Skip to content

You are viewing documentation for Immuta version 2024.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Write Policies API Endpoint Reference Guide

The policies resource allows you to manage and apply policies to your data sources. The endpoints and examples provided in this guide are specific to creating global write policies.

Endpoints

Method
Endpoint
Description
POST /dataSource/{dataSourceId}/access Manually grants write access to a user
POST /policy/global Creates a global write access policy
DELETE /policy/global/{policyId} Deletes the specified global write access policy
GET /policy/global/{policyId} Gets the global policy with the given policy ID
PUT /policy/global/{policyId} Updates the specified global policy

POST /dataSource/{dataSourceId}/access

Manually grants write access to a user.

curl -X 'POST' \
    'https://www.organization.immuta.com/dataSource/6/access' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \
    -d '{
    "profileId": 3,
    "state": "subscribed",
    "accessGrant": "WRITE"
    }'

Request parameter

Parameter Description
dataSourceId integer The unique identifier of the data source.

Body parameters

The request accepts a JSON or YAML payload. See the write access manual grant payload description for parameter details.

Response

The response returns the following JSON object. See the payload reference guide for details about the response schema.

{
  "isSubscriptionOverride": true,
  "id": 23,
  "modelId": "6",
  "modelType": "datasource",
  "state": "subscribed",
  "metadata": {},
  "admin": 2,
  "denialReasoning": null,
  "profile": 3,
  "group": null,
  "policy": false,
  "expiration": null,
  "acknowledgeRequired": false,
  "createdAt": "2023-10-11T14:43:00.726Z",
  "updatedAt": "2023-10-11T14:43:00.726Z",
  "accessGrant": "WRITE",
  "approved": true
}

POST /policy/global

Creates a global policy.

The example below grants write access to users with the attribute has.write and applies the global policy to all data sources.

curl -X 'POST' \
    'https://www.organization.immuta.com/policy/global' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \
    -d '{
    "type": "subscription",
    "name": "Allow users with specific entitlements to have write access",
    "actions": [{
      "type": "subscription",
      "subscriptionType": "policy",
      "accessGrant": "WRITE",
      "exceptions": {
        "operator": "and",
        "conditions": [{
          "type": "authorizations",
          "authorization": {
            "auth": "has",
            "value": "write"
          }
      }]
    },
    }],
    "staged": false
    }'

The example below grants users write access when they are individually selected by data owners and applies the policy to data sources with columns tagged Discovered.PII.

curl -X 'POST' \
    'https://www.organization.immuta.com/policy/global' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \
    -d '{
    "type": "subscription",
    "name": "Data owners grant specific users write access",
    "actions": [{
      "type": "subscription",
      "subscriptionType": "manual",
      "accessGrant": "WRITE"
    }],
    "staged": false,
    "circumstances": [{
    "type": "columnTags",
    "columnTag": {
      "name": "Discovered.PII",
      "displayName": "Discovered . PII",
      "hasLeafNodes": false
      }
    }]
    }'

Body parameters

The request accepts a JSON or YAML payload. See the global policy payload description for parameter details.

Response

The response returns the global policy configuration. See the payload reference guide for details about the response schema.

{
  "policyKey": "Manual global write policy",
  "name": "Manual global write policy",
  "type": "subscription",
  "template": true,
  "staged": false,
  "systemGenerated": false,
  "deleted": false,
  "certification": null,
  "actions": [
    {
      "type": "subscription",
      "accessGrant": "WRITE",
      "description": null,
      "allowDiscovery": false,
      "subscriptionType": "manual",
      "shareResponsibility": false,
      "automaticSubscription": false
    }
  ],
  "circumstances": null,
  "metadata": null,
  "clonedFrom": null,
  "createdBy": 2,
  "id": 4,
  "createdAt": "2023-10-10T13:18:37.270Z",
  "updatedAt": "2023-10-10T13:18:37.270Z",
  "createdByName": "Taylor",
  "ownerRestrictions": null
}
{
  "policyKey": "Manual global write policy",
  "name": "Manual global write policy",
  "type": "subscription",
  "template": true,
  "staged": false,
  "systemGenerated": false,
  "deleted": false,
  "certification": null,
  "actions": [
    {
      "type": "subscription",
      "accessGrant": "WRITE",
      "description": null,
      "allowDiscovery": false,
      "subscriptionType": "manual",
      "shareResponsibility": false,
      "automaticSubscription": false
    }
  ],
  "circumstances": [{
    "type": "columnTags",
    "columnTag": {
      "name": "Discovered.PII",
      "displayName": "Discovered . PII",
      "hasLeafNodes": false
      }
    }],
  "metadata": null,
  "clonedFrom": null,
  "createdBy": 2,
  "id": 4,
  "createdAt": "2023-10-10T13:18:37.270Z",
  "updatedAt": "2023-10-10T13:18:37.270Z",
  "createdByName": "Taylor",
  "ownerRestrictions": null
}

DELETE /policy/global/{policyId}

Deletes the specified policy.

curl -X 'DELETE' \
    'https://www.organization.immuta.com/policy/global/4' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f'

Request parameter

Parameter Description
policyId integer The unique identifier of the policy.

Response

The response returns the deleted global policy configuration. See the payload reference guide for details about the response schema.

GET /policy/global/{policyId}

Gets the specified policy.

curl -X 'GET' \
    'https://www.organization.immuta.com/policy/global/4' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f'

Request parameter

Parameter Description
policyId integer The unique identifier of the policy.

Response

The response returns the global policy configuration. See the payload reference guide for details about the response schema.

PUT /policy/global/{policyId}

Updates the specified policy.

curl -X 'PUT' \
    'https://www.organization.immuta.com/policy/global/4' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \
    -d '{
    "type": "subscription",
    "name": "Manual global write policy",
    "template": true,
    "actions": [{
      "type": "subscription",
      "subscriptionType": "manual",
      "description": "This updated policy only applies to data sources tagged Discovered.PHI.",
      "accessGrant": "WRITE"
    }],
    "staged": false,
    "circumstances": [{
      "operator": "or",
      "type": "columnTags",
      "columnTag": {
        "name": "Discovered.PHI",
        "displayName": "Discovered . PHI",
        "hasLeafNodes": false
      }
    }]
    }'

Body parameters

The request accepts a JSON or YAML payload. See the global policy payload description for parameter details.

Response

The response returns the updated global policy configuration. See the payload reference guide for details about the response schema.