The Immuta Policy Builder allows you to use custom functions that reference important Immuta metadata from within your where clause. These custom functions can be seen as utilities that help you create policies easier. Using the Immuta Policy Builder, you can include these functions in your policy queries by choosing where in the sub-action drop-down menu.
@attributeValuesContains()
FunctionThis function returns true
for a given row if the provided column evaluates to an attribute value for which the querying user has a corresponding attribute value. This function requires two arguments and accepts no more than three arguments.
1
Attribute Name
String
Required
The name of the attribute to retrieve values for
2
Column Name/SQL Expression
String
Required
The column that contains the value to match the attribute key against
3
Placeholder
String
Optional
A placeholder in case the list of values is empty
@columnTagged()
FunctionThis function returns the column name with the specified tag.
If this function is used in a Global Policy and the tag doesn't exist on a data source, the policy will not be applied.
1
Tag Name
String
Required
The name of the tag
@groupsContains()
FunctionThis function returns true
for a given row if the provided column evaluates to a group to which the querying user belongs. This function requires at least one argument.
1
Column Name/SQL Expression
String
Required
The column that contains the value to match the group against
2
Placeholder
String
Optional
A placeholder in case the list of values is empty
@hasAttribute()
FunctionThis function returns a boolean indicating if the current user has the specified attribute name and value combination. If the specified attribute name or attribute value has a single quote, you will need to escape it using a \'\'
expression within a custom WHERE
policy.
1
Attribute Name
String
Required
The name of the attribute
2
Attribute Value
String
Required
The value to correspond with the attribute name
@iam
FunctionThis function returns the IAM ID for the current user.
None.
@isInGroups()
FunctionThis function returns a boolean indicating if the current user is a member of all of the specified groups. If any of the specified groups has a single quote, you will need to escape it using a \'\'
expression within a custom WHERE
policy.
1
Group names
Array (String)
Required
A list of group names, e.g. groups('group_a', 'group_b', 'group_c')
@isUsingPurpose()
FunctionThis function returns a boolean indicating if the current user is using the specified purpose. If the specified purpose has a single quote, you will need to escape it using a \'\'
expression within a custom WHERE
policy.
1
Purpose
String
Required
The name of the purpose to check the user against
@purposesContains()
FunctionThis function returns true
for a given row if the provided column evaluates to a purpose under which the querying user is currently acting. This function requires at least one argument and accepts no more than two arguments.
1
Column Name/SQL Expression
String/Expression
Required
The column that contains the value to match the purpose against
2
Placeholder
String
Optional
A placeholder in case the list of values is empty
@username
FunctionThis function returns the current user's user name.
None.