# Create Policies API Examples

## Subscription Policies

### Anyone Can Subscribe

```yaml
name: Anyone
policyKey: subscription anyone
type: subscription
actions:
  type: anyone
  automaticSubscription: false
  description: Rationale
circumstances:
- type: tags
  tag: Discovered
```

### Anyone Can Subscribe When Approved

```yaml
name: Approval
policyKey: subscription approval
type: subscription
actions:
  type: approval
  approvals:
  - specificApproverRequired: false
    requiredPermission: OWNER
  - specificApproverRequired: true
    requiredPermission: GOVERNANCE
  description: Rationale
circumstances:
- type: columnTags
  columnTag: Discovered
```

### Users with Specific Groups or Attributes

```yaml
name: Entitlement
policyKey: subscription entitlements
type: subscription
actions:
  type: entitlements
  entitlements:
    operator: any
    groups:
    - Employee
    attributes:
    - name: auth1
      value: SOMETHING_ELSE
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false
```

### Users with Specific Groups or Attributes (Advanced)

```yaml
name: Advanced Entitlement
policyKey: subscription entitlements advanced boolean
type: subscription
actions:
  type: entitlements
  advanced: "@isInGroups('Engineers', 'Founders') AND @hasAttribute('Auth1', 'Super Secret')"
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false
```

### Individual Users You Select

```yaml
name: Manual
policyKey: subscription manual
type: subscription
actions:
  type: manual
  description: Rationale
```

## Data Policies

### Data Owner Restrictions

```yaml
name: Owner Restricted Policy
policyKey: data owner restriction
type: data
ownerRestrictions:
  users:
  - iamid: bim
    username: user@example.com
  groups:
  - engineers
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.PII
```

### Masking Policies

#### Conditional Masking

```yaml
name: Conditional Masking
policyKey: data conditional masking
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
      maskingConfig:
        type: Hash
circumstanceOperator: all
circumstances:
- type: columnTags
  columnTag: Discovered.PII
- type: columnTags
  columnTag: Discovered.Country
```

#### Conditional Masking (Using Otherwise Clause)

```yaml
name: Conditional
policyKey: data mask otherwise
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: "Null"
    inclusions:
      groups:
      - Employee
  - type: Masking
    exceptions:
      purposes:
      - Re-identification Prohibited
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.Country
```

#### With a Constant

```yaml
name: Mask with Constant
policyKey: data mask constant
type: data
actions:
- rules:
  - type: Masking
    exceptions:
      operator: any
      attributes:
      - name: auth
        value: SOMETHING_ELSE
      - name: auth1
        value: super secret
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Constant
        constant: REDACTED
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.Country
- type: columnTags
  columnTag: Discovered.PII
```

#### Format Preserving Masking

```yaml
name: Format Preserving Masking
policyKey: data mask fpe
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered
      maskingConfig:
        type: Format Preserving Masking
circumstances:
- type: columnTags
  columnTag: Discovered
```

#### With Hashing (No Tags)

```yaml
name: Hashing
policyKey: data mask hashing
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: noTags
      maskingConfig:
        type: Hash
circumstances:
- type: noTags
```

#### K-Anonymization (Using Fingerprint)

**Sample data is processed during computation of k-anonymization policies**

When a k-anonymization policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that generates rules enforcing k-anonymity. The results of this query, which may contain data that is subject to regulatory constraints such as GDPR or HIPAA, are stored in Immuta's metadata database.

The location of the metadata database depends on your deployment:

* Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.
* SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

To ensure this process does not violate your organization's data localization regulations, you need to first activate this masking policy type before you can use it in your Immuta tenant. To enable k-anonymization for your account, see the [k-anonymization section on the app settings how-to guide](https://documentation.immuta.com/2024.2/application-settings/how-to-guides/config-builder-guide#k-anonymization).

```yaml
name: K-Anonymization Using Fingerprint on any tags
policyKey: masking kanon using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
circumstances:
- type: anyTag
```

#### K-Anonymization (by Specifying K)

The note above about sample data being processed during computation of k-anonymization policies, and about enabling this masking type first, applies here as well.

```yaml
name: K-Anonymization using kLevel
policyKey: data mask kanon specifying k
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        kLevel: 5
circumstances:
- type: anyTag
```

#### K-Anonymization (by Specifying Re-identification Probability)

The note above about sample data being processed during computation of k-anonymization policies, and about enabling this masking type first, applies here as well.

```yaml
name: K-Anonymization using reIdProbability
policyKey: data mask kanon specifying re-id
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        reIdProbability: 15
circumstances:
- type: anyTag
```

#### Make Null Using Column Regex

```yaml
name: Null using column regex
policyKey: data mask null
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnRegex
        regex: ssn
        caseInsensitive: true
      maskingConfig:
        type: "Null"
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: true
```

#### Randomized Response

```yaml
name: Random Categorical
policyKey: data mask random response
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        replacementRatePercent: 10
```

#### Randomized Response (by Specifying Standard Deviation)

```yaml
name: Random Numeric
policyKey: data mask random response specifying stddev
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        stddev: 2
        clip: false
```

#### Using a Regex

```yaml
name: Regex
policyKey: data mask regex
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Postal Code
      maskingConfig:
        type: Regular Expression
        regex: "(\\d{4})(\\d)"
        replacement: "$1X"
        caseInsensitive: true
        global: true
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Postal Code
```
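The regex masking rule above keeps the first four digits of a postal code in the clear and replaces the fifth with `X`; whether the `global` flag is set decides if every five-digit run in the value is rewritten or only the first. The following added example (not part of the original page and not Immuta's masking engine) simulates that rule locally so you can check what survives masking before deploying the policy. It assumes Immuta's `$1`-style group references and the `caseInsensitive` and `global` keys behave as the YAML suggests; the sample values are constructed.

```python
import re

# Constructed sample masking config, mirroring the keys used in the
# "Using a Regex" policy above. This is a local simulation, not Immuta's engine.
MASKING_CONFIG = {
    "type": "Regular Expression",
    "regex": "(\\d{4})(\\d)",
    "replacement": "$1X",
    "caseInsensitive": True,
    "global": True,
}


def _to_python_replacement(replacement):
    """Translate $1-style group references (assumed Immuta syntax) to Python's \\g<1> form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)


def apply_regex_mask(value, cfg):
    """Apply one regex masking config to a single string value."""
    flags = re.IGNORECASE if cfg.get("caseInsensitive") else 0
    pattern = re.compile(cfg["regex"], flags)
    count = 0 if cfg.get("global") else 1  # 0 means replace every match
    return pattern.sub(_to_python_replacement(cfg["replacement"]), value, count=count)


def simulate(cfg, values):
    """Return {original: masked} for a list of values, for review before rollout."""
    return {v: apply_regex_mask(v, cfg) for v in values}


if __name__ == "__main__":
    # Constructed sample postal-code-like values.
    samples = ["12345", "90210-1234", "1234567890", "N/A"]
    for original, masked in simulate(MASKING_CONFIG, samples).items():
        print(f"{original!r:>14} -> {masked!r}")
```

Running the simulation shows that `1234567890` becomes `1234X6789X` with `global: true` but `1234X67890` with `global: false`, and that a value with fewer than five consecutive digits passes through unchanged. That is the kind of residual exposure worth confirming against real column samples before the policy is enforced.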

#### With Reversibility

```yaml
name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Social Security Number
      maskingConfig:
        type: Reversible
    exceptions:
      groups:
      - founders
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Social Security Number
```

#### Using Rounding (Date)

```yaml
name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        timePrecision: MONTH
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date
```

#### Using Rounding (Using Fingerprint)

```yaml
name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date
```

#### Using Rounding (Numeric)

```yaml
name: RoundingNumeric
policyKey: data mask round numeric
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        bucketSize: 10
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date
```

### Minimize Data Created Between Two Dates

```yaml
name: Minimize
policyKey: data minimize
type: data
actions:
- rules:
  - type: Minimization
    config:
      percent: 15
circumstances:
- type: time
  startDate: '2020-12-01T16:23:54.734Z'
  endDate: '2020-12-31T16:23:54.745Z'
```

### Purpose Restrictions

### Any Purpose

```yaml
name: Purpose
policyKey: data purpose restriction
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
      operator: any
      purposes:
      - "<ANY PURPOSE>"
```

### Purpose in Server

```yaml
name: Purpose in a specific server
policyKey: data server circumstance
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
      purposes:
      - Re-identification Prohibited
circumstances:
- type: server
  server: your@server.example.com:5432/tpc
```

### Row-level Policy

#### By Time

```yaml
name: Row Level By Time
policyKey: data row-level
type: data
actions:
- rules:
  - type: Time Restriction
    config:
      isOlderOrNewer: newer
      time: 2592000
circumstances:
- type: tags
  tag: Discovered.PCI
```

#### Where User

```yaml
name: Row Level Where User
policyKey: data where user
type: data
actions:
- rules:
  - type: Row Restriction By User Entitlements
    config:
      operator: all
      matches:
        type: group
        tag: Discovered.Entity
circumstanceOperator: ANY
circumstances:
- type: columnTags
  columnTag: Discovered.Entity
```

#### Custom Where Clause

```yaml
name: Row Level Where
policyKey: data custom where
type: data
actions:
- rules:
  - type: Row Restriction by Custom Where Clause
    config:
      predicate: "@columnTagged('Discovered.Country')  in ('USA', 'CANADA', 'MEXICO')"
circumstances:
- type: tags
  tag: Discovered.Country
```

### Multiple Policies

```yaml
name: Multiple
policyKey: data multiple
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Hash
  description: 'PII Rule'
- rules:
  - type: Minimization
    config:
      percent: 25
  description: 'PII Rule, also'
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PHI
      maskingConfig:
        type: "Null"
  description: 'PHI Rule'
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.PII
- type: columnTags
  columnTag: Discovered.PHI
```
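The policies on this page share a small set of shapes: a `subscription` policy with an `actions` mapping (optionally an `advanced` expression), or a `data` policy whose `actions` list holds `rules` with a `config`, a `maskingConfig`, and optional `exceptions`/`inclusions`, plus top-level `circumstances`. Typos in these documents (an unbalanced quote in an `advanced` expression, a regex that does not compile, an `exceptions:` key left empty, a field tag that never appears in `circumstances`, a `kLevel` too small to anonymize anything) are cheaper to catch before the document is submitted to the API than after it is enforced. The following added example (not part of the original page and not Immuta's own validation) is a pre-submission linter over a policy that has already been loaded into a Python dict, for instance with PyYAML's `yaml.safe_load` (not imported here, so the example runs without extra dependencies). The checks are this example's own conventions drawn from the patterns the page's YAML consistently follows, and the sample policies with deliberate defects are constructed.

```python
import re

# Constructed sample: a data policy as it would look after yaml.safe_load,
# with four deliberate defects so that each check below fires once.
SAMPLE_DATA_POLICY = {
    "name": "Regex",
    "policyKey": "data mask regex",
    "type": "data",
    "actions": [
        {"rules": [
            {"type": "Masking",
             "exceptions": None,  # empty 'exceptions:' key left behind
             "config": {
                 "fields": [{"type": "columnTags", "columnTag": "Discovered.Entity.Postal Code"}],
                 "maskingConfig": {"type": "Regular Expression",
                                   "regex": "(\\d{4}(\\d)",  # unbalanced parenthesis
                                   "replacement": "$1X"}}},
            {"type": "Masking",
             "config": {"fields": [{"type": "columnTags", "columnTag": "Discovered.PII"}],
                        "maskingConfig": {"type": "K-Anonymization", "kLevel": 1}}},
        ]}
    ],
    "circumstances": [{"type": "columnTags", "columnTag": "Discovered.Entity.Postal Code"}],
}

# Constructed sample subscription policy whose advanced expression has a stray quote.
SAMPLE_SUBSCRIPTION_POLICY = {
    "name": "Advanced Entitlement",
    "policyKey": "subscription entitlements advanced boolean",
    "type": "subscription",
    "actions": {"type": "entitlements",
                "advanced": "@isInGroups('Engineers', 'Founders'') AND @hasAttribute('Auth1', 'Super Secret')"},
}


def _balanced(expr):
    """True if single quotes are paired and parentheses balance outside quoted text."""
    depth, in_str = 0, False
    for ch in expr:
        if ch == "'":
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    return False
    return depth == 0 and not in_str


def _tags(entries):
    """Set of columnTag values in a list of field/circumstance entries."""
    return {e.get("columnTag") for e in (entries or []) if e.get("type") == "columnTags"}


def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means the policy passed."""
    findings = []
    for key in ("name", "policyKey"):
        if not policy.get(key):
            findings.append(f"missing required key {key!r}")
    kind = policy.get("type")
    if kind not in ("subscription", "data"):
        findings.append("type must be 'subscription' or 'data'")
    actions = policy.get("actions")
    if kind == "subscription":
        advanced = actions.get("advanced") if isinstance(actions, dict) else None
        if advanced and not _balanced(advanced):
            findings.append("advanced expression has unbalanced quotes or parentheses")
        return findings
    circumstance_tags = _tags(policy.get("circumstances"))
    for a_idx, action in enumerate(actions or []):
        for r_idx, rule in enumerate(action.get("rules", [])):
            where = f"actions[{a_idx}].rules[{r_idx}]"
            for key in ("exceptions", "inclusions"):
                if key in rule and not rule[key]:
                    findings.append(f"{where}: empty {key!r} key (remove it or give it a value)")
            cfg = rule.get("config") or {}
            mask = cfg.get("maskingConfig") or {}
            if mask.get("type") == "Regular Expression":
                try:
                    re.compile(mask.get("regex", ""))
                except re.error as exc:
                    findings.append(f"{where}: regex does not compile ({exc})")
            if mask.get("type") == "K-Anonymization" and mask.get("kLevel", 2) < 2:
                findings.append(f"{where}: kLevel {mask['kLevel']} gives no anonymity (k must be >= 2)")
            # Convention seen throughout the page: every tag a rule masks is also a circumstance.
            for tag in sorted(_tags(cfg.get("fields")) - circumstance_tags):
                findings.append(f"{where}: field tag {tag!r} not listed in circumstances")
    return findings


if __name__ == "__main__":
    for policy in (SAMPLE_DATA_POLICY, SAMPLE_SUBSCRIPTION_POLICY):
        print(policy["name"], "->", lint_policy(policy) or "OK")
```

Wire `lint_policy` into the same place you keep the policy YAML under version control (a pre-commit hook or CI step that loads each file and fails on a non-empty findings list), so a malformed document is rejected before it reaches the API.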
