# Author a Purpose-Based Restriction Policy **Requirement and prerequisite**: * `CREATE_DATA_SOURCE` or `GOVERNANCE` Immuta permission * A [purpose has been created](https://documentation.immuta.com/2024.3/secure-your-data/projects-and-purpose-based-access-control/projects-and-purpose-controls/how-to-guides/purposes-tutorial) ## Build the policy 1. Determine your policy scope: * [**Global policy**](https://documentation.immuta.com/2024.3/secure-your-data/authoring-policies-in-secure/policies-explained): Click the **Policies page** icon in the left sidebar and select the **Data Policies** tab. Click **Add Policy** and enter a **name** for your policy. * [**Local policy**](https://documentation.immuta.com/2024.3/secure-your-data/authoring-policies-in-secure/policies-explained): Navigate to a specific data source and click the **Policies** tab. Scroll to the **Data Policies** section and click **Add Policy**. 2. Select **Limit usage to purpose(s)** in the first dropdown menu. 3. In the next field, select a **specific purpose** that you would like to restrict usage of this data source to or **ANY PURPOSE**. You can add more than one condition by selecting **+ Add Another Condition**. The dropdown menu in the policy builder contains conjunctions for your policy. If you select **or**, only one of your conditions must apply to a user for them to see the data. If you select **and**, all of the conditions must apply. 4. Select **for everyone** or **for everyone except**. If you select for everyone except, you must select conditions that will drive the policy such as group, purpose, or attribute. 5. Opt to complete the **Enter Rationale for Policy (Optional)** field, and then click **Add**. 6. For global policies: Click the dropdown menu beneath **Where should this policy be applied**, and select **On all data sources**, **On data sources**, or **When selected by data owners**. If you select **On data sources**, finish the condition in one of the following ways: * **tagged**: Select this option and then search for **tags** in the subsequent dropdown menu. * **with columns tagged**: Select this option and then search for **tags** in the subsequent dropdown menu. * **with column names spelled like**: Select this option, and then enter a **regex** and choose a **modifier** in the subsequent fields. * **in server**: Select this option and then choose a **server** from the subsequent dropdown menu to apply the policy to data sources that share this connection string. * **created between**: Select this option and then choose a **start date** and an **end date** in the subsequent dropdown menus. 7. Click **Create Policy**. If creating a global policy, you then need to click **Activate Policy** or **Stage Policy**. ## Related guides ### How-to guides * [Create a project](https://documentation.immuta.com/2024.3/secure-your-data/projects-and-purpose-based-access-control/projects-and-purpose-controls/how-to-guides/create-project-tutorial): To restrict access to data and associate your data source with a purpose, create a project and add the purpose and relevant data sources to the project. * [Manage project purposes](https://documentation.immuta.com/2024.3/secure-your-data/projects-and-purpose-based-access-control/projects-and-purpose-controls/how-to-guides/project-management/manage-projects) ### Reference guides * [Projects and purposes](https://documentation.immuta.com/2024.3/secure-your-data/projects-and-purpose-based-access-control/projects-and-purpose-controls/reference-guides/projects) * [Purpose-based policy restrictions](https://documentation.immuta.com/2024.3/secure-your-data/authoring-policies-in-secure/reference-guides/data-policies#limit-to-purpose-policies) ### Conceptual guide [Why use projects?](https://documentation.immuta.com/2024.3/secure-your-data/projects-and-purpose-based-access-control/projects-and-purpose-controls/purposes-explained)