# Author an ABAC Subscription Policy This guide demonstrates how to build [attribute-based access control (ABAC)](https://www.immuta.com/blog/attribute-based-access-control/) subscription policies using the policy builder in the Immuta UI. To build more complex policies than the builder allows, follow the [Advanced rules DSL](/2024.3/secure-your-data/authoring-policies-in-secure/section-contents/how-to-guides/advanced-dsl-policies.md) policy guide. 1. Determine your policy scope: * [**Global policy**](/2024.3/secure-your-data/authoring-policies-in-secure/policies-explained.md): Click the **Policies page** icon in the left sidebar and select the **Subscription Policies** tab. Click **Add Subscription Policy** and complete the **Enter Name** field. * [**Local policy**](/2024.3/secure-your-data/authoring-policies-in-secure/policies-explained.md): Navigate to a specific data source and click the **Policies** tab. Click **Add Subscription Policy** and select **New Local Subscription Policy**. 2. Select **Allow users with specific groups/attributes**. 3. Choose the condition that will drive the policy: when user **is a member of a group** or **possesses attribute**. 4. Use the subsequent dropdown to choose the group or attribute for your condition. You can add more than one condition by selecting **+ Add Another Condition**. The dropdown menu in the subscription policy builder contains conjunctions for your policy. If you select **or**, only one of your conditions must apply to a user for them to see the data. If you select **and**, all of the conditions must apply. 5. Check the **Require Manual Subscription** checkbox to turn off automatic subscription. Enabling this feature will require users to manually subscribe to the data source if they meet the policy. 6. If you would like to make your data source visible in the list of all data sources in the UI to all users, click the **Allow Data Source Discovery** checkbox. Otherwise, this data source will not be discoverable by users who do not meet the criteria established in the policy. 7. If you would like users to have the ability to request approval to the data source, even if they do not have the required attributes or traits, check the **Request Approval to Access** checkbox. This will require an approver with permissions to be set. 8. For global policies: Select how you want Immuta to merge multiple global subscription policies that apply to a single data source. * **Always Required**: Users must meet all the conditions outlined in each policy to get access (i.e., the conditions of the policies are combined with `AND`). * **Share Responsibility**: Users need to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with `OR`). *Note: To make this option selected by default, see* [*the app settings page*](/2024.3/application-settings/how-to-guides/config-builder-guide.md#default-subscription-merge-options)*.* 9. For global policies: Click the dropdown menu beneath **Where should this policy be applied** and select **When selected by data owners**, **On all data sources**, or **On data sources**. If you selected **On data sources**, finish the condition in one of the following ways: * **tagged**: Select this option and then search for **tags** in the subsequent dropdown menu. * **with columns tagged**: Select this option and then search for **tags** in the subsequent dropdown menu. * **with column names spelled like**: Select this option, and then enter a **regex** and choose a **modifier** in the subsequent fields. * **in server**: Select this option and then choose a **server** from the subsequent dropdown menu to apply the policy to data sources that share this connection string. * **created between**: Select this option and then choose a **start date** and an **end date** in the subsequent dropdown menus. 10. Click **Create Policy**. If creating a global policy, you then need to click **Activate Policy** or **Stage Policy**. ## Additional global ABAC subscription policies When you have multiple global ABAC subscription policies to enforce, create separate global ABAC subscription policies, and then Immuta will [use boolean logic to merge all the relevant policies on the tables they map to](/2024.3/secure-your-data/authoring-policies-in-secure/section-contents/reference-guides/subscription-policies.md#merging-abac-global-subscription-policies). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.immuta.com/2024.3/secure-your-data/authoring-policies-in-secure/section-contents/how-to-guides/abac-subscription-policy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.