Create a Data Policy
/api/v2/policy
Required Immuta permission: GOVERNANCE
This simple masking policy masks all columns with no tags using a hash function.
| Parameter | Description | Required or optional | Default |
| --- | --- | --- | --- |
| dryRun boolean | If true, no updates will actually be made. | Optional | false |
| reCertify boolean | If true (and if the certification has changed), someone will need to re-certify this policy on all impacted data sources. | Optional | false |
The body of the request contains the details of the policy you want to create. The following table describes the attributes you can include in the body.
| Attribute | Description | Required or optional | Default | Accepted values |
| --- | --- | --- | --- | --- |
| policyKey string | A key/name to uniquely identify this policy. | Required | - | - |
| name string | The name of the policy that will be displayed in the Immuta UI. | Required | - | - |
| type string | The type of policy. | Required | - | subscription, data |
| actions array | The actual rules for this policy. | Required | - | - |
| circumstances array | When and where the policy should get applied. | Optional | - | - |
| circumstanceOperator string | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | any | all, any |
| staged boolean | If true, this global policy is in a staged status. | Optional | false | true, false |
| certification object | Certification information for the global policy. | Optional | - | - |
actions array

The actions array contains one or more rules arrays that describe the rules of the policy. Each rules array can have its own configuration and exceptions.

| Attribute | Description | Required or optional | Accepted values |
| --- | --- | --- | --- |
| rules array | Details about the rules of the policy. | Required | - |
| rules.type string | The type of data policy. | Required | Masking, Minimization, Purpose Restriction, Time Restriction, Row Restriction By User Entitlements, Row Restriction by Custom Where Clause |
| rules.config object | Details about the configuration of the policy. | Required | - |
| rules.inclusions object | | Optional | - |
| rules.inclusions.groups array[string] | Group names. Users in these groups will be affected by the rules in this rules array. | Required for rules.inclusions | - |
| rules.exceptions object | These are the users the policy is not meant to target. | Optional | - |
config object

The config object contains the details of the policy configuration. This includes the fields the policy will be applied to and the masking configuration.

| Attribute | Description | Required or optional | Accepted values |
| --- | --- | --- | --- |
| fields array | Details about the fields where the policy should be applied. | Required | - |
| maskingConfig object | The details of the masking policy. | Required if rules.type is Masking | - |
| conditionalPredicate string | | Optional | - |
| operator string | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | any |
| purposes array[string] | Purpose names. Restriction to the data will be applied to everyone except users acting under these purposes. | Required if rules.type is Purpose Restriction | - |
| percent integer | Specifies the percentage of the data to show. | Required if rules.type is Minimization | - |
| isOlderOrNewer string | Specifies if the policy should be applied to columns older or newer than the provided time. | Required if rules.type is Time Restriction | newer, older |
| time integer | The time (in seconds) that the row must be older or newer than to be visible. | Required if rules.type is Time Restriction | - |
| predicate string | | Required if rules.type is Row Restriction by Custom Where Clause | - |
| matches object | The user entitlements that must match the value in the specified column for the row to show. | Required if rules.type is Row Restriction By User Entitlements | - |
| matches.type string | The type of user entitlements to base the policy on. | Required if rules.type is Row Restriction By User Entitlements | Group, Attribute, Purpose |
| matches.tag string | The tag of the column whose data must match the user's entitlement. | Required if rules.type is Row Restriction By User Entitlements | - |
fields array

The fields array specifies which columns the policy will be applied to. You can specify columns by tags, regex, or all columns.

| Attribute | Description | Required or optional | Accepted values |
| --- | --- | --- | --- |
| type string | The type of Immuta source to build the policy off of. | Required | columnTags, noTags, columnRegex, allColumns |
| columnTag string | The column tag to determine which column the policy is applied to. | Required if type is columnTags | - |
| regex string | The regex to match against column names and apply the policy when found. | Required if type is columnRegex | - |
| caseInsensitive boolean | If true, the regex is case insensitive. Use with columnRegex type. | Optional | true, false |
maskingConfig object

The maskingConfig object contains the details of the masking policy. You can specify the type of masking, the constant value to use, or a regular expression to match against.

| Attribute | Description | Required or optional | Accepted values |
| --- | --- | --- | --- |
| type string | The type of masking policy to apply. | Required if rules.type is Masking | Hash, Null, Constant, Format Preserving Masking, Randomized Response, Regular Expression, Reversible, Grouping |
| constant string | Specifies the string that will replace the value in the column. | Required if type is Constant | - |
| regex string | The regular expression that identifies the portion of the value to mask. | Required if type is Regular Expression | - |
| replacement string | The string that will replace the portion of the value identified by the regular expression to mask. | Required if type is Regular Expression | - |
| caseInsensitive boolean | If true, the regex is case insensitive. Use with Regular Expression type. | Optional | true, false |
| timePrecision string | Specifies where Immuta will round the time to. | Requires timePrecision or bucketSize if type is Grouping | HOUR, DAY, MONTH, QUARTER, YEAR |
| bucketSize integer | The bucket size to round to. | Requires timePrecision or bucketSize if type is Grouping | - |
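The following Python check is an added example, not part of the Immuta documentation or Immuta's code. It tests a request body against the "Required if ..." conditions listed in the rules, config, fields and maskingConfig tables before the body is submitted, for instance ahead of a dryRun call. The JSON nesting (actions[].rules[].config), the function names and the sample policyKey and name are assumptions inferred from the attribute tables.

```python
# Added example, not Immuta code. Assumed nesting: actions[].rules[].config.{fields,maskingConfig}
# rules.type -> config keys the config table marks "Required if rules.type is ..."
RULE_NEEDS = {
    "Masking": ["maskingConfig"], "Minimization": ["percent"],
    "Purpose Restriction": ["purposes"], "Time Restriction": ["isOlderOrNewer", "time"],
    "Row Restriction By User Entitlements": ["matches"],
    "Row Restriction by Custom Where Clause": ["predicate"],
}
FIELD_NEEDS = {"columnTags": ["columnTag"], "noTags": [], "columnRegex": ["regex"], "allColumns": []}
MASK_NEEDS = {"Constant": ["constant"], "Regular Expression": ["regex", "replacement"]}
MASK_TYPES = {"Hash", "Null", "Constant", "Format Preserving Masking", "Randomized Response",
              "Regular Expression", "Reversible", "Grouping"}

def _missing(obj, keys, where):
    return [f"{where}: missing {k}" for k in keys if k not in obj]

def validate_data_policy(body):
    """Return a list of problems; an empty list means the body passes these checks."""
    errs = _missing(body, ["policyKey", "name", "type", "actions"], "body")
    if body.get("type") not in ("subscription", "data"):
        errs.append("body: type must be subscription or data")
    for a, action in enumerate(body.get("actions", [])):
        for r, rule in enumerate(action.get("rules", [])):
            where = f"actions[{a}].rules[{r}]"
            rtype, cfg = rule.get("type"), rule.get("config", {})
            if rtype not in RULE_NEEDS:
                errs.append(f"{where}: unknown rules.type {rtype!r}")
                continue
            # The config table lists fields as Required for every rule type.
            errs += _missing(cfg, ["fields"] + RULE_NEEDS[rtype], where + ".config")
            for f in cfg.get("fields", []):
                if f.get("type") not in FIELD_NEEDS:
                    errs.append(f"{where}: unknown fields type {f.get('type')!r}")
                errs += _missing(f, FIELD_NEEDS.get(f.get("type"), []), where + ".config.fields")
            if "matches" in cfg:
                errs += _missing(cfg["matches"], ["type", "tag"], where + ".config.matches")
            mask = cfg.get("maskingConfig")
            if mask is not None:
                mtype = mask.get("type")
                if mtype not in MASK_TYPES:
                    errs.append(f"{where}: unknown maskingConfig type {mtype!r}")
                errs += _missing(mask, MASK_NEEDS.get(mtype, []), where + ".config.maskingConfig")
                if mtype == "Grouping" and not ({"timePrecision", "bucketSize"} & mask.keys()):
                    errs.append(f"{where}: Grouping needs timePrecision or bucketSize")
    return errs

# Constructed sample: a policy that masks all columns with no tags using a hash.
HASH_UNTAGGED = {"policyKey": "mask-untagged-hash", "name": "Mask untagged columns", "type": "data",
    "actions": [{"rules": [{"type": "Masking", "config": {
        "fields": [{"type": "noTags"}], "maskingConfig": {"type": "Hash"}}}]}]}
```
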
exceptions object

The exceptions object specifies the users that will not be affected by the policy. You can specify exceptions based on purposes or attributes.

| Attribute | Description | Required or optional | Accepted values |
| --- | --- | --- | --- |
| operator string | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | all, any |
| purposes array[string] | Purpose names. Users acting under these purposes will not be affected by this policy. | Requires either purposes or attributes | - |
| attributes array[object] | Attribute names and values. Users with these attributes will not be affected by this policy. | Requires either purposes or attributes | - |
| attributes.name string | An attribute name. | Required if attributes is used | - |
| attributes.value string | An attribute value. | Required if attributes is used | - |
circumstances array

The circumstances array dictates what data sources the policy will be applied to. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period.

| Attribute | Description | Required or optional | Default | Accepted values |
| --- | --- | --- | --- | --- |
| type string | Specifies how to determine whether or not to apply the policy to the data source. | Optional | Defaults to all data sources | tags, columnRegex, columnTags, domains, null, server, time |
| tag string | The tag to dictate when the policy is applied. | Required if type is tags | - | - |
| columnTag string | The column tag to dictate when the policy is applied. | Required if type is columnTags | - | - |
| regex string | The regex to match against column names and apply the policy when found. | Required if type is columnRegex | - | - |
| caseInsensitive boolean | If true, the regex is case insensitive. Use with columnRegex type. | Optional | - | true, false |
| server string | Specifies the server that contains the data sources the policy should be applied to. | Required if type is server | - | - |
| startDate string | Specifies to apply policies to data sources created on or after this date and before the endDate. | Required if type is time | - | - |
| endDate string | Specifies to apply policies to data sources created before this date and after the startDate. | Optional | - | - |
| domains array[object] | Specifies to apply policies to data sources in the listed domains. | Required if type is domains | - | - |
| domains.id string | The unique ID of the domain. | Requires either domains.id or domains.name if type is domains | - | - |
| domains.name string | The name of the domain. | Requires either domains.id or domains.name if type is domains | - | - |

Accepted values for type:

tags: Apply the policy when the data source has these tags.
columnRegex: Apply the policy when the data source has column names that match the regex.
columnTags: Apply the policy when the data source has columns with these tags.
domains: Apply the policy to data sources in these domains.
null: Apply the policy to data sources when it is selected by data owners.
server: Apply the policy to data sources in this server.
time: Apply the policy to data sources created in a specific time period.
certification object

The certification object contains the details of the certification for the policy.

| Attribute | Description | Required or optional | Default | Accepted values |
| --- | --- | --- | --- | --- |
| text string | The text that appears when a data owner attempts to certify a policy. | Required | - | - |
| label string | The label that appears when the policy has been certified. | Required | - | - |
| tags array[string] | Tags that impact the certification. | Optional | - | - |
| recertify boolean | When true, data owners must re-certify all data sources this policy applies to. | Optional | false | true, false |
rules.inclusions: The specific users this policy is meant to affect. If you use inclusions, you must add a second rules array for the other users.
to dictate where the policy is applied.
to dictate what rows are visible.