Purpose-based access control makes access decisions based on the purpose for which a given user or tool intends to use the data. This method of data access also provides flexibility for you to override policies and grant access to unmasked data to an individual for a very specific reason. Immuta recommends using purposes to create exceptions to global data policies.
There is some up-front work that needs to occur to make this possible.
A user with the GOVERNANCE Immuta permission creates purposes for access to different data types unmasked. As part of creating the purposes, they may want to the user must agree to when acting under that purpose.
A data owner or governor updates the masking or row-level policies to .
Users and connect the project to both the policy and the purpose by
with the policies they want users to be excluded from and
to the project
However, that project does nothing until the purpose is approved.
Once that approval is complete, the user wanting the exception must .
Using the Immuta UI, the . Once switched to that project, the approved exceptions occur for the user.
These exceptions can be made temporary by deleting the project once access is no longer needed or un-approving the purpose for the project after the need for access is gone.