Skip to content

abcxyz/pmap-template

BranchesTags

Repository files navigation

pmap-template

This is not an official Google product.

This template is for creating an PMAP(privacy data mapping) repository to do privacy data management, see more details here.

How PMAP works

Please refer to the high level flow here.

Prerequisites

The central privacy/compliance eng team need to complete the steps below:

  1. Create an pmap-template repository using this template, only copy main branch is required.

  2. Set up Workload Identity Federation, and a service account with adequate condition and permission, see details here.

  3. Follow steps here to set the repository variables for WORKLOAD_IDENTITY_PROVIDER and SERVICE_ACCOUNT with outputs from step 2 and set the repository variables for GCS_BUCKET with the output from PMAP Terraform modules if you are following the instructions to create the infrastructure needed by PMAP instance.

  4. It is critical to enable the following repo settings:

    • Disable forking
    • Set up CODEOWNERS with the group to approve requests
    • Branch protection on the main (default) branch
      • Require a pull request before merging
        • Require approvals
        • Dismiss stale pull request approvals when new commits are pushed
        • Require review from Code Owners
        • Require approval of the most recent reviewable push
      • Require status checks to pass before merging
      • Require signed commits
      • Disallow force pushes

End User Workflows

Policy/Control Owner

  • Create a policy/control (e.g. a wipeout plan) by opening a PR and add a yaml file under the sub folder where stores all the policies/controls. See example here.

Data Owner

  • Register and annotate resources to associate the resources to its specific policies/controls by opening a PR and add a mapping yaml file under the sub folder where stores all the data mappings. The association of the resource to the corresponding policies/controls is achieved via annotations field. See example here.

    NOTE: The central privacy/compliance eng team has the flexibility to determine how to group mappings, they don’t have to follow the group mappings in the above example(Product at level 1 and Resource at level 2).

Data Governor

  • Approve the registered policy/control and resources by approving the related opening PRs created by policy/control owners and data owners.
  • Query the policy/control and resources stored in BigQuery, see details here.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

12 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •