Create Policies API Examples
Subscription Policies
Anyone Can Subscribe
name: Anyone
policyKey: subscription anyone
type: subscription
actions:
type: anyone
automaticSubscription: false
description: Rationale
circumstances:
- type: tags
tag: DiscoveredAnyone Can Subscribe When Approved
name: Approval
policyKey: subscription approval
type: subscription
actions:
type: approval
approvals:
- specificApproverRequired: false
requiredPermission: OWNER
- specificApproverRequired: true
requiredPermission: GOVERNANCE
description: Rationale
circumstances:
- type: columnTags
columnTag: DiscoveredUsers with Specific Groups or Attributes
name: Entitlement
policyKey: subscription entitlements
type: subscription
actions:
type: entitlements
entitlements:
operator: any
groups:
- Employee
attributes:
- name: auth1
value: SOMETHING_ELSE
automaticSubscription: true
allowDiscovery: false
description: Some description here
circumstances:
- type: columnRegex
regex: ssn
caseInsensitive: false
staged: falseUsers with Specific Groups or Attributes (Advanced)
name: Advanced Entitlement
policyKey: subscription entitlements advanced boolean
type: subscription
actions:
type: entitlements
advanced: "@isInGroups('Engineers', 'Founders'') AND @hasAttribute('Auth1', 'Super Secret')"
automaticSubscription: true
allowDiscovery: false
description: Some description here
circumstances:
- type: columnRegex
regex: ssn
caseInsensitive: false
staged: falseIndividual Users You Select
name: Manual
policyKey: subscription manual
type: subscription
actions:
type: manual
description: RationaleData Policies
Data Owner Restrictions
name: Owner Restricted Policy
policyKey: data owner restriction
type: data
ownerRestrictions:
users:
- iamid: bim
username: user@example.com
groups:
- engineers
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Passport
maskingConfig:
type: Hash
circumstances:
- type: columnTags
columnTag: Discovered.PassportMasking Policies
Conditional Masking
name: Conditional Masking
policyKey: data conditional masking
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Passport
conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
maskingConfig:
type: Hash
circumstanceOperator: all
circumstances:
- type: columnTags
columnTag: Discovered.Passport
- type: columnTags
columnTag: Discovered.CountryConditional Masking (Using Otherwise Clause)
name: Conditional
policyKey: data mask otherwise
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Country
maskingConfig:
type: "Null"
inclusions:
groups:
- Employee
- type: Masking
exceptions:
purposes:
- Re-identification Prohibited
config:
fields:
- type: columnTags
columnTag: Discovered.Country
maskingConfig:
type: Hash
circumstances:
- type: columnTags
columnTag: Discovered.CountryWith a Constant
name: Mask with Constant
policyKey: data mask constant
type: data
actions:
- rules:
- type: Masking
exceptions:
operator: any
attributes:
- name: auth
value: SOMETHING_ELSE
- name: auth1
value: super secret
config:
fields:
- type: columnTags
columnTag: Discovered.Country
- type: columnTags
columnTag: Discovered.Passport
maskingConfig:
type: Constant
constant: REDACTED
circumstanceOperator: any
circumstances:
- type: columnTags
columnTag: Discovered.Country
- type: columnTags
columnTag: Discovered.PassportFormat Preserving Masking
Support limitation: This policy is only supported in Snowflake integrations.
name: Format Preserving Masking
policyKey: data mask fpe
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered
maskingConfig:
type: Format Preserving Masking
circumstances:
- type: columnTags
columnTag: DiscoveredWith Hashing (No Tags)
name: Hashing
policyKey: data mask hashing
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: noTags
maskingConfig:
type: Hash
circumstances:
- type: noTagsMake Null Using Column Regex
name: Null using column regex
policyKey: data mask null
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnRegex
regex: ssn
caseInsensitive: true
maskingConfig:
type: "Null"
circumstances:
- type: columnRegex
regex: ssn
caseInsensitive: trueRandomized Response
Support limitation: This policy is only supported in Snowflake integrations.
name: Random Categorical
policyKey: data mask random response
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: allColumns
maskingConfig:
type: Randomized Response
replacementRatePercent: 10Randomized Response (by Specifying Standard Deviation)
Support limitation: This policy is only supported in Snowflake integrations.
Sample data is processed during computation of randomized response policies When a randomized response policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process. To enforce the policy, Immuta generates and stores predicates and a list of allowed replacement values that may contain data that is subject to regulatory constraints (such as GDPR or HIPAA) in Immuta's metadata database. The location of the metadata database depends on your deployment:
Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.
name: Random Numeric
policyKey: data mask random response specifying stddev
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: allColumns
maskingConfig:
type: Randomized Response
stddev: 2
clip: falseUsing a Regex
name: Regex
policyKey: data mask regex
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Entity.Postal Code
maskingConfig:
type: Regular Expression
regex: "(\\d{4})(\\d)"
replacement: "$1X"
caseInsensitive: true
global: true
circumstances:
- type: columnTags
columnTag: Discovered.Entity.Postal CodeWith Reversibility
Support limitation: This policy is only supported in Snowflake integrations.
name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Entity.Social Security Number
maskingConfig:
type: Reversible
exceptions:
groups:
- founders
circumstances:
- type: columnTags
columnTag: Discovered.Entity.Social Security NumberUsing Rounding (Date)
name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
- rules:
- type: Masking
exceptions:
config:
fields:
- type: columnTags
columnTag: Discovered.Entity.Date
maskingConfig:
type: Grouping
timePrecision: MONTH
circumstances:
- type: columnTags
columnTag: Discovered.Entity.DateUsing Rounding (Using Fingerprint)
Support limitation: This policy is only supported in Snowflake integrations.
name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Entity.Date
maskingConfig:
type: Grouping
circumstances:
- type: columnTags
columnTag: Discovered.Entity.DateUsing Rounding (Numeric)
name: RoundingNumeric
policyKey: data mask round numeric
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Entity.Date
maskingConfig:
type: Grouping
bucketSize: 10
circumstances:
- type: columnTags
columnTag: Discovered.Entity.DateMinimize Data Created Between
name: Minimize
policyKey: data minimize
type: data
actions:
- rules:
- type: Minimization
config:
percent: 15
circumstances:
- type: time
startDate: '2020-12-01T16:23:54.734Z'
endDate: '2020-12-31T16:23:54.745Z'Purpose Restrictions
Any Purpose
name: Purpose
policyKey: data purpose restriction
type: data
actions:
- rules:
- type: Purpose Restriction
config:
operator: any
purposes:
- "<ANY PURPOSE>"Purpose in Server
name: Purpose in a specific server
policyKey: data server circumstance
type: data
actions:
- rules:
- type: Purpose Restriction
config:
purposes:
- Re-identification Prohibited
circumstances:
- type: server
server: your@server.example.com:5432/tpcRow-level Policy
By Time
name: Row Level By Time
policyKey: data row-level
type: data
actions:
- rules:
- type: Time Restriction
config:
isOlderOrNewer: newer
time: 2592000
circumstances:
- type: tags
tag: Discovered.PCIWhere User
name: Row Level Where User
policyKey: data where user
type: data
actions:
- rules:
- type: Row Restriction By User Entitlements
config:
operator: all
matches:
type: group
tag: Discovered.Entity
circumstanceOperator: ANY
circumstances:
- type: columnTags
columnTag: Discovered.EntityCustom Where Clause
name: Row Level Where
policyKey: data custom where
type: data
actions:
- rules:
- type: Row Restriction by Custom Where Clause
config:
predicate: "@columnTagged('Discovered.Country') in ('USA', 'CANADA', 'MEXICO')"
circumstances:
- type: tags
tag: Discovered.CountryMultiple Policies
name: Multiple
policyKey: data multiple
type: data
actions:
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Passport
maskingConfig:
type: Hash
description: 'Passport Rule'
- rules:
- type: Minimization
config:
percent: 25
description: 'Passport Rule, also'
- rules:
- type: Masking
config:
fields:
- type: columnTags
columnTag: Discovered.Healthcare NPI
maskingConfig:
type: "Null"
description: 'Healthcare NPI Rule'
circumstanceOperator: any
circumstances:
- type: columnTags
columnTag: Discovered.Passport
- type: columnTags
columnTag: Discovered.Person NameLast updated