
Data Classification Verification Algorithms

You can use verification algorithms in a Data Classification policy object of type Regular Expression to filter the regular expression results. This enforces additional restrictions and validations on matched phrases. The verification algorithm takes as input each string matched by the policy object's regular expression, and removes the results that do not meet the criteria defined within the algorithm.

Data Access Security comes with a set of out of the box verification algorithms for standard verifications, such as Luhn for credit card numbers, or SSN algorithms. In addition, you can write a verification algorithm, upload it to the Data Access Security website, and use it in data classification policy objects.

Out of the Box Verification Algorithm

Verification algorithms for common rules are pre-loaded:

  • Luhn (Credit Card Number)
  • US SSN
  • Netherlands BSN
  • Israeli ID
  • IBAN
  • South African ID

The dropdown list of verification algorithms in the Rule Criteria screen includes out of the box algorithms, as well as algorithms uploaded by the user.

Creating a Verification Algorithm

Guidelines

  • The assembly must target .NET Standard 2.1 or .NET 6.0. These will be referred to as the supported .NET platforms.
  • You may write only one implementation class of the IDataClassificationVerifier interface per assembly.
  • It is only possible to upload one assembly per verification algorithm. In case your code requires usage of additional referenced assemblies, you must pack them all into one assembly.

    Note

    Verification algorithm assemblies written for previous versions of Data Access Security (in .NET Framework 4.5) must be removed, rewritten to target one of the supported .NET platforms mentioned above, and uploaded again.

Walkthrough

  1. Create a new .NET Framework Class Library targeting a supported .NET platform.
  2. In your project, add a reference to the assembly FAM.DataClassification.Verifiers.dll. This assembly is provided by SailPoint, and contains the IDataClassificationVerifier interface. This assembly can be downloaded from Compass.
  3. Create a new class that implements the IDataClassificationVerifier interface.
  4. This class must provide an implementation of the only public method defined in the interface named “Verify.” This method takes as an argument a match result string and returns a boolean that denotes if the verification passed or failed.
  5. Build your project and upload the output assembly as described in the Verification Algorithms Screen section.
  6. This uploaded verification algorithm will now be available in the verification algorithm dropdown list of the Policy Object screen alongside the other built in or uploaded algorithms.

Examples

Code Example
using FAM.DataClassification.Verifiers;

namespace VerificationAlgorithmExample
{
  public class EvenNumberVerificationAlgorithm : IDataClassificationVerifier
  {
    /// <summary>
    /// Example for a custom verifier that verifies that the input is an even number
    /// </summary>
    /// <param name="value">A regular expression match result</param>
    /// <returns>True if passed verification, False if failed</returns>
    public bool Verify(string value)
    {
        if (long.TryParse(value, out long parsedLong))
        {
            return parsedLong % 2 == 0;
        }
        return false;
    }
  }
}
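
A more realistic verifier than the even-number sample, added here as an example and not SailPoint's code: it checks the modulus 11 check digit of a 10-digit UK NHS number, an identifier chosen for illustration that is not among the pre-loaded algorithms listed above. The class name is hypothetical; only IDataClassificationVerifier, its Verify method and the FAM.DataClassification.Verifiers namespace come from this page.

```csharp
using FAM.DataClassification.Verifiers; // SailPoint-provided assembly from the walkthrough

namespace VerificationAlgorithmExample
{
    // Added example (hypothetical class name): validates the modulus 11 check
    // digit of a 10-digit UK NHS number matched by a policy object's regex.
    public class NhsNumberVerificationAlgorithm : IDataClassificationVerifier
    {
        public bool Verify(string value)
        {
            // Reject null or blank input instead of throwing.
            if (string.IsNullOrWhiteSpace(value))
            {
                return false;
            }

            int[] digits = new int[10];
            int count = 0;
            foreach (char c in value)
            {
                // Matches are often formatted with spaces or hyphens between groups.
                if (c == ' ' || c == '-')
                {
                    continue;
                }
                // ASCII digits only (char.IsDigit also accepts other Unicode digits),
                // and never more than ten of them.
                if (c < '0' || c > '9' || count == 10)
                {
                    return false;
                }
                digits[count++] = c - '0';
            }
            if (count != 10)
            {
                return false;
            }

            // Weights 10 down to 2 over the first nine digits.
            int sum = 0;
            for (int i = 0; i < 9; i++)
            {
                sum += digits[i] * (10 - i);
            }
            int check = 11 - (sum % 11);
            if (check == 11) check = 0;
            // A computed value of 10 can never equal a single digit, so it fails.
            return check == digits[9];
        }
    }
}
```

A checksum filter of this kind still passes roughly one in eleven arbitrary 10-digit strings, so keep the policy object's regular expression as tight as the data allows.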

Verification Algorithms Screen

The Verification Algorithms table shows the custom verification algorithms uploaded by the users or as part of a policy upload from another Data Access Security system. This table does not contain the standard out of the box verification algorithms.

To access the table, navigate to Compliance > Data Classification > Verification Algorithms. By default, this page is only accessible to Administrators.

  • Name - Verification algorithm name. This name will also appear in the dropdown list of verifications along with the existing, out of the box verification algorithms.
  • Description - Added when the verification algorithm is uploaded.
  • File Name - The verification algorithm dll file created by the user and uploaded to Data Access Security.
  • In use - This flag indicates whether this algorithm is part of a policy object that is used in an active policy.
  • Created By - The user uploading the algorithm. Verification algorithms that are uploaded to the system using the policy upload tool will be listed in the verification algorithms list as Created By “Conversion.”

See Transferring Data Classification Policies Between Systems for further details on imported policies.

This screen can be used to view custom built verification algorithms or upload new verification algorithms. It can also be used to edit or delete existing algorithms.

On this screen, a user is able to see whether an algorithm is in use or not.

Uploading a New Verification Algorithm

A new verification algorithm must follow the guidelines below:

  • Extension: .dll
  • File size: Up to 5 MB
  • The verifier name must be unique in the list of verification algorithms

  1. Open the Verification Algorithms panel.
  2. Click + New Verification Algorithm.
  3. Select File.
  4. Select a .dll file from your computer.
  5. Enter the name and description of the verification algorithm (see description above).
  6. Select Save or Cancel to continue.

Deleting a Custom Verification Algorithm

  1. Open the Verification Algorithms panel.
  2. To open the action menu, select the menu icon on the row of the verification algorithm you want to delete.
  3. Select Delete.

    Note

    If the algorithm is currently part of a policy object that is used in an active policy, a popup message will warn the user before deleting.