Working with governed data in IBM Match 360
You can associate your IBM Match 360 service instance with a governed data catalog that uses data protection rules. When you associate a governed catalog with the service, IBM Match 360 seamlessly enforces data protection rules.
Data protection rules are created and managed at the Cloud Pak for Data platform level by IBM Knowledge Catalog. After the rules are created, they are available across the platform and applied to all governed catalogs and projects. For more information, see Data protection rules.
You can associate a governed catalog either during the initial setup of your service instance or later from the master data home Manage tab. After you associate a governed catalog with IBM Match 360, you cannot later modify or remove it or its connected governance assets from the IBM Match 360 service instance.
Data masking
IBM Match 360 fulfills data protection rules by masking data. Masking is used to hide sensitive data while still allowing users to work with their master data assets. Depending on the specific data protection rules in place, data can be masked in different ways:
- Redaction - The masked data is replaced with ten X characters.
- Substitution - The masked data is replaced with randomly generated values to preserve referential integrity.
- Obfuscation - The masked data is replaced with values that preserve referential integrity and the original data format.
For more information about the different methods of masking data, see Masking data (IBM Knowledge Catalog).
When you are working with governed data in the master data explorer, a shield icon 
next
to an attribute name indicates that its values are masked by a data protection rule. Governed data is also masked on the pair review screens.
When you export master data that is covered by a data governance rule, the exported file includes masked values for governed data.
Governed data and user permissions
Data governance rules do not apply to users who have manager permissions in IBM Match 360, such as data engineers and administrators.
The following table shows the difference between the actions that a non-manager can complete in the master data explorer compared to a manager.
| Master data explorer action | Users without manager role (data steward or entity viewer) | Users with manager role (data engineer or admin) |
|---|---|---|
| Simple search | No restrictions | No restrictions |
| View simple search results | Masked fields are excluded from results | No restrictions |
| Advanced search | Cannot create search rules that use governed attributes | No restrictions |
| View advanced search results | Governed data is masked | No restrictions |
| Add record | Cannot add records with governed attributes | No restrictions |
| Edit record | Cannot edit records with governed attributes | No restrictions |
| Delete record | Cannot delete records with governed attributes | No restrictions |
| Export data | Governed data is masked | No restrictions |
IBM Match 360 applies governance to search results equally, regardless of whether you search for records or entities.
Learn more
Parent topic: Managing master data by using IBM Match 360