# Subscription Policies Advanced DSL Guide

This page details how users can create more complex policies using functions and variables in the Advanced DSL policy builder than the subscription policy builder allows.

## Permissions

`GOVERNANCE` Immuta permission or `Manage Policies` domain permission

## Build the policy

1. Click the <i class="fa-shield">:shield:</i> **Policies** icon in the navigation menu.
2. Select the **Subscription Policies** tab.
3. Click **New subscription policy** and complete the **Policy name** field.
4. Select the type of subscription policy:
   1. **Grant policy**: Subscribe users to the data source if they meet the conditions of the policy.
   2. [**Guardrail policy**](#user-content-fn-1)[^1]: Prevent users from subscribing unless they meet the conditions of the policy. Some subscription levels listed below are unavailable for this policy type.
5. Select the access type you want to control:
   * **Read Access**: Control who can view the data source.
   * **Write Access**: Control who can view and modify data in the data source.
6. Select **Allow users with specific groups/attributes,** and then select **Create using Advanced DSL**.
7. Select the rules for your policy from the Advanced DSL options. For example, creating a @hasTagsAsAttribute('Department', 'dataSource') would subscribe all users who have an attribute that matches a tag on a data source to that data source. So users with the attribute `Department.Marketing` would be subscribed to data sources with the tag Marketing.
8. Check the **Require Manual Subscription** checkbox to turn off automatic subscription. Enabling this feature will require users to manually subscribe to the data source if they meet the policy.
9. If you would like to make your data source visible in the list of all data sources in the UI to all users, click the **Allow Data Source Discovery** checkbox. Otherwise, this data source will not be discoverable by users who do not meet the criteria established in the policy.
10. If you would like users to have the ability to request approval to the data source, even if they do not have the required attributes or traits, check the **Request Approval to Access** checkbox. This will require an approver with permissions to be set.
11. Select where this policy should be applied: [**On data sources**](#user-content-fn-2)[^2], **When selected by data owners**, or **On all data sources**.
12. Click **Activate Policy** or **Stage Policy**.

[^1]: This policy type is unavailable when authoring a local policy.

[^2]: If a user selects **On data sources**, options include **with columns tagged**, **with columns spelled like**, **in server**, and **created between**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/SaaS/govern/secure-your-data/authoring-policies-in-secure/section-contents/how-to-guides/advanced-dsl-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.