# üß™ Finance ABAC Demo - Step 3: Setup Governed Tags

## üìã Overview
This notebook creates the tag policies defining the necessary governed tags and their allowed values

### What This Notebook Does:
1. **Creates Tag policy**: Uses REST API to create tag policies defining governed tags and their allowed values
2. **Demonstrates Usage**: Shows how to apply tags to relevant columns in the finance datasets

## üéì How to Use This Notebook
1. **Ensure Steps 1-2 Complete**: All functions, tables, and data must exist
2. **Run All Cells**: Execute sequentially to see all test results
3. **Verify Expectations**: Check that tags have been applied through the catalog explorer

## ‚öôÔ∏è Prerequisites
- ‚úÖ **Step 1 completed**: All functions created
- ‚úÖ **Step 2 completed**: Core tables with data
- ‚úÖ APPLY TAG permission on all tables

## üìä Expected Results
After running this notebook:
- ‚úÖ Tag policies are created
- ‚úÖ Governed tags assigned
- ‚úÖ Prepared for creating ABAC policies
---


In [0]:
pip install pyyaml

In [0]:
# üìã Load Configuration from config.yaml
import yaml
from pathlib import Path
import requests
import os
from databricks.sdk import WorkspaceClient

config_file = Path('config.yaml')
if config_file.exists():
    with open(config_file) as f:
        config = yaml.safe_load(f)
    CATALOG = config['catalog']
    SCHEMA = config['schema']
    print(f'‚úÖ Configuration loaded from config.yaml')
    print(f'   üìä Catalog: {CATALOG}')
    print(f'   üìÅ Schema: {SCHEMA}')
else:
    # Fallback defaults
    CATALOG = 'your_catalog_name'
    SCHEMA = 'finance'
    print(f'‚ö†Ô∏è  config.yaml not found - using defaults')
    print(f'   üìä Catalog: {CATALOG}')
    print(f'   üìÅ Schema: {SCHEMA}')

# Set catalog and schema to use for the cells below
spark.sql(f"USE CATALOG {CATALOG}")
spark.sql(f"CREATE SCHEMA IF NOT EXISTS {SCHEMA}")
spark.sql(f"USE SCHEMA {SCHEMA}")

client = WorkspaceClient()
workspace_url = client.config.host

In [0]:
%sql
SELECT 'üéØ Target: ' || current_catalog() || '.' || current_schema() AS status;

###Define Governed Tags + Allowed Values
https://docs.databricks.com/api/workspace/tagpolicies/createtagpolicy

In [0]:
def get_token():
    ctx = dbutils.notebook.entry_point.getDbutils().notebook().getContext()
    return getattr(ctx, "apiToken")().get()


def create_tag_policy(payload):
    data = requests.post(
        f"{workspace_url}/api/2.1/tag-policies",
        headers={"Authorization": f"Bearer {get_token()}"},
        json=payload,
    )

    return data

In [0]:
pii_payload = {
    "description": "PII field types for finance industry",
    "tag_key": "pii_type_finance",
    "values": [
        {"name": "ssn"},
        {"name": "email"},
        {"name": "location"},
        {"name": "phone"},
        {"name": "income"},
        {"name": "account"},
        {"name": "routing_number"},
        {"name": "ip_address"},
        {"name": "credit_card"},
        {"name": "transaction_amount"},
        {"name": "transaction_id"},
        {"name": "id"}
    ]
}
print(create_tag_policy(pii_payload).json())


pci_payload = {
    "description": "PCI-DSS compliance requirement for finance",
    "tag_key": "pci_compliance_finance",
    "values": [
        {"name": "Required"},
        {"name": "Not_Required"}
    ]
}
print(create_tag_policy(pci_payload).json())


classification_payload = {
    "description": "Data classification level for finance",
    "tag_key": "data_classification_finance",
    "values": [
        {"name": "Confidential"},
        {"name": "Internal"},
        {"name": "Public"}
    ]
}
print(create_tag_policy(classification_payload).json())


fraud_payload = {
    "description": "Identify fraud detection flag for finance",
    "tag_key": "fraud_detection_finance",
    "values": [
        {"name": "true"},
        {"name": "false"}
    ]
}
print(create_tag_policy(fraud_payload).json())

In [0]:
%sql
-- =============================================
-- TAGS FOR: customers (PII data)
-- =============================================
ALTER TABLE customers ALTER COLUMN ssn SET TAGS ('pii_type_finance' = 'ssn', 'pci_compliance_finance' = 'Required');
ALTER TABLE customers ALTER COLUMN email SET TAGS ('pii_type_finance' = 'email');
ALTER TABLE customers ALTER COLUMN phone SET TAGS ('pii_type_finance' = 'phone');
ALTER TABLE customers ALTER COLUMN state SET TAGS ('pii_type_finance' = 'location');
ALTER TABLE customers ALTER COLUMN annual_income SET TAGS ('pii_type_finance' = 'income', 'data_classification_finance' = 'Confidential');
ALTER TABLE customers ALTER COLUMN customer_id SET TAGS ('pii_type_finance' = 'id');

In [0]:
%sql
-- =============================================
-- TAGS FOR: accounts (Account numbers)
-- =============================================
ALTER TABLE accounts ALTER COLUMN account_number SET TAGS ('pii_type_finance' = 'account', 'data_classification_finance' = 'Confidential');
ALTER TABLE accounts ALTER COLUMN routing_number SET TAGS ('pii_type_finance' = 'routing_number', 'data_classification_finance' = 'Confidential');
ALTER TABLE accounts ALTER COLUMN customer_id SET TAGS ('pii_type_finance' = 'id');

In [0]:
%sql
-- =============================================
-- TAGS FOR: credit_cards (PCI-DSS data)
-- =============================================
ALTER TABLE credit_cards ALTER COLUMN card_number SET TAGS ('pii_type_finance' = 'credit_card', 'pci_compliance_finance' = 'Required');
ALTER TABLE credit_cards ALTER COLUMN customer_id SET TAGS ('pii_type_finance' = 'id');

In [0]:
%sql
-- =============================================
-- TAGS FOR: transactions (Transaction data)
-- =============================================
ALTER TABLE transactions ALTER COLUMN ip_address SET TAGS ('pii_type_finance' = 'ip_address');
ALTER TABLE transactions ALTER COLUMN amount SET TAGS ('pii_type_finance' = 'transaction_amount');
ALTER TABLE transactions ALTER COLUMN customer_id SET TAGS ('pii_type_finance' = 'id');
ALTER TABLE transactions ALTER COLUMN transaction_id SET TAGS ('pii_type_finance' = 'transaction_id');
ALTER TABLE transactions ALTER COLUMN fraud_flag SET TAGS ('fraud_detection_finance' = 'true');

In [0]:
%sql
SELECT '‚úÖ Tags applied successfully to finance tables!' AS status;

## ‚úÖ Success!

Tag policies have been created successfully and governed tags have been assigned!

### What You Just Created:
- ‚úÖ Governed tags for capturing data sensitivity 
- ‚úÖ Tag assignment to tables

### üéØ Next Step:

Continue to **`4_Test_ABAC_Policies.ipynb`** to define ABAC policies using governed tags and test them on each dataset in the finance schema

---