Usage rules

Overview

For high-risk data, it is often important that full data are never downloaded to a non-sandbox environment. To handle this use case, Redivis implements the concept of usage rules. Usage rules define what actions a researcher can take with a dataset once they have data access.

Usage rules can be applied to any organization-owned dataset, either as part of the dataset's access configuration or on a permission group. We currently support restrictions on data exports, which are visible to any user applying for access, and will also be shown in the table export interface.

If a table is derived from multiple datasets, the export restrictions on that table will represent the intersection of the configuration of restrictions from each dataset.

This table is part of a dataset which restricts exports

Data exports

All data export restrictions apply to interactions through the web UI as well as through API calls. They can be configured as to whether they allow researchers to request exceptions.

These restrictions apply to all users of a dataset (except organization administrators, who may bypass the restrictions to export data).

Export environments

Export of restricted data on Redivis is allowed through export environments. Each environment defines a location or locations to which a user can export data under certain conditions.

Export environments can limit data exports to specific IP addresses, Google Cloud Storage buckets, Google BigQuery projects, or to Google Data Studio.

In addition, organization admins can specify either size limitations (by number of table rows or table gigabytes), or require that every export receives admin approval. If a user tries to export a table larger than the size limitation, they have to get admin approval.

You can define export environments used by your organization when configuring access to a dataset or permission group, or in the organization's settings.

IP address

IP address environments limit downloads to only a specific IP address (or a set of addresses) configured by the organization admin.
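
The following is an added illustration, not Redivis code or its API: a small Python model of how IP address environments, size limits and the intersection rule for tables derived from multiple datasets could combine into one export decision. The class and function names, the outcome labels and the sample datasets are assumptions made for this example, as is the rule that the most permissive environment applies within a single dataset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Outcomes ordered from least to most restrictive.
RANK = {"allow": 0, "needs_approval": 1, "blocked": 2}

@dataclass(frozen=True)
class IpEnvironment:
    """Hypothetical model of one IP address export environment."""
    networks: tuple                  # allowed addresses or CIDR ranges
    max_rows: Optional[int] = None   # size limit in table rows; None = no limit
    always_approve: bool = False     # every export requires admin approval

    def decide(self, client_ip: str, rows: int) -> str:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in ipaddress.ip_network(n) for n in self.networks):
            return "blocked"
        if self.always_approve or (self.max_rows is not None and rows > self.max_rows):
            return "needs_approval"
        return "allow"

def dataset_decision(environments, client_ip, rows):
    """Assumption: within one dataset, the most permissive environment applies."""
    if not environments:             # assumption: no environments = unrestricted
        return "allow"
    return min((e.decide(client_ip, rows) for e in environments), key=RANK.get)

def table_decision(datasets, client_ip, rows):
    """Intersection across source datasets: the most restrictive outcome wins."""
    return max((dataset_decision(envs, client_ip, rows)
                for envs in datasets.values()), key=RANK.get)

# Constructed sample: a table derived from two restricted datasets.
DATASETS = {
    "clinical": [IpEnvironment(("192.0.2.0/24",), max_rows=1000)],
    "survey": [
        IpEnvironment(("192.0.2.10",)),
        IpEnvironment(("198.51.100.0/24",), always_approve=True),
    ],
}

if __name__ == "__main__":
    for ip, rows in [("192.0.2.10", 500), ("192.0.2.10", 5000), ("192.0.2.77", 500)]:
        print(ip, rows, table_decision(DATASETS, ip, rows))
```

Whether a blocked export can still be requested as an exception is a separate setting and is not modelled here.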

Google BigQuery

BigQuery environments limit exports to only a specific Google BigQuery project (or set of projects) configured by the organization admin.

Google Cloud Storage

Cloud Storage environments limit exports to only a Google Cloud Storage bucket (or set of buckets) specified by the organization admin.

Google Data Studio

Data Studio environments limit exports to only Google Data Studio.

Custom location

Custom environments allow exports to any user-requested location (either an IP address, BigQuery project, Cloud Storage bucket, or Data Studio), but each user-specified location must always receive admin approval.

Configuring export restrictions

Configuring export restrictions is only available to organization-owned datasets. Export environments can be added to a dataset through the access configuration interface, or standardized across datasets through a permission group.

Configure export restrictions in the dataset access modal or on a permission group

Requesting export approval

Depending on the configuration of export environments on a dataset with restricted exports, you may have to request admin approval to export data.

If the button (Download, Visualize data, or Export in the table export modal) for your desired export destination is disabled, you should Request approval from organization admins. Approvals apply only to individual tables; you cannot request blanket exceptions to a dataset.

This workflow is similar to requesting requirement approval, and an administrator will be alerted to your request, which they can either approve or reject.

Request approval to download to a specific IP address

Export approval

When a member of an organization submits an export exception request, it will show up as an alert for that member, directing you to the Export approvals tab. If you open the approval request, you will see details about the table that is being requested, alongside the ability to view that table in the context of the researcher's project. The request can be approved or rejected in much the same way as requirements.

Exports are approved on the organization admin panel