Create Policies API Examples

Subscription Policies

Anyone Can Subscribe

name: Anyone
policyKey: subscription anyone
type: subscription
actions:
  type: anyone
  automaticSubscription: false
  description: Rationale
circumstances:
- type: tags
  tag: Discovered

Anyone Can Subscribe When Approved

name: Approval
policyKey: subscription approval
type: subscription
actions:
  type: approval
  approvals:
  - specificApproverRequired: false
    requiredPermission: OWNER
  - specificApproverRequired: true
    requiredPermission: GOVERNANCE
  description: Rationale
circumstances:
- type: columnTags
  columnTag: Discovered

Users with Specific Groups or Attributes

name: Entitlement
policyKey: subscription entitlements
type: subscription
actions:
  type: entitlements
  entitlements:
    operator: any
    groups:
    - Employee
    attributes:
    - name: auth1
      value: SOMETHING_ELSE
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false

Users with Specific Groups or Attributes (Advanced)

name: Advanced Entitlement
policyKey: subscription entitlements advanced boolean
type: subscription
actions:
  type: entitlements
  advanced: "@isInGroups('Engineers', 'Founders'') AND @hasAttribute('Auth1', 'Super Secret')"
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false

Individual Users You Select

name: Manual
policyKey: subscription manual
type: subscription
actions:
  type: manual
  description: Rationale

Data Policies

Data Owner Restrictions

name: Owner Restricted Policy
policyKey: data owner restriction
type: data
ownerRestrictions:
  users:
  - iamid: bim
    username: user@example.com
  groups:
  - engineers
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Passport
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.Passport

Masking Policies

Conditional Masking

name: Conditional Masking
policyKey: data conditional masking
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Passport
      conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
      maskingConfig:
        type: Hash
circumstanceOperator: all
circumstances:
- type: columnTags
  columnTag: Discovered.Passport
- type: columnTags
  columnTag: Discovered.Country

Conditional Masking (Using Otherwise Clause)

name: Conditional
policyKey: data mask otherwise
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: "Null"
    inclusions:
      groups:
      - Employee
  - type: Masking
    exceptions:
      purposes:
      - Re-identification Prohibited
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.Country

With a Constant

name: Mask with Constant
policyKey: data mask constant
type: data
actions:
- rules:
  - type: Masking
    exceptions:
      operator: any
      attributes:
      - name: auth
        value: SOMETHING_ELSE
      - name: auth1
        value: super secret
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      - type: columnTags
        columnTag: Discovered.Passport
      maskingConfig:
        type: Constant
        constant: REDACTED
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.Country
- type: columnTags
  columnTag: Discovered.Passport

Format Preserving Masking

Support limitation: This policy is only supported in Snowflake integrations.

name: Format Preserving Masking
policyKey: data mask fpe
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered
      maskingConfig:
        type: Format Preserving Masking
circumstances:
- type: columnTags
  columnTag: Discovered

With Hashing (No Tags)

name: Hashing
policyKey: data mask hashing
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: noTags
      maskingConfig:
        type: Hash
circumstances:
  - type: noTags

K-Anonymization (Using Fingerprint)

Support limitation: This policy is only supported in Snowflake integrations.

Sample data is processed during computation of k-anonymization policies

When a k-anonymization policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that generates rules enforcing k-anonymity. The results of this query, which may contain data that is subject to regulatory constraints such as GDPR or HIPAA, are stored in Immuta's metadata database.

The location of the metadata database depends on your deployment:

  • Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.

  • SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

name: K-Anonymization Using Fingerprint on any tags
policyKey: masking kanon using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
circumstances:
- type: anyTag

K-Anonymization (by Specifying K)

Support limitation: This policy is only supported in Snowflake integrations.

Sample data is processed during computation of k-anonymization policies

When a k-anonymization policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that generates rules enforcing k-anonymity. The results of this query, which may contain data that is subject to regulatory constraints such as GDPR or HIPAA, are stored in Immuta's metadata database.

The location of the metadata database depends on your deployment:

  • Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.

  • SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

name: K-Anonymization using kLevel
policyKey: data mask kanon specifying k
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        kLevel: 5
circumstances:
- type: anyTag

K-Anonymization (by Specifying Re-identification Probability)

Support limitation: This policy is only supported in Snowflake integrations.

Sample data is processed during computation of k-anonymization policies

When a k-anonymization policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that generates rules enforcing k-anonymity. The results of this query, which may contain data that is subject to regulatory constraints such as GDPR or HIPAA, are stored in Immuta's metadata database.

The location of the metadata database depends on your deployment:

  • Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.

  • SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

name: K-Anonymization using reIdProbability
policyKey: data mask kanon specifying re-id
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        reIdProbability: 15
circumstances:
- type: anyTag

Make Null Using Column Regex

name: Null using column regex
policyKey: data mask null
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnRegex
        regex: ssn
        caseInsensitive: true
      maskingConfig:
        type: "Null"
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: true

Randomized Response

Support limitation: This policy is only supported in Snowflake integrations.

Sample data is processed during computation of randomized response policies

When a randomized response policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process. To enforce the policy, Immuta generates and stores predicates and a list of allowed replacement values that may contain data that is subject to regulatory constraints (such as GDPR or HIPAA) in Immuta's metadata database.

The location of the metadata database depends on your deployment:

  • Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.

  • SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

name: Random Categorical
policyKey: data mask random response
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        replacementRatePercent: 10

Randomized Response (by Specifying Standard Deviation)

Support limitation: This policy is only supported in Snowflake integrations.

name: Random Numeric
policyKey: data mask random response specifying stddev
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        stddev: 2
        clip: false

Using a Regex

name: Regex
policyKey: data mask regex
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Postal Code
      maskingConfig:
        type: Regular Expression
        regex: "(\\d{4})(\\d)"
        replacement: "$1X"
        caseInsensitive: true
        global: true
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Postal Code

With Reversibility

Support limitation: This policy is only supported in Snowflake integrations.

name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Social Security Number
      maskingConfig:
        type: Reversible
    exceptions:
      groups:
      - founders
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Social Security Number

Using Rounding (Date)

name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
- rules:
  - type: Masking
    exceptions:
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        timePrecision: MONTH
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date

Using Rounding (Using Fingerprint)

Support limitation: Rounding using the fingerprint is only supported in Snowflake integrations.

name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date

Using Rounding (Numeric)

name: RoundingNumeric
policyKey: data mask round numeric
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        bucketSize: 10
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date

Minimize Data Created Between

name: Minimize
policyKey: data minimize
type: data
actions:
- rules:
  - type: Minimization
    config:
      percent: 15
circumstances:
- type: time
  startDate: '2020-12-01T16:23:54.734Z'
  endDate: '2020-12-31T16:23:54.745Z'

Purpose Restrictions

Any Purpose

name: Purpose
policyKey: data purpose restriction
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
        operator: any
        purposes:
        - "<ANY PURPOSE>"

Purpose in Server

name: Purpose in a specific server
policyKey: data server circumstance
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
        purposes:
          - Re-identification Prohibited
circumstances:
- type: server
  server: your@server.example.com:5432/tpc

Row-level Policy

By Time

name: Row Level By Time
policyKey: data row-level
type: data
actions:
- rules:
  - type: Time Restriction
    config:
      isOlderOrNewer: newer
      time: 2592000
circumstances:
- type: tags
  tag: Discovered.PCI

Where User

name: Row Level Where User
policyKey: data where user
type: data
actions:
- rules:
  - type: Row Restriction By User Entitlements
    config:
      operator: all
      matches:
        type: group
        tag: Discovered.Entity
circumstanceOperator: ANY
circumstances:
- type: columnTags
  columnTag: Discovered.Entity

Custom Where Clause

name: Row Level Where
policyKey: data custom where
type: data
actions:
- rules:
  - type: Row Restriction by Custom Where Clause
    config:
      predicate: "@columnTagged('Discovered.Country')  in ('USA', 'CANADA', 'MEXICO')"
circumstances:
- type: tags
  tag: Discovered.Country

Multiple Policies

name: Multiple
policyKey: data multiple
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Passport
      maskingConfig:
        type: Hash
  description: 'Passport Rule'
- rules:
  - type: Minimization
    config:
      percent: 25
  description: 'Passport Rule, also'
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Healthcare NPI
      maskingConfig:
        type: "Null"
  description: 'Healthcare NPI Rule'
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.Passport
- type: columnTags
  columnTag: Discovered.Person Name
PreviousData Source Request Payload ExamplesNextCreate Projects API Examples

Last updated

Was this helpful?