You can use templates to create and persist configuration information to use with Cloud Data Loss Prevention. Templates are useful for decoupling configuration (what you inspect for and how you de-identify it) from the implementation of your requests. Templates provide a robust way to re-use configuration and enable consistency across users and data sets.
Cloud DLP supports two types of templates:
- De-identification templates: Templates for saving configuration information for de-identification jobs, including both infoType and record (structured dataset) transformations.
- Inspection templates: Templates for persisting configuration information for inspection scan jobs, including what predefined or custom detectors to use. For more information about inspection templates, see Creating Cloud DLP inspection templates.
For conceptual information about templates in Cloud DLP, see Templates.
The remainder of this topic shows you how to create de-identification templates for use with Cloud DLP.
Create a de-identification template
It’s useful to note that a de-identification template is simply a reusable de-identification configuration plus some metadata. In API terms, the DeidentifyTemplate object is effectively a DeidentifyConfig object that includes a few more fields of metadata, such as a display name and a description. Therefore, to create a new de-identification template, the basic steps are:
- Start with a DeidentifyConfig object.
- Call or POST the create method of the projects.deidentifyTemplates resource, including in your request a DeidentifyTemplate object that contains a display name, a description, and that DeidentifyConfig object.
The returned DeidentifyTemplate will be usable immediately. You can reference it in other calls or jobs by its name. You can list the existing templates by calling the *.deidentifyTemplates.list method. To view a specific template, call the *.deidentifyTemplates.get method. Note that the limit for the number of templates you can create is 1000.
If you've already had some experience de-identifying sensitive data from text, images, or structured content using Cloud DLP, you've already created a DeidentifyConfig object. One additional step turns it into a DeidentifyTemplate object.
REST example
The following JSON is an example of what you could send to the projects.deidentifyTemplates.create method. This JSON creates a new template with the given display name and description, and scans for matches on the infoTypes EMAIL_ADDRESS and GENERIC_ID. When it finds content matching those infoTypes, it will mask the first three characters with an asterisk (*) character.
HTTP method and URL:
POST https://dlp.googleapis.com/v2/projects/PROJECT_ID/deidentifyTemplates
Replace PROJECT_ID with the project ID.
JSON Input:
{
  "deidentifyTemplate": {
    "displayName": "Email and id masker",
    "description": "De-identifies emails and ids with a series of asterisks.",
    "deidentifyConfig": {
      "infoTypeTransformations": {
        "transformations": [
          {
            "infoTypes": [
              {
                "name": "GENERIC_ID"
              }
            ],
            "primitiveTransformation": {
              "replaceWithInfoTypeConfig": {}
            }
          },
          {
            "infoTypes": [
              {
                "name": "EMAIL_ADDRESS"
              }
            ],
            "primitiveTransformation": {
              "characterMaskConfig": {
                "charactersToIgnore": [
                  {
                    "charactersToSkip": "@"
                  }
                ],
                "maskingCharacter": "*"
              }
            }
          }
        ]
      }
    }
  }
}
JSON Output:
{
  "name": "projects/PROJECT_ID/deidentifyTemplates/JOB-ID",
  "displayName": "Email and id masker",
  "description": "De-identifies emails and ids with a series of asterisks.",
  "createTime": "2018-11-30T07:17:59.536022Z",
  "updateTime": "2018-11-30T07:17:59.536022Z",
  "deidentifyConfig": {
    "infoTypeTransformations": {
      "transformations": [
        {
          "infoTypes": [
            {
              "name": "GENERIC_ID"
            }
          ],
          "primitiveTransformation": {
            "replaceWithInfoTypeConfig": {}
          }
        },
        {
          "infoTypes": [
            {
              "name": "EMAIL_ADDRESS"
            }
          ],
          "primitiveTransformation": {
            "characterMaskConfig": {
              "maskingCharacter": "*",
              "charactersToIgnore": [
                {
                  "charactersToSkip": "@"
                }
              ]
            }
          }
        }
      ]
    }
  }
}
For general information about using JSON to send requests to the DLP API, see the JSON quickstart.
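To check what a template will do before saving it, the following added example (not part of the original documentation or the Cloud DLP client libraries) applies the deidentifyConfig from the REST example above to constructed findings. It is a local approximation: inspection is performed by the service, so the sample text and offsets are hand-written assumptions, and the handling of numberToMask goes beyond the fields used in the JSON above.

```python
import json

# deidentifyConfig copied from the REST example above.
CONFIG = json.loads("""{"infoTypeTransformations": {"transformations": [
  {"infoTypes": [{"name": "GENERIC_ID"}],
   "primitiveTransformation": {"replaceWithInfoTypeConfig": {}}},
  {"infoTypes": [{"name": "EMAIL_ADDRESS"}],
   "primitiveTransformation": {"characterMaskConfig": {
     "charactersToIgnore": [{"charactersToSkip": "@"}],
     "maskingCharacter": "*"}}}]}}""")


def mask(value, cfg):
    """Approximate characterMaskConfig; skipped characters are kept, not counted."""
    skip = "".join(c.get("charactersToSkip", "") for c in cfg.get("charactersToIgnore", []))
    budget = int(cfg.get("numberToMask", 0)) or len(value)  # unset or 0: mask all
    out = []
    for ch in value:
        if ch in skip or budget == 0:
            out.append(ch)
        else:
            out.append(cfg.get("maskingCharacter", "*"))  # "*" default is a simplification
            budget -= 1
    return "".join(out)


def transform(info_type, value, config):
    """Apply the first transformation whose infoTypes list names info_type."""
    for t in config["infoTypeTransformations"]["transformations"]:
        if any(i["name"] == info_type for i in t.get("infoTypes", [])):
            prim = t["primitiveTransformation"]
            if "replaceWithInfoTypeConfig" in prim:
                return f"[{info_type}]"
            if "characterMaskConfig" in prim:
                return mask(value, prim["characterMaskConfig"])
            raise NotImplementedError(sorted(prim))
    return value  # no transformation configured for this infoType


def deidentify(text, findings, config=CONFIG):
    """findings: (start, end, infoType) spans such as an inspection pass reports."""
    for start, end, info_type in sorted(findings, reverse=True):  # right to left
        text = text[:start] + transform(info_type, text[start:end], config) + text[end:]
    return text

# Constructed sample; the offsets are hand-written, not Cloud DLP output.
SAMPLE = "Contact jane@example.com about ticket 8842-AX"
FINDINGS = [(8, 24, "EMAIL_ADDRESS"), (38, 45, "GENERIC_ID")]
print(deidentify(SAMPLE, FINDINGS))
```

With the configuration as given, every character of an EMAIL_ADDRESS finding except @ is masked and a GENERIC_ID finding is replaced by its infoType name; setting numberToMask in characterMaskConfig limits the mask to that many characters.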
Using de-identification templates
Once you’ve created a new template, you can use its name identifier anywhere deidentifyTemplateName is accepted, such as:
- projects.content.deidentify: De-identifies potentially sensitive data in content using the template as its configuration. Be aware that this method can use either an inspection template or a de-identification template.
Listing de-identification templates
To list all de-identification templates that have been created, use one of the *.*.list methods:
Code examples
Following is sample code in several languages that demonstrates how to use Cloud DLP to list inspection templates. The process is identical to the one for listing de-identification templates.
To learn how to install and use the client library for Cloud DLP, see Cloud DLP client libraries.
Deleting de-identification templates
To delete a specific de-identification template, use one of the *.*.delete methods:
With each *.*.delete method, you include the resource name of the template to be deleted.
Code examples
Following is sample code in several languages that demonstrates how to use Cloud DLP to delete an inspection template. The process is identical to the one for deleting de-identification templates.
To learn how to install and use the client library for Cloud DLP, see Cloud DLP client libraries.