Global Policy Builder Tutorial
Audience: Governors
Content Summary: This page outlines step-by-step instructions for creating and staging Global Subscription Policies and Global Data Policies, which are built by Data Governors and apply to all data sources across an organization.
For instructions on writing Local Subscription Policies and Local Data Policies, see the Data Owner Guide. For information on how to create custom policy handlers, see the Advanced Guide.
Subscription Policies
Governors control how subscribers gain access to a data source through Subscription Policies.
These policies comprise four levels of restriction:
- Anyone: Users are automatically granted access.
- Anyone Who Asks (and is Approved): Users must request access and then be approved. This restriction supports multiple approving parties, meaning that Data Owners can allow more than one approver or users with specified permission types to approve other users who subscribe to the data source.
- Users with Specific Groups/Attributes: Only users with the groups/attributes Data Owners specify will be able to see and access the data source.
- Individual Users You Select: Only users Data Owners manually select will be able to see and access the data source.
To manage Subscription Policies,
- Click the Policies icon in the left sidebar and navigate to the Subscription Policies tab.
- Click Add Policy, complete the Enter Name field, and then select the level of access restriction you would like to apply to your data source.
If you select Allow anyone,
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
If you select Allow anyone who asks (and is approved),
- Click anyone or an individual selected by user from the first dropdown menu in the Subscription Policy Builder.
Note: If you choose an individual selected by user, when users request access to a data source they will be prompted to identify an approver with the permission specified in the policy and how they plan to use the data.
- Select the Owner (of the data source), User_Admin, Governance, or Audit permission from the subsequent dropdown menu.
Note: You can add more than one approving party by selecting + Add and repeating steps a and b.
- From the Where should this policy be applied dropdown menu, select When selected by data owners, On all data sources, or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
If you select Allow users with specific groups/attributes,
- Choose the condition that will drive the policy: when user is a member of a group or possesses attribute.
- Use the subsequent dropdown to choose the group or attribute key / value pair for your condition.
- If you would like to make your data source visible in the list of all data sources in the UI to all users, click the Allow Discovery checkbox. Otherwise, this data source will not be discoverable by users who do not meet the criteria established in the policy.
Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Subscription Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
- Select When selected by data owners or On data sources from the Where should this policy be applied? dropdown menu.
Alternatively, you can use the Advanced Rules DSL to create more complex policies than the Subscription Policy Builder allows. To begin,
- Click Advanced Rules DSL in the top right corner of the policy builder.
- Complete the Enter Rules field with the available functions and variables: @iam, @isInGroups, and @hasAttribute. When you place your cursor in this field, a tooltip appears with the functions and values you can use to build your policy.
- Select When selected by data owners or On data sources from the Where should this policy be applied? dropdown menu. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
If you select Allow individually selected users,
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Create or Stage to finish your policy.
Data Policies
Inclusionary Policies
For all policies except purpose-based restriction policies, inclusionary logic allows Governors to vary policy actions with an Otherwise clause.
For example, Governors could mask values using hashing for users acting under a specified purpose while masking those same values by making null for everyone else who accesses the data.
This variation can be created by selecting for everyone who when available from the condition dropdown menus and then completing the Otherwise clause in the bottom half of the Policy Builder. Each section below outlines this process in detail.
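The inclusionary logic described above, as an added example that is not Immuta's code or API: a masking rule that hashes a column for users who match the conditions and nulls it for everyone else, with the and/or conjunction the Policy Builder offers. The policy dictionary layout, function names, salt and sample users are all assumptions made for illustration.

```python
import hashlib

SALT = b"constructed-salt"  # constructed value for this example


def mask_hash(value):
    """'using hashing': the same input always yields the same token."""
    return hashlib.sha256(SALT + str(value).encode("utf-8")).hexdigest()


def mask_null(value):
    """'by making null': the value is dropped entirely."""
    return None


def condition_holds(user, condition):
    """Evaluate one (kind, value) condition against a user record."""
    kind, value = condition
    if kind == "group":
        return value in user.get("groups", ())
    if kind == "purpose":
        return user.get("purpose") == value
    if kind == "attribute":
        key, wanted = value
        return wanted in user.get("attributes", {}).get(key, ())
    raise ValueError(f"unknown condition kind: {kind!r}")


def user_matches(user, conditions, conjunction):
    """'and' needs every condition to hold; 'or' needs at least one."""
    if conjunction not in ("and", "or"):
        raise ValueError(f"unknown conjunction: {conjunction!r}")
    if not conditions:
        return False  # this example's choice: an empty clause matches nobody
    results = [condition_holds(user, c) for c in conditions]
    return all(results) if conjunction == "and" else any(results)


def apply_policy(row, user, policy):
    """Return a masked copy of row; columns outside the policy pass through."""
    if user_matches(user, policy["conditions"], policy["conjunction"]):
        mask = policy["action"]
    else:
        mask = policy["otherwise"]  # the Otherwise clause
    return {c: (mask(v) if c in policy["columns"] else v) for c, v in row.items()}


# Constructed policy: hash for matching users, null for everyone else.
POLICY = {
    "columns": {"ssn"},
    "conditions": [("purpose", "Fraud Investigation"), ("group", "analysts")],
    "conjunction": "and",
    "action": mask_hash,
    "otherwise": mask_null,
}
ROW = {"id": 7, "ssn": "000-12-3456"}  # constructed sample row
ANALYST = {"groups": ["analysts"], "purpose": "Fraud Investigation"}
INTERN = {"groups": ["analysts"], "purpose": None}

if __name__ == "__main__":
    print(apply_policy(ROW, ANALYST, POLICY))  # ssn hashed
    print(apply_policy(ROW, INTERN, POLICY))   # ssn nulled by the Otherwise clause
    print(apply_policy(ROW, INTERN, {**POLICY, "conjunction": "or"}))  # ssn hashed
```

Switching the conjunction from and to or widens who receives the hashed value, which is worth checking before a policy is activated rather than staged.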
Masking
To mask columns that contain sensitive data (e.g. credit card or social security numbers), Governors can create a masking policy:
- Navigate to the Data Policies tab on the Policies page.
- Click Add Policy, enter a name for your policy, and then select Mask from the first dropdown menu.
- Select columns tagged, columns with any tag, columns with no tags, all columns, or columns with names spelled like and select the relevant tag(s) in the subsequent dropdown menu (when applicable).
- Select a custom masking type from the next dropdown menu: using hashing, with reversibility, by making null, using a constant, using a regex, by rounding, with format preserving masking, or with K-Anonymization.
If you select using a constant as your masking type, enter a constant in the field that appears next to the masking type dropdown.
If you choose by rounding as your masking type,
- Select using fingerprint or specifying the bucket from the subsequent dropdown menu.
- If specifying the bucket, select the Bucket Type and then enter the bucket size.
If you choose using a regex as your masking type,
- Enter a regular expression and replacement value in the fields that appear next to the masking type dropdown.
- From the next dropdown, choose to make the regex Case Insensitive and/or Global.
Note: If you choose by rounding as your masking type, the statistics of the data fingerprint will autogenerate the bucket size when the policy is applied to a data source.
If you choose with K-Anonymization as your masking type, select either using fingerprint or requiring group size of at least and enter a group size in the subsequent dropdown menu.
- Use the next dropdown to continue the condition: everyone, everyone except, or everyone who.
- Use the subsequent dropdown to choose the group, purpose, or attribute key / value pair for your condition.
Notes:
- If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Click Create or Stage to finish your policy.
Row Redaction
For query-backed data sources, Governors can restrict which rows in the data source tables are visible to which users. This redaction is done by matching values in a specific column against a user's groups, attributes, or purposes.
For similar policy mechanics in object-backed data sources, see Object-level Security.
Note: A data source cannot have more than one row redaction policy applied.
Row Redaction Policy Builder Example
To create a row redaction policy,
- Navigate to the Data Policies tab on the Policies page.
- Click Add Policy, enter a name for your policy, and then select the Only show rows action from the first dropdown.
- Choose where user, where the value in column tagged, or where from the next dropdown.
If you choose where user,
- Choose the condition that will drive the policy from the next dropdown: is a member of a group or possesses an attribute.
- Use the next field to choose the attribute, group, or purpose that you will match values against.
- Use the next dropdown menu to choose the tag that will drive this policy.
Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
If you choose where the value in the column tagged,
- Select the tag from the next dropdown menu.
- From the subsequent dropdown, choose is or is not in the list, and then enter a list of comma-separated values.
If you choose where,
- Enter a valid SQL WHERE clause in the subsequent field. When you place your cursor in this field, a tooltip should appear that details valid input and the column names of your data source.
- Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
- Use the subsequent dropdown to choose the group, purpose, or attribute key / value pair for your condition.
Note: If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Click Create or Stage to finish your policy.
Minimization
Minimization policies hide a specified percentage of query results from a user, based on a column with high cardinality (e.g. an employee ID number or other unique identifier).
Minimization Policy Builder Example
To create a minimization policy,
- Navigate to the Data Policies tab on the Policies page.
- Click Add Policy, enter a name for the policy, and then select the Minimize data source from the first dropdown.
- Complete the enter percentage field to limit the data source.
- Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
- Use the next field to choose the attribute, group, or purpose that you will match values against.
Notes:
- If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Click Create or Stage to finish your policy.
Time-based Restrictions
If a data source has time-based restriction policies, queries run against the data source by a user will only return rows/blobs with a date in its event-time column/attribute from within a certain range.
This type of policy can be used for both object-backed and query-backed data sources.
Time-based Restrictions Policy Builder Example
To create a time-based restrictions policy,
- Navigate to the Data Policies tab on the Policies page.
- Click Add Policy, enter a name for the policy, and select Only show data by time from the first dropdown.
- Select where data is more recent than or older than from the next dropdown, and then enter the number of minutes, hours, days, or years that you would like to restrict the data source to. Note that unlike many other policies, there is no field to select a column to drive the policy. This type of policy will be driven by the data source's event-time column, which is selected at data source creation.
- Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
- Use the next field to choose the attribute, group, or purpose that you will match values against.
Notes:
- If you choose for everyone who as a condition, you will need to complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Click Create or Stage to finish your policy.
Purpose-based Restrictions
Governors in Immuta can restrict usage of any data source to one or more purposes. If a user wishes to run SQL queries against a purpose-restricted data source, they must use the SQL credentials provided by a project containing that purpose.
Purpose-based Restrictions Policy Builder Example
To create a purpose-based restriction policy,
- Navigate to the Data Policies tab on the Policies page.
- Click Add Policy, enter a name for the policy, and then select Limit usage to purpose(s) in the first dropdown menu.
- In the next field, select ANY PURPOSE or the specific purpose that you would like to restrict usage of this data source to.
Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
- From the next dropdown, select for everyone or for everyone except. If you select for everyone except, you must select conditions that will drive the policy.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Click Create or Stage to finish your policy.
Differential Privacy
Data sources with Differential Privacy policies will only return results for a certain type of SQL query: aggregates, such as the COUNT and SUM functions. Users must avoid aggregate queries that are too specific; Immuta will only return differentially private results for broad aggregate queries.
Note: Differential Privacy is only available for data sources with a configured High Cardinality Column. For guidance on choosing a High Cardinality Column, see the Query-backed Data Source Tutorial.
Differential Privacy Policy Builder Example
To create a differential privacy policy,
- Navigate to the Data Policies tab on the Policies page.
- Click Add Policy, enter a name for the policy, and then select Make differentially private in the first dropdown menu.
- Select the noise level you would like to apply to your data: small, medium, or large; these values correspond to epsilon-differential privacy, where epsilon (privacy loss) has values of 3, 2.1, and 1.4, respectively.
- Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
- Use the next field to choose the attribute, group, or purpose that you will match values against.
Notes:
- If you choose for everyone who as a condition, you will need to complete the Otherwise clause by following steps 5 through 7 again before continuing to step 8.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
- Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.
- Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
- tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
- with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
- in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
- created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
- Click Create or Stage to finish your policy.
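To show what the small, medium and large noise levels in the steps above mean in practice, here is an added example (not Immuta's code) that applies the textbook Laplace mechanism to a COUNT query using the epsilon values 3, 2.1 and 1.4. The page does not say which mechanism Immuta uses; the Laplace mechanism, the sensitivity of 1, and all function names are assumptions.

```python
import random

# Noise levels and epsilon values as listed in the policy builder step.
EPSILON = {"small": 3.0, "medium": 2.1, "large": 1.4}


def laplace_scale(level, sensitivity=1.0):
    """Laplace scale b = sensitivity / epsilon (assumed sensitivity 1 for COUNT)."""
    return sensitivity / EPSILON[level]


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(true_count, level, rng):
    """Return the true count plus noise drawn for the chosen level."""
    return true_count + laplace_noise(laplace_scale(level), rng)


def mean_abs_error(level, true_count=1000, trials=20000, seed=7):
    """Empirical average |noisy - true| over many simulated queries."""
    rng = random.Random(seed)
    total = sum(
        abs(private_count(true_count, level, rng) - true_count)
        for _ in range(trials)
    )
    return total / trials


def relative_noise(true_count, level):
    """Expected absolute error as a fraction of the true count."""
    return laplace_scale(level) / true_count


if __name__ == "__main__":
    for level in EPSILON:
        print(
            f"{level:>6}: epsilon={EPSILON[level]}, "
            f"mean abs error={mean_abs_error(level):.3f}, "
            f"relative noise on a count of 5: {relative_noise(5, level):.1%}, "
            f"on a count of 5000: {relative_noise(5000, level):.3%}"
        )
```

A smaller epsilon gives a larger noise scale, and because that scale does not depend on the size of the result, the same noise is a much larger fraction of a narrow aggregate than of a broad one.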
Activating and Staging Existing Global Policies
To activate an existing Staged Global Policy,
- Click the Policies icon in the left sidebar and navigate to the Data Policies or Subscription Policies tab.
- Click the dropdown menu in the Action column of the policy you would like to activate and select Activate.
The policy is now enforced on relevant data sources.
To stage an active Global Policy,
- Click the dropdown menu in the Action column of the policy you would like to stage and select Stage.
- Click Confirm in the dialog that appears.
The policy is now removed from data sources.