Writing Global Policies for Compliance
When used with sensitive data discovery and Discovered tags, global policies are enforced on data sources as they are created.
For example, if an organization's compliance requirements state that access to personal information is restricted to users within the corresponding country or geographic region, they could write a global policy in Immuta that enforces that requirement before users have begun connecting data:
Only show rows where user possesses an attribute in OfficeLocation that matches the value in the column tagged Discovered.Country for everyone.
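To make the row filter above concrete, here is an added illustration (not Immuta's own enforcement code) of what such a policy does at query time: it locates the column carrying the Discovered.Country tag in whichever table is queried, and keeps only rows whose value appears in the user's OfficeLocation attribute. The tables, tags and users are constructed for the example; a table with no tagged column is left unfiltered, and a user without the attribute sees no rows.

```python
import sqlite3

# Constructed sample data: two tables and the tags sensitive data discovery
# would attach to their columns. Only "customers.country" is tagged.
TABLES = {
    "customers": (["id", "email", "country"],
                  [(1, "alice@example.com", "US"),
                   (2, "bruno@example.com", "BR"),
                   (3, "chloe@example.com", "FR"),
                   (4, "dana@example.com", None)]),   # NULL never matches
    "products": (["sku", "name"], [(10, "widget"), (11, "gadget")]),
}
COLUMN_TAGS = {("customers", "country"): "Discovered.Country"}
# Constructed user attribute store (the OfficeLocation attribute in the policy).
USER_ATTRIBUTES = {
    "analyst_us": {"OfficeLocation": ["US"]},
    "analyst_latam": {"OfficeLocation": ["BR", "MX"]},
    "contractor": {},
}


def _load(conn):
    """Create and populate the sample tables in an in-memory database."""
    for name, (cols, rows) in TABLES.items():
        conn.execute(f"CREATE TABLE {name} ({', '.join(cols)})")
        marks = ",".join("?" * len(cols))
        conn.executemany(f"INSERT INTO {name} VALUES ({marks})", rows)


def visible_rows(user, table):
    """Return the rows of `table` that the policy lets `user` see."""
    tagged = [c for (t, c), tag in COLUMN_TAGS.items()
              if t == table and tag == "Discovered.Country"]
    conn = sqlite3.connect(":memory:")
    _load(conn)
    if not tagged:
        # No column carries the tag, so the global policy does not apply.
        rows = conn.execute(f"SELECT * FROM {table}").fetchall()
    else:
        locs = USER_ATTRIBUTES.get(user, {}).get("OfficeLocation", [])
        if not locs:
            rows = []   # user lacks the attribute: nothing can match
        else:
            marks = ",".join("?" * len(locs))
            sql = f"SELECT * FROM {table} WHERE {tagged[0]} IN ({marks})"
            rows = conn.execute(sql, locs).fetchall()
    conn.close()
    return rows
```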
Best practices for writing global policies
The best practices outlined below will also appear in callouts within relevant tutorials.
- Use schema monitoring to assess changes to data sources.
- Activate the new column added templated global policy to protect potentially sensitive data before data owners can review new columns that have been added.
- Write global policies using Discovered tags and attributes before connecting data.
- Use global policies instead of local policies to manage data access.
- In most cases, the goal is to share as much data as possible while still being compliant with privacy regulations. Immuta recommends a scale of wide subscription policies and specific data policies to give as much access as possible.
- Use the minimum amount of policies possible to achieve the data privacy needed.
This section includes conceptual, reference, and how-to guides for creating policies. Some of these guides are provided below. See the left navigation for a complete list of resources.
- Data policies
- Subscription policies
- Custom WHERE clause functions
- External masking interface (deprecated)
- Write a global subscription policy
- Write a global masking policy
- Write a row redaction policy
- Write a purpose-based restriction policy
- Clone, activate, or stage a global policy
Advanced how-to guides: