payment card-relevant information). As a result, your policies protecting PII, FSI, and PCI will all capture your CCN data locations.

Likewise, a single tag can group many data labels. For example, the tag PII might be applied to your data labels Name, Address, SSN, and DOB. As a result, your policies for PII will protect all the locations that you've labeled as containing these types of personal information.

Caution: All label names and tag names are case sensitive; when you write your policy, take care to write them exactly as you have declared them in your Data Map.
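The limits and the case-sensitivity rule above can be checked before a policy update is submitted. The following pre-flight check is an added example, not Cyral code: the dict layouts, the sample names, and the `expand` and `check` functions are hypothetical, and it assumes that a label reached through a tag counts as used by that policy.

```python
from collections import defaultdict

# Constructed sample data. These dict layouts are assumptions made for this
# example; they are not Cyral's Data Map or policy file formats.
LABEL_TAGS = {"CCN": {"PII", "FSI", "PCI"}, "SSN": {"PII"}, "DOB": {"PII"}}
DATA_MAP = {  # repository -> label -> locations
    "claims": {"CCN": ["finance.customers.bank_card"],
               "SSN": ["finance.customers.ssn"],
               "DOB": ["finance.customers.ssn"]},   # same location, second label
    "loans": {"CCN": ["applications.borrowers.credit_card_number"]},
}
POLICIES = [  # (policy, repository, label or tag names used in its rules)
    ("card-policy", "claims", ["CCN"]),
    ("pii-policy", "claims", ["pii"]),              # wrong case for the PII tag
    ("pci-policy", "loans", ["PCI"]),
    ("loans-cards", "loans", ["CCN"]),              # CCN already reached via PCI
]

def expand(name, label_tags):
    """Return the labels a rule name covers: the label itself or a tag's labels."""
    if name in label_tags:                          # exact, case-sensitive match
        return {name}
    return {lbl for lbl, tags in label_tags.items() if name in tags}

def check(data_map, label_tags, policies):
    """Return a list of violations of the limits described in this page."""
    problems = []
    for repo, labels in data_map.items():           # limit: one label per location
        owners = defaultdict(set)
        for label, locations in labels.items():
            for loc in locations:
                owners[loc].add(label)
        for loc, lbls in owners.items():
            if len(lbls) > 1:
                problems.append(f"{repo}:{loc} has labels {sorted(lbls)}")
    used = defaultdict(set)                         # (repo, label) -> policies
    for policy, repo, names in policies:
        for name in names:
            covered = expand(name, label_tags)
            if not covered:                         # undeclared or wrong case
                problems.append(f"{policy}: unknown name {name!r}")
            # Assumption: a label reached through a tag counts as used.
            for label in covered & set(data_map.get(repo, {})):
                used[(repo, label)].add(policy)
    for (repo, label), pols in used.items():        # limit: one policy per repo
        if len(pols) > 1:
            problems.append(f"{repo}: label {label} in policies {sorted(pols)}")
    return problems
```
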