CPC G06F 21/6218 (2013.01); 20 Claims
1. A system comprising:
a processor; and
memory coupled to the processor, the memory comprising computer executable instructions that, when executed by the processor, perform operations comprising:
receiving, by a storage application programming interface (API) of a computing environment, a data read request from a caller, the data read request comprising one or more data properties of a data item and a call context, wherein the call context indicates at least one of an identifier of the caller or a type of the caller;
processing the data read request, wherein the processing comprises:
retrieving, by the storage API, the one or more data properties from a tenant data storage system of the computing environment;
identifying, by the storage API, classification data for each of the one or more data properties, wherein the classification data is identified in a data provenance provider of the computing environment;
retrieving, by the storage API, a provenance record associated with the one or more data properties from the data provenance provider, wherein the provenance record indicates an origin location of the one or more data properties;
accessing a policy governor comprising a tenant rule instance repository and a computing environment rule instance repository, wherein:
the tenant rule instance repository comprises rules for transferring data items by a tenant environment within the computing environment; and
the computing environment rule instance repository comprises rules for transferring data items across or within boundaries of the computing environment; and
based on the call context, retrieving:
a first rule relevant to the data read request from at least one of the tenant rule instance repository or the computing environment rule instance repository; and
a second rule relevant to the data read request from at least one decentralized rules repository external to the system, wherein relevancy of the retrieved rules is based on whether the retrieved rules are to govern data transfers relating to at least one of the identifier of the caller or the type of the caller;
evaluating, by the storage API, the one or more data properties, the provenance record, and the classification data using the retrieved rules;
based on evaluating the one or more data properties, the provenance record, and the classification data, determining, by the storage API, that at least one of the retrieved rules, the provenance record, or the classification data prohibit a first data property in the one or more data properties from being transferred to the caller;
creating, by the storage API, an ineligibility indication specifying that the first data property is prohibited from being transferred to the caller;
generating, by the storage API and in response to the data read request, a payload:
comprising the provenance record, the classification data, the ineligibility indication, and a second data property in the one or more data properties, wherein the retrieved rules do not prohibit the second data property from being transferred to the caller; and
not comprising the first data property; and
providing, by the storage API, the payload to the caller in response to the data read request.
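The following worked example, added here and not the patent's own code, models the read path of claim 1 end to end: a storage API receives a read request with a call context, pulls the property values from tenant storage and the classification and provenance record from a provenance provider, selects only those rules (tenant, environment, and an external decentralized repository) that govern the caller's identifier or type, and returns a payload that carries the provenance record, the classification data, an ineligibility indication for each prohibited property, and the values of the permitted properties only. All module names, rule shapes, the `NEVER_TRANSFER` classification set, and the sample tenant data are constructed assumptions for illustration.

```python
# Added worked example; not the patent's own code. Every name, rule and the
# sample tenant data below is a constructed assumption for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class CallContext:
    caller_id: str    # identifier of the caller
    caller_type: str  # type of the caller, e.g. "first-party" / "third-party"


@dataclass(frozen=True)
class ProvenanceRecord:
    origin_location: str  # where the data properties originated


@dataclass(frozen=True)
class Rule:
    name: str
    caller_id: str = ""    # rule governs transfers to this caller id ...
    caller_type: str = ""  # ... or to callers of this type
    # (property, classification, provenance) -> True if transfer is prohibited
    prohibits: Callable[[str, str, ProvenanceRecord], bool] = lambda p, c, r: False

    def relevant_to(self, ctx: CallContext) -> bool:
        """Relevancy as in the claim: the rule governs the caller's id or type."""
        return bool((self.caller_id and self.caller_id == ctx.caller_id)
                    or (self.caller_type and self.caller_type == ctx.caller_type))


# Tenant data storage system (constructed sample).
TENANT_DATA = {
    "customer-42": {"display_name": "A. Example", "email": "a@example.org",
                    "national_id": "123-45-6789", "auth_secret": "s3cr3t"},
}
# Data provenance provider: classification per property, provenance per item.
CLASSIFICATION = {"display_name": "public", "email": "pii",
                  "national_id": "pii-restricted", "auth_secret": "secret"}
PROVENANCE = {"customer-42": ProvenanceRecord(origin_location="EU")}
# Classifications the provenance provider marks as never transferable,
# independently of any rule (the "classification data prohibits" branch).
NEVER_TRANSFER = {"secret"}

# Policy governor: tenant rule instances and computing-environment rule instances.
TENANT_RULES = [Rule("tenant:no-pii-to-third-parties", caller_type="third-party",
                     prohibits=lambda p, c, r: c.startswith("pii"))]
ENVIRONMENT_RULES = [Rule("env:eu-origin-not-to-us-analytics", caller_id="analytics-us",
                          prohibits=lambda p, c, r: r.origin_location == "EU" and c != "public")]


def fetch_external_rules() -> List[Rule]:
    """Stand-in for a decentralized rules repository outside the system."""
    return [Rule("external:restricted-never-exported", caller_type="third-party",
                 prohibits=lambda p, c, r: c == "pii-restricted")]


def read(item_id: str, properties: List[str], ctx: CallContext) -> dict:
    """Storage API read: evaluate, redact, and return the annotated payload."""
    values = {p: TENANT_DATA[item_id][p] for p in properties}
    classification = {p: CLASSIFICATION[p] for p in properties}
    provenance = PROVENANCE[item_id]
    # Only rules relevant to this caller (by id or type) are consulted.
    rules = [r for r in TENANT_RULES + ENVIRONMENT_RULES + fetch_external_rules()
             if r.relevant_to(ctx)]
    data: Dict[str, str] = {}
    ineligible: Dict[str, List[str]] = {}  # the ineligibility indication
    for p in properties:
        reasons = [r.name for r in rules if r.prohibits(p, classification[p], provenance)]
        if classification[p] in NEVER_TRANSFER:
            reasons.append("classification:" + classification[p])
        if reasons:
            ineligible[p] = reasons  # prohibited: value is left out of the payload
        else:
            data[p] = values[p]      # permitted: value is transferred to the caller
    return {"data": data, "classification": classification,
            "provenance": {"origin_location": provenance.origin_location},
            "ineligible": ineligible}


if __name__ == "__main__":
    props = ["display_name", "email", "national_id", "auth_secret"]
    for ctx in (CallContext("partner-app", "third-party"),
                CallContext("analytics-us", "first-party"),
                CallContext("billing-eu", "first-party")):
        print(ctx.caller_id, read("customer-42", props, ctx))
```

Running the three sample calls shows the three selection paths the claim describes: the third-party caller is governed by a tenant rule and an external rule (selected by caller type), the `analytics-us` caller only by an environment rule (selected by caller id), and the `billing-eu` caller by no rule at all, so the only property withheld from it is the one whose classification alone prohibits transfer. In every case the caller still receives the provenance record, the classification data, and the reasons for each withheld property, which is what lets a caller distinguish "field absent" from "field withheld by policy".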