Templates

You can use templates to create and persist configuration information to use with Cloud Data Loss Prevention (DLP). Templates are useful for decoupling configuration information, such as what you inspect for and how you de-identify it, from the implementation of your requests. Templates provide a robust way to manage large-scale rollouts of Cloud DLP capabilities.

Cloud DLP supports two types of templates:

  • Inspection templates: Templates for saving configuration information for inspection scan jobs, including what predefined or custom detectors to use.
  • De-identification templates: Templates for saving configuration information for de-identification jobs, including both infoType and structured dataset transformations.

Advantages of templates

Templates enable you to use a single source for your job configuration information. Consider a typical inspection scan request to Cloud DLP. Whether you're inspecting text, an image, or structured data in a Google Cloud Platform storage repository, your inspection request will include two basic pieces of information:

  • The data to scan: Either the data itself or information about the location of the data.
  • What to scan for: The predefined or custom infoTypes to turn on, likelihood limits, and so on.

Say you scheduled several storage inspection jobs to run, all of which scanned a GCP storage repository for phone numbers and then created a report of the findings. The following are conceptual summary descriptions of these jobs. Note that "inspectJob" represents the data to scan, and "inspectConfig" represents what to scan for.

Inspection job #1:

  • "inspectJob": Q2 2017 marketing database.
  • "inspectConfig": PHONE_NUMBER infoType.

Inspection job #2:

  • "inspectJob": Customer alert contact database.
  • "inspectConfig": PHONE_NUMBER infoType.

Inspection job #3:

  • "inspectJob": Top secret VIP partner strategy database.
  • "inspectConfig": PHONE_NUMBER infoType.

Inspection job #4:

  • "inspectJob": Government contract database.
  • "inspectConfig": PHONE_NUMBER infoType.

Each job's data source is different, but its instructions for what to scan for are identical. Now suppose that you also want to scan for email addresses. In this case, you would have to edit each job's configuration and add email addresses to "inspectConfig". If instead you had used a template to configure what to scan for, you would only have to edit one configuration: that of the template. The next time any of these jobs ran, it would know to scan for both phone numbers and email addresses, because the "inspectConfig" had been set to a template.
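The following added example (not part of the original documentation) models the four jobs above offline and reports which ones miss a newly required infoType after a single template edit. The project name, template ID, job IDs, and the split of two inline jobs versus two template-referencing jobs are constructed for illustration; a job is assumed to use either an inline "inspectConfig" or an "inspectTemplateName" reference, not both.

```python
"""Audit which DLP inspection jobs pick up a change to what they scan for."""
import copy

TEMPLATE = "projects/example-project/inspectTemplates/contact-info"  # constructed
# Constructed template store keyed by resource name (stands in for the get method).
TEMPLATES = {TEMPLATE: {"displayName": "Contact info",
                        "inspectConfig": {"infoTypes": [{"name": "PHONE_NUMBER"}]}}}
INLINE = {"inspectConfig": {"infoTypes": [{"name": "PHONE_NUMBER"}]}}
# Constructed jobs; storage details omitted, only the scan configuration matters here.
JOBS = {
    "q2-2017-marketing": {"inspectJob": copy.deepcopy(INLINE)},
    "customer-alert-contacts": {"inspectJob": copy.deepcopy(INLINE)},
    "vip-partner-strategy": {"inspectJob": {"inspectTemplateName": TEMPLATE}},
    "government-contracts": {"inspectJob": {"inspectTemplateName": TEMPLATE}},
}

def names(inspect_config):
    """Set of infoType names listed in an inspectConfig object."""
    return {t["name"] for t in inspect_config.get("infoTypes", [])}

def effective_info_types(job, templates):
    """InfoTypes a job scans for: the referenced template's, else its inline config's."""
    spec = job["inspectJob"]
    ref = spec.get("inspectTemplateName")
    if ref is not None:
        template = templates.get(ref)
        # Unresolved reference: report an empty set so the job is always flagged.
        return names(template["inspectConfig"]) if template else set()
    return names(spec.get("inspectConfig", {}))

def add_info_type(templates, ref, info_type):
    """Local stand-in for patching a template: one edit shared by every referencing job."""
    config = templates[ref]["inspectConfig"]
    if info_type not in names(config):
        config["infoTypes"].append({"name": info_type})

def coverage_gaps(jobs, templates, required):
    """Map each job that misses a required infoType to the sorted list it lacks."""
    gaps = {}
    for job_id, job in jobs.items():
        missing = set(required) - effective_info_types(job, templates)
        if missing:
            gaps[job_id] = sorted(missing)
    return gaps

if __name__ == "__main__":
    add_info_type(TEMPLATES, TEMPLATE, "EMAIL_ADDRESS")
    print(coverage_gaps(JOBS, TEMPLATES, {"PHONE_NUMBER", "EMAIL_ADDRESS"}))
```

Only the two jobs that carry their own inline configuration are reported, which is the drift a template reference avoids.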

The InspectTemplate and DeidentifyTemplate objects

Templates are represented in Cloud DLP by the InspectTemplate and DeidentifyTemplate objects. Both template objects contain a configuration—a set of infoType detectors—to be used anywhere you otherwise would normally specify the InspectConfig or DeidentifyConfig objects.

Template configuration fields

Each template object contains the configuration object that the template implements, plus several additional configuration fields:

  • The template's name and display name, and a description.
  • The InspectConfig or DeidentifyConfig object: The configuration information for the inspection or de-identification job.
  • Read-only timestamps for creation time ("createTime") and a last updated time ("updateTime").

Template methods

Each template object also includes several built-in management methods. These enable you to maintain the template without having to update every request or integration. Each management method is linked in the following table, and is organized by whether the template applies organization-wide or project-wide, and whether the template is a de-identification template or an inspection template:


Action                                                                   organization.deidentifyTemplates   organization.inspectTemplates   project.deidentifyTemplates   project.inspectTemplates
Create a new template                                                    create                             create                          create                        create
Update an existing template                                              patch                              patch                           patch                         patch
Delete an existing template                                              delete                             delete                          delete                        delete
Retrieve an existing template, including its configuration and status    get                                get                             get                           get
List all existing job templates                                          list                               list                            list                          list

Using templates

Templates are available for both inspection and de-identification configuration information, and can be used in both content API calls (text and images) and Cloud DLP jobs (storage repositories).

Templates have powerful Cloud Identity and Access Management (IAM) controls so you can restrict management of them to only approved users. For more information, see:

Resources

To learn how to create and use templates with Cloud DLP, see:
