# Authoring Policies in Secure

Immuta allows you to define policies at different levels of your data stack.

First are [subscription policies](/2024.2/secure-your-data/authoring-policies-in-secure/section-contents/reference-guides/subscription-policies.md), which are commonly termed table access grants or table-level access. Subscription policies control access to your tables. Immuta calls them subscription policies because they are not always an access grant but could also be the result of a data consumer finding the data, requesting access, and then being subscribed to it via Immuta policy you have in place.

Second are [data policies](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/data-policy-overview.md), which control access more granularly inside a table. For example, Immuta can help you build policies to [redact rows](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/data-policies.md#row-level-security-policies), [mask columns](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/data-policies.md#masking-policies), or even [mask cells](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/masking-matrix-functions.md#cell-level-masking).

<figure><img src="/files/wN7PsQZtdt9ZZz7aaql9" alt=""><figcaption></figcaption></figure>

## Authoring policy at scale

While it is possible to build policies one table at a time using Immuta, there isn't much value in doing so. These are termed local policies in Immuta.

To build policy at scale, you must use [global policies](/2024.2/secure-your-data/authoring-policies-in-secure/policies-explained.md). Global policies allow you to build policies that reference tags rather than physical tables or columns. So instead of building a policy like this `mask column name in table customers`, you can instead build a policy such as `mask columns tagged name anywhere you see the name tag`.

These global policies will then seek out the name tag, wherever found, and apply the policy, no matter the physical location of the tables that contain names. It's important to understand that Immuta supports tag-based global policies for more than just masking. Both subscription and row-level policies can be authored as global policies targeting tags instead of physical tables and columns.

How you get the tags on the tables and columns is outlined in the [Automate data access control decisions](/2024.2/secure-your-data/getting-started-with-secure/compliantly-open-more-sensitive-data-for-ml-and-analytics/open-managing-user-metadata.md) use case.

## Section contents

There are many guides found in this section, but an efficient approach to learning how to author secure policy would be to first read the two Immuta use cases specific to secure:

1. [Automate data access control decisions](/2024.2/secure-your-data/getting-started-with-secure/automate-data-access-control-decisions.md)
2. [Compliantly open more sensitive data for ML and analytics](/2024.2/secure-your-data/getting-started-with-secure/compliantly-open-more-sensitive-data-for-ml-and-analytics.md)

And then to focus on the complex topics around how applying policy at scale is managed in Immuta, specifically

* Overview on how to [author policies at scale](/2024.2/secure-your-data/authoring-policies-in-secure/policies-explained.md)
* Overview of [subscription policies](/2024.2/secure-your-data/authoring-policies-in-secure/section-contents/reference-guides/subscription-policies.md) and [data policies](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/data-policy-overview.md)
* Full [reference guide](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/data-policies.md) for all data policies
* Details on how to [minimize policy downtime](/2024.2/secure-your-data/authoring-policies-in-secure/dbt-transform-workflow.md) if there's a large amount of change due to data engineering in your data platform(s)
* Details on how [subscription policy conflicts](/2024.2/secure-your-data/authoring-policies-in-secure/section-contents/reference-guides/subscription-policies.md#merging-abac-global-subscription-policies) and [data policy conflicts](/2024.2/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/data-policy-conflicts.md) are managed


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/2024.2/secure-your-data/authoring-policies-in-secure.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.