BigID integration

Starting from release 1.10, Synthesized TDK is able to enrich its transformation process with insights loaded from a BigID instance. Once you have BigID-enabled distribution, it is only a matter of a few lines of additional configuration to enable this functionality.

BigID support is currently available for TDK CLI only.


Obtain BigID API authentication token

A BigID refresh token is required to enable interaction with a BigID instance. Follow the instructions at the BigID developer portal to obtain one.

Configure BigID sensitivity classification

Since many classifiers in BigID are regex-based and TDK produces synthetic data that is extremely close in shape and format to the original data, the BigID sensitivity classification mechanism can produce false positives, wrongly marking synthetic data as sensitive. To avoid that, TDK output data can be excluded from sensitivity classification by adjusting sensitivity definition to exclude objects with certain tags. The tag name and value being applied can be set in TDK configuration. Consult your BigID user guide for details on how to do adjust sensitivity settings to take the tag into account.

Configure TDK

By default, the TDK configuration is read from a file named bigid.yaml in the current directory. The default location can be overridden with BIGID_CONFIG_FILE environment variable which can contain an absolute or a relative path. Example:

BIGID_CONFIG_FILE=/home/johndoe/configs/custom_bigid_config.yaml tdk --help

The configuration file supports a number of settings which are explained in the table below.

BigID-specific TDK configuration
Setting Meaning Default value


Name of the environment variable to take BigID API auth token from.



Base BigID API URL.All API calls are relative to this URL.



Name of the input BigID data source which is used to retrieve input tables metadata.



Multi-level mapping of sensitivity group → sensitivity level → classifier → transformation params



Name of the output datasource where output tables metadata will reside.



Name of the tag to apply to the output tables.



Value of the tag to apply to the output tables.



Maximum time, in seconds, that the output datasource scan can take.



Whether to use regular expressions from classifiers if transformations parameters are not specified explicitly in the classifier mapping



Imagine there is an instance of configuration saved in a bigid-example.yaml file in the current directory with the following content:

  auth_token_env: MY_BIGID_AUTH_TOKEN
  base_url: https://my-bigid-host/api/v1
  input_data_source: my_input
            type: formatted_string_generator
            pattern: '\w+@\w{5,}\.(com|org|net)'
    data_source: my_output
    tag_name: synthetic
    tag_value: true
    scan_max_time_secs: 30

Invocation of the TDK CLI tool may look like shown below:

MY_BIGID_AUTH_TOKEN=<your refresh token here> \
BIGID_CONFIG_FILE=bigid-example.yaml \
tdk <CLI options>

With the configuration above, TDK will fetch metadata from a BigID instance via the API endpoint https://my-bigid-host/api/v1. For authentication, it will use refresh token stored in an environment variable named MY_BIGID_AUTH_TOKEN.

TDK will look for classifier metadata using my_input data source under the specified BigID instance. Any table having High sensitivity level under Default sensitivity group will be scanned for the presence of Email classifiers. Any column having the Email classifier will be processed with a formatted string generator, with output strings formatted according to the \w+@\w{5,}\.(com|org|net) regex.

Upon the TDK run completion, the data source named my_output will be rescanned for the resulting table to appear. After that, tag synthetic: true will be applied to the output table object.