This section of API documentation is specific to searching for data and audit logs, managing policies and access requests, and auditing user activity.
Policies can also be created and managed using the V2 API.
Data and subscription policies: Manage and review data and subscription policies in Immuta.
Write access policies: Author policies to manage write access to data sources.
Domains reference guide: Create and manage a domain.
Manage access requests: View and manage data source and project access requests.
Policy handler object: View examples of policy handler objects.
Search audit logs: Search Immuta audit logs.
Search connection strings: Search by connection string.
Search for organizations: Search by organization.
Search schemas: Search by schema.
Subscription API reference guide
This page describes the subscription endpoint, which allows you to view and manage access requests.
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
GET /subscription/getPendingRequestsForUser
Get pending access requests the calling user can approve.
The following request gets pending access requests the calling user can approve.
GET /subscription/requestInfo/{modelType}/{modelId}
Get pending request information for specified model and requesting user (or specified entity).
The following request gets pending access requests for the data source with the ID 6 for the current user.
POST /subscription/approve
Approve specified access requests.
The following request approves the subscription request.
POST /subscription/approve/bulk
Bulk approve access requests.
The following request approves all of the subscription requests.
POST /subscription/deny
Deny specified access requests.
The following request denies the subscription request.
POST /subscription/deny/bulk
Bulk deny access requests.
The following request with the payload below denies the subscription requests with the IDs 40 and 41.
Policy API reference guide
The policy endpoint allows you to manage and review policies in Immuta. This page outlines the endpoint and its request and response parameters.
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
POST /policy/global
Create a Global Policy with a given entityType.
See the Policy Handler Objects tutorial for payload examples and details.
When successful, the response returns the body of the request payload.
This example request creates a Global Policy (saved in the example-payload.json file) in the Immuta tenant.
Request payload example
POST or PUT /policy/handler/{dataSourceId}
Create (POST) or update (PUT) a policy for the specified data source.
This example request applies the policy specified in the payload to the data source with the ID 2.
Request payload example
Note: Global policies that contain the condition "with columns tagged" or "on all data sources" will automatically apply to relevant data sources when the policy is created. The endpoint detailed below can be used to apply Global Policies that contain the condition "when selected by data owners," as these policies are not automatically applied to data sources.
POST /policy/global/applyPolicy
Apply the Global Policy to the specified data source.
None. When successful, no message will display.
This example request applies the specified Global Policy to the specified data source (saved in the example-payload.json file) in the Immuta tenant.
Request payload example
The following payload will apply the Global Policy with the ID 1 to the data source with ID 1.
PUT /policy/global/{policyId}
Update the specified policy.
See the Policy Handler Objects tutorial for payload examples and details.
When successful, the response returns the body of the request payload.
This example request updates the specified Global Policy (8) with changes to the metadata saved in the example-payload.json file.
Request payload example
In this payload, the user updated the description attribute to update the policy.
POST /policy/search
Searches for specified policies.
This example request searches for a Global Policy that contains the text mask in Immuta.
GET /policy/global/{policyId}
Find the policy with the specified ID.
The response returns a policy object.
This example request returns the Global Policy with the ID 1.
GET /policy/global
Find the policy with the specified entity type.
This example request returns the name, type, and ID of all policies.
GET /policy/global/appliedTo/{policyId}
Find the number of data sources the specified policy applies to.
This example request returns the number of data sources the Global Policy with the ID 6 applies to.
GET /policy/dataSourcePolicies/{dataSourceId}
Get the policy information for the specified data source.
This example request returns the information of policies applied to the data source with the ID 2.
GET /policy/diff/{dataSourceId}
Get the differences between two policy handler versions.
This example request returns the information of policies applied to the data source with the ID 3.
GET /policy/handler/{dataSourceId}
Get the policy handler metadata for a specific data source.
This example request returns the policy handler metadata for policies applied to the data source with the ID 1.
DELETE /policy/global/{policyId}
Delete the specified Global Policy.
The response returns a policy object of the policy that was deleted.
The following request deletes the Global Policy with ID 6.
Write policies API endpoint reference guide
POST /dataSource/{dataSourceId}/access
Manually grants write access to a user.
POST /policy/global
Creates a global policy.
The example below grants write access to users with the attribute has.write and applies the global policy to all data sources.
The example below grants users write access when they are individually selected by data owners and applies the policy to data sources with columns tagged Discovered.Person Name.
DELETE /policy/global/{policyId}
Deletes the specified policy.
GET /policy/global/{policyId}
Gets the specified policy.
PUT /policy/global/{policyId}
Updates the specified policy.
Domains API reference guide
The collections object represents a domain you've created that contains data sources and assigned permissions. Currently, the only collection type available is a domain, so collections and domains are referred to interchangeably throughout this page.
POST /collection
GET /collection
Retrieve domains created in Immuta. These results can be filtered by permission or by name.
The following table describes optional query parameters for retrieving domains.
GET /collection/{collectionId}
Retrieve a domain with the given collectionId to view the data sources, description, and assigned permissions associated with the domain.
GET /collection/{collectionType}/{collectionName}
Retrieve a domain with the given collectionName to view the data sources, description, and assigned permissions associated with the domain.
PUT /collection/{collectionId}
Change the domain name or description. You must have the global GOVERNANCE permission to update the domain.
Path parameter
Body parameters
DELETE /collection/{collectionId}
Delete a domain. The domain must have zero data sources for a user with the global GOVERNANCE permission to delete the domain.
Path parameter
Query parameter
Returns a 204 code when the domain is successfully deleted. Additional responses are provided below:
400: An invalid ID was provided.
404: The domain was not found.
POST /collection/{collectionId}/datasources
Add existing data sources to a domain. You must have the GOVERNANCE permission.
Path parameter
Body parameter
Returns a unique identifier of the background job that adds the data sources to the domain.
GET /collection/{collectionId}/datasources
Retrieve the data sources within a domain.
Path parameter
Query parameters
Returns a data property that contains an array of up to size data sources. Each entry in the array is a separate data source. If there are no data sources in the domain, the array will be empty.
DELETE /collection/{collectionId}/datasources/{dataSourceId}
Remove data sources from a domain. To remove data sources from a domain, you must have the global CREATE_DATA_SOURCE permission.
Returns a 204 code when the data source is successfully removed from the domain. Additional responses are included below:
403: Requesting user does not have permission to remove the data source.
404: The specified collection or data source was not found.
POST /collection/{collectionId}/permissions
Assign domain permissions to a specific user. You must have the global USER_ADMIN permission to assign domain permissions to users.
Path parameter
Body parameters
GET /collection/{collectionId}/permissions/{memberType}
Retrieve a list of permissions associated with the domain.
Path parameters
Query parameters
Returns a data property that contains an array of users or groups who have been assigned that permission in the domain.
GET /collection/permissions/{memberType}/{memberId}
Retrieve a list of permissions for the specified user or group across all domains they are a member of.
Returns a data property that contains an array of permissions that have been assigned to the user or group in all the domains they are a member of.
DELETE /collection/{collectionId}/permissions/{permissionId}
Remove a domain permission from a specific user or group. You must have the global USER_ADMIN permission to remove domain permissions from users and groups.
Returns a 204 code when the permission is successfully removed from the user. Additional responses are provided below:
400: Invalid permission
404: Collection or permission not found
DELETE /collection/{collectionId}/permissions/{memberType}/{memberId}/{permissionType}
Remove a domain permission based on the permission type. You must have the global USER_ADMIN permission to remove domain permissions from users and groups.
Returns a 204 code when the permission is successfully removed. Additional responses are provided below:
400: Invalid permission
404: Collection or permission not found
The parameters for manually granting write access to a data source without using a policy are outlined in the table below.
The parameters for creating a global write policy are outlined in the table below.
The actions array specifies the policy access type and restriction level. Its child parameters are outlined in the table below.
The circumstances object specifies the conditions under which the policy applies to a data source. Its child parameters are outlined in the table below.
This page describes how to update policies using the Policy Handler API.
dataSourceId (integer): ID of the data source the policy will be applied to.
Example: 1
jsonRules (array[object]): Array of JSON rules objects.
The jsonRules array contains rules objects. The following types of policy rules are supported:
Not all combinations of policy rules are valid. The examples below are supported policy rule combinations:
Prerequisite, Visibility, Masking
Prerequisite, Masking, Minimization
Prerequisite policies are used to limit usage to one or more purposes.
type (string): Policy rule type. Must be prerequisite for prerequisite policy rules.
Example: "prerequisite"
operator (string): Operator to be applied on conditions. Possible values: and, or.
Example: "or"
conditions (array[object]): Conditions to be applied for the rule. Multiple values will be evaluated according to the operator.
Example:
In this example, users will only have access to data from this data source when they are acting under the purpose named Purpose Name.
Visibility policies are used to enforce row-level security.
type (string): Policy rule type. Must be visibility for row-level security policy rules.
Example: "visibility"
operator (string): Operator to be applied on conditions. Possible values: and, or.
Example: "or"
conditions (array[object]): Conditions to be applied for the rule. Multiple values will be evaluated according to the operator.
Note: When adding conditions to a visibility policy rule, the field is required, and the condition value should be left empty. For example, for a group policy condition, the group name is not specified. The user must possess the group, attribute, or purpose that matches the value stored in the field.
Example:
In this example, users will only see rows when they have an authorization that matches the value in the field department and they belong to a group that matches the value in the field organization.
Masking policy rules will mask the value in one or more columns.
type (string): Policy rule type. Must be masking for masking policy rules.
Example: "masking"
fields (array[string]): Fields that will be masked when a user does not fulfill policy conditions.
Example: ["email", "location"]
operator (string): Operator to be applied on conditions. Possible values: and, or.
Example: "or"
conditions (array[object]): Conditions to be applied for the rule. Multiple values will be evaluated according to the operator.
Note: When adding conditions to a masking policy rule, the field will be left blank, and the condition value should be populated.
name (string): Name of the field being masked.
Example: "social"
type (string): Type of masking to apply. Supported values are "Consistent Value", "Grouping", "Regular Expression".
Example: "Consistent Value"
metadata (object): Extra metadata used when masking the value.
Consistent value
constant (string|null): Constant value to mask to. If this field is not defined, the value will be hashed.
Example: "REDACTED"
Regular expression
regex (string): Regex to match against when masking columns.
Example: "[0-9]{3}-[0-9]{2}"
replacement (string): String used to replace the matched regex.
Example: "xxx-xx"
Grouping
bucketSize (integer): For number fields. Size of buckets to round numbers to.
Example: 100
timePrecision (string): For time fields. Time precision to round to. Possible values: "MIN", "HOUR", "DAY", "WEEK", "MONTH", "YEAR".
Example: "HOUR"
Example policy handler update with masking configuration metadata:
Example:
In this example, the fields email and location will be masked unless the user belongs to the group admins.
Minimization policy rules will show a limited percentage of the data, based on a high cardinality column, for everyone unless the user fulfills the policy conditions.
type (string): Policy rule type. Must be additional for minimization policy rules.
Example: "additional"
name (string): Name of additional policy. Must be minimization for minimization policy rules.
Example: "minimization"
operator (string): Operator to be applied on conditions. Possible values: and, or.
Example: "or"
conditions (array[object]): Conditions to be applied for the rule. Multiple values will be evaluated according to the operator.
Note: When adding conditions to a minimization policy rule, the field will be left blank.
percent (integer): Percentage of the data to show to the users. This percentage will be based off of unique values in the hashPhrase column.
Example: 50
hashPhrase (string): Column to base the percentage off of. This should be a high cardinality column in the data source.
Example: "name"
Example policy handler rule:
In this example, 50 percent of the data, based on the name field, will be visible to users unless they fulfill the policy conditions.
Example data source update (partial):
Time-based rules will make a limited portion of the data available based on event time. The data source must contain an event time column in order for this policy type to be valid. For instance, users who do not fulfill the policy conditions will only see data from within the defined time window.
type (string): Policy rule type. Must be additional for time-based policy rules.
Example: "additional"
name (string): Name of additional policy. Must be time for time-based policy rules.
Example: "time"
operator (string): Operator to be applied on conditions. Possible values: and, or.
Example: "or"
conditions (array[object]): Conditions to be applied for the rule. Multiple values will be evaluated according to the operator.
Note: When adding conditions to a time-based policy rule, the field will be left blank.
time (integer): Age in seconds of the oldest data a user will be allowed to see. This counts backward from the present.
Example: 14400
Example policy handler rule:
In this example, only data from the last 4 hours will be visible to users unless they fulfill the policy conditions.
Example data source update (partial):
There are three types of policy conditions:
The group policy condition restricts access to the condition when a user is a member of a group.
type (string): Type of policy condition. Must be "groups" for the group policy condition.
Example: "groups"
group (object): Object describing group user must belong to in order to satisfy the policy condition.
field (string): Data field to match group name against when checking policy.
Example: "department"
Example:
name (string): Name of group user must belong to in order to satisfy the policy condition.
Example: "users"
iam (string): ID of the IAM containing the group.
Example: "active_directory"
The attribute policy condition restricts access to the condition when a user possesses an attribute.
type (string): Type of policy condition. Must be "authorizations" for the attribute policy condition.
Example: "authorizations"
authorization (object): Object describing attribute user must possess in order to satisfy the policy condition.
field (string): Data field to match attribute value against when checking policy.
Example: "department"
Example:
auth (string): Name of attribute to check for attribute value.
Example: "accesses"
value (string): Value of attribute user must possess in order to satisfy the policy condition.
Example: "PII"
iam (string): ID of the IAM user must receive the attribute from.
Example: "active_directory"
The purpose policy condition restricts access to the condition when a user is acting under a purpose.
type (string): Type of policy condition. Must be "purposes" for the purpose policy condition.
Example: "purposes"
value (string): Purpose name user must be acting under in order to satisfy the policy condition.
Example: "Purpose"
field (string): Data field to match purpose name against when checking policy.
Example: "department"
Example:
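The rule and condition constraints described above (visibility conditions need a field and an empty value, masking conditions need a populated value and a blank field, minimization and time-based rules carry percent, hashPhrase and time) can be checked offline before a payload is sent to the policy handler endpoint. The following is an added example, not Immuta's code and not part of the original page; the function names and sample payloads are constructed, and the placement of attributes within the rule and condition objects is an assumption noted in the comments.

```python
# Added example: lint a policy-handler payload against the attribute rules on this page.
# ASSUMPTION: fields/percent/hashPhrase/time sit at the top level of a rule, "field" sits
# on the condition, and the group name / attribute value sit inside "group"/"authorization".
OPERATORS = {"and", "or"}
CONDITION_SHAPES = {  # condition type -> (object holding the value, key of the value)
    "groups": ("group", "name"),
    "authorizations": ("authorization", "value"),
    "purposes": (None, "value"),
}
FIELD_MUST_BE_BLANK = {"masking", "minimization", "time"}

def is_int(x):
    return isinstance(x, int) and not isinstance(x, bool)

def rule_kind(rule):
    """Name the rule the way the page does; 'additional' rules are split by 'name'."""
    rtype = rule.get("type")
    if rtype in ("prerequisite", "visibility", "masking"):
        return rtype
    if rtype == "additional" and rule.get("name") in ("minimization", "time"):
        return rule["name"]
    return None

def lint_condition(kind, cond, where):
    ctype = cond.get("type") if isinstance(cond, dict) else None
    if ctype not in CONDITION_SHAPES:
        return [f"{where}: unknown condition type {ctype!r}"]
    holder_key, value_key = CONDITION_SHAPES[ctype]
    holder = cond.get(holder_key) if holder_key else cond
    value = holder.get(value_key) if isinstance(holder, dict) else None
    field, problems = cond.get("field"), []
    if kind == "visibility":  # row-level rules compare the user to a column value
        if not field:
            problems.append(f"{where}: visibility condition needs 'field'")
        if value:
            problems.append(f"{where}: visibility condition value must be empty")
    if kind in FIELD_MUST_BE_BLANK and field:
        problems.append(f"{where}: 'field' must be blank in a {kind} rule")
    if kind == "masking" and not value:
        problems.append(f"{where}: masking condition value must be populated")
    return problems

def lint_rule(rule, index):
    where = f"jsonRules[{index}]"
    kind = rule_kind(rule) if isinstance(rule, dict) else None
    if kind is None:
        return [f"{where}: unsupported rule type/name"]
    problems = []
    op = rule.get("operator")
    if op is not None and op not in OPERATORS:
        problems.append(f"{where}: operator must be 'and' or 'or', got {op!r}")
    fields = rule.get("fields")
    fields_ok = isinstance(fields, list) and fields and all(isinstance(f, str) for f in fields)
    if kind == "masking" and not fields_ok:
        problems.append(f"{where}: masking rule needs a non-empty 'fields' list")
    if kind == "minimization":
        if not (is_int(rule.get("percent")) and 0 <= rule["percent"] <= 100):
            problems.append(f"{where}: 'percent' must be an integer from 0 to 100")
        if not (isinstance(rule.get("hashPhrase"), str) and rule["hashPhrase"]):
            problems.append(f"{where}: 'hashPhrase' must name a column")
    if kind == "time" and not (is_int(rule.get("time")) and rule["time"] > 0):
        problems.append(f"{where}: 'time' must be a positive number of seconds")
    conditions = rule.get("conditions")
    if not isinstance(conditions, list):
        return problems + [f"{where}: 'conditions' must be an array"]
    for i, cond in enumerate(conditions):
        problems += lint_condition(kind, cond, f"{where}.conditions[{i}]")
    return problems

def lint_payload(payload):
    """Return a list of human-readable problems; an empty list means the payload passed."""
    problems = []
    if not is_int(payload.get("dataSourceId")):
        problems.append("dataSourceId must be an integer")
    rules = payload.get("jsonRules")
    if not isinstance(rules, list):
        return problems + ["jsonRules must be an array of rule objects"]
    for i, rule in enumerate(rules):
        problems += lint_rule(rule, i)
    return problems

# Constructed sample payloads (values reuse the examples quoted on this page).
GOOD = {"dataSourceId": 1, "jsonRules": [
    {"type": "prerequisite", "operator": "or",
     "conditions": [{"type": "purposes", "value": "Purpose Name"}]},
    {"type": "visibility", "operator": "and", "conditions": [
        {"type": "authorizations", "authorization": {"auth": "accesses"}, "field": "department"},
        {"type": "groups", "group": {}, "field": "organization"}]},
    {"type": "masking", "fields": ["email", "location"], "operator": "or",
     "conditions": [{"type": "groups", "group": {"name": "admins"}}]},
]}
BAD = {"dataSourceId": "1", "jsonRules": [
    {"type": "visibility", "operator": "xor",
     "conditions": [{"type": "groups", "group": {"name": "admins"}}]},
    {"type": "masking", "fields": [], "operator": "or",
     "conditions": [{"type": "purpopses", "value": "Purpose"}]},
    {"type": "additional", "name": "minimization", "percent": 150,
     "hashPhrase": "name", "conditions": []},
    {"type": "additional", "name": "time", "time": -5, "conditions": []},
]}
```

Calling lint_payload(BAD) reports, among others, the misspelled condition type and the visibility condition that names a group instead of a field; a payload like that may otherwise not enforce the policy its author intended.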
Connection strings API reference guide
This page describes the connectionStrings endpoint.
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
GET /connectionStrings
Search across all connection strings in the handler table.
The following request searches across all connection strings in the handler table.
Audit API reference guide
This page describes the audit endpoint API. The audit API allows users to programmatically search for audit records in Immuta.
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
GET /audit
Search for audit records.
The following request searches for all audit records.
GET /audit/{recordId}
Retrieve a specific audit record.
The following request retrieves a specific audit record.
GET /audit/apikey/activity
Queries for the recent activity using the API key.
The following request queries for the recent activity using the API key.
GET /audit/queries/dataSource/{dataSourceId}/mine
Returns the list of the current user's distinct queries for the specified data source.
The following request returns the list of the current user's distinct queries.
Organizations API reference guide
This page describes the organizations endpoint.
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
GET /organizations
Search for organizations.
The following request searches for organizations that contain Immuta in their name.
Schemas API reference guide
This page describes the schemas endpoint of the Immuta API and its request and response parameters.
Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.
GET /schemas
Search across all schemas in the handler table.
This example request gets all of the schemas with the string "medical" in their name.
The policies resource allows you to manage and apply policies to your data sources. The endpoints and examples provided in this guide are specific to creating .
The request accepts a JSON or YAML payload. See the for parameter details.
The response returns the following JSON object. See the for details about the response schema.
The request accepts a JSON or YAML payload. See the for parameter details.
The response returns the global policy configuration. See the for details about the response schema.
The response returns the deleted global policy configuration. See the for details about the response schema.
The response returns the global policy configuration. See the for details about the response schema.
The request accepts a JSON or YAML payload. See the for parameter details.
The response returns the updated global policy configuration. See the for details about the response schema.
Create a new domain. You must have the global GOVERNANCE permission to create a domain. You can after creating the domain.
Returns a .
Returns a data property that contains an array of up to size . If no domains exist, the array will be empty.
Returns a .
Returns a .
Returns a with the new name or description.
Returns an array of that represent a permission in a domain assigned to a specific user. If the permission had already been assigned to the user for that domain, the response will include an error for the permissions that were not assigned to that user because the permission already existed.
The create policy handler endpoint must be a .
The update policy handler endpoint must be a .
Example: See
Example: See
Example: See
Example: See
When using a masking rule, there is an additional field that needs to be sent in the in the policyHandler.maskingConfiguration
array field.
Example: See
Example: See
When using a minimization rule, there is an additional field that needs to be sent in the in the policyHandler.additionalFilters.minimization
field.
Example: See
When using a time based rule, there is an additional field that needs to be sent in the in the policyHandler.additionalFilters
field.
Example: See
Example: See
This endpoint has been deprecated and replaced by .
Method | Path | Purpose |
---|---|---|
GET | | Get pending access requests the calling user can approve. |
GET | | Get pending request information for specified model and requesting user (or specified entity). |

Attribute | Type | Description | Required |
---|---|---|---|
groupByEntity | boolean | If true, group request results by user/group. | No |
profileId | integer | Match against profile ID. | No |
groupId | integer | Match against group ID. | No |
name | string | A partial name to match against user or group names. | No |
 | string | A partial email address to match against user or group email addresses. | No |
modelName | string | A partial name to match against model names. | No |
modelTypes | array[string] | Model types to include. | No |
size | integer | The max number of matches to return. Default 15. | No |
sortField | string | The field to sort results on. Defaults to name. | No |
sortOrder | string | The order that the results will be sorted in. Default asc. | No |
offset | integer | Offset to start returning values. | No |

Attribute | Type | Description |
---|---|---|
hits | array | Metadata details regarding the access requests. |
count | integer | The number of access requests. |

Attribute | Type | Description | Required |
---|---|---|---|
modelType | string | The model that a pending request is out for. Options are datasource or project. | Yes |
modelId | integer | The data source or project ID. | Yes |
profileId | integer | A user ID if you want to get pending requests for another user. | No |
groupId | integer | A group ID if you want to get pending requests for a whole group. | No |

Attribute | Type | Description |
---|---|---|
records | array | Details about each of the pending access requests, including subscriptionId, requiredPermission, state, approverId, ownerModelId, approver, and ownerModelName. |

Method | Path | Purpose |
---|---|---|
POST | | Approve specified access requests. |
POST | | Bulk approve access requests. |

Attribute | Type | Description | Required |
---|---|---|---|
id | integer | The subscription ID of the request to approve. | Yes |
expiration | date | The date to expire this user's access. | No |

Attribute | Type | Description |
---|---|---|
id | integer | If the request fails, the response includes the ID of the access request. |
model | array[object] | If the request fails, the response includes details about the data source or project. |
entity | array[object] | If the request fails, the response includes details about the user making the subscription request. |

Attribute | Type | Description | Required |
---|---|---|---|
requestIds | integer | A list of the access request IDs to be approved. If requestIds is provided, jobs will only be created for the IDs listed. Otherwise, the id and type values will be used to find and create jobs for all approval requests. | Yes |
id | integer | The ID for the type. If requestIds is provided, jobs will only be created for the IDs listed. Otherwise, the id and type values will be used to find and create jobs for all approval requests. | Yes |
type | string | The type of ID: profile. If requestIds is provided, jobs will only be created for the IDs listed. Otherwise, the id and type values will be used to find and create jobs for all approval requests. | Yes |

Attribute | Type | Description |
---|---|---|
success | boolean | If true, all of the access requests have been successfully approved. |

Method | Path | Purpose |
---|---|---|
POST | | Deny specified access requests. |
POST | | Bulk deny access requests. |

Attribute | Type | Description | Required |
---|---|---|---|
id | integer | The subscription ID of the request to deny. | Yes |
denialReasoning | string | The reason the user is denied access to the data source or project. | Yes |

Attribute | Type | Description |
---|---|---|
id | integer | If the request fails, the response includes the ID of the access request. |
model | array[object] | If the request fails, the response includes details about the data source or project. |
entity | array[object] | If the request fails, the response includes details about the user making the subscription request. |

Attribute | Type | Description | Required |
---|---|---|---|
requestIds | integer | A list of the access request IDs to be approved. If requestIds is provided, jobs will only be created for the IDs listed. Otherwise, the id and type values will be used to find and create jobs for all denial requests. | Yes |
id | integer | The ID for the type you select. If requestIds is provided, jobs will only be created for the IDs listed. Otherwise, the id and type values will be used to find and create jobs for all denial requests. | Yes |
type | string | The type of ID: profile. If requestIds is provided, jobs will only be created for the IDs listed. Otherwise, the id and type values will be used to find and create jobs for all denial requests. | Yes |
denialReasoning | string | The reason that you are denying the access requests. | Yes |

Attribute | Type | Description |
---|---|---|
success | boolean | If true, all of the access requests have been successfully denied. |

Method | Path | Purpose |
---|---|---|
POST | /policy/global | |
POST or PUT | /policy/handler/{dataSourceId} | |
POST | /policy/global/applyPolicy | |
PUT | /policy/global/{policyId} | |

Attribute | Type | Description | Required |
---|---|---|---|
body | array | Contains Global Policy metadata. | Yes |

Attribute | Type | Description | Required |
---|---|---|---|
dataSourceId | integer | The ID of the data source. | Yes |
jsonPolicies | array[object] | An array of JSON rules objects. | Yes |

Attribute | Type | Description |
---|---|---|
id | integer | The policy handler ID. |
url | string | The URL of the Immuta tenant. |
dataSourceId | integer | The ID of the data source the policy is applied to. |
createdBy | integer | The ID of the user who created the policy. |
ca | string | The certificate authority. |
jsonPolicies | array[object] | Policy metadata, including the policy type (visibility, masking, time, minimization, exemption, external, prerequisite, customWhere, showRowsNever, or rowOrObjectRestriction), rules, and description. |
rules | string | The conditions of the policy. |
createdAt | timestamp | The date the policy was created. |
updatedAt | timestamp | The date the policy was modified. |

Attribute | Type | Description | Required |
---|---|---|---|
payload | array | Contains Global Policy and data source metadata. | Yes |

Attribute | Type | Description | Required |
---|---|---|---|
policyID | integer | The ID of the Global Policy. | Yes |
dataSourceID | integer | The ID of the data source to apply the policy to. | Yes |
merged | boolean | Default false. | Yes |

Attribute | Type | Description | Required |
---|---|---|---|
policyID | integer | The ID of the Global Policy you want to update. | Yes |
payload | array | Contains Global Policy and metadata. | Yes |
POST /policy/search
GET /policy/global/{policyId}
GET /policy/global
GET /policy/global/appliedTo/{policyId}
GET /policy/dataSourcePolicies/{dataSourceId}
GET /policy/diff/{dataSourceId}
GET /policy/handler/{dataSourceId}
body | array[object] | Facets of the policy to search by, including the rule type, where the policy applies, exceptions, and policy circumstances. | No |
type | string | The type of policy to search for: data or subscription. | No |
scope | string | Indicates whether the policy is global or local. | No |
size | integer | Pages results by default; size is the number of results to return per page. | No |
offset | integer | Used in combination with size to fetch pages. | No |
sortField | string | Indicates which field to sort the policies by: name, createdBy, createdAt, state, isNotApplied, or scope. | No |
sortOrder | string | Indicates whether to sort policies in ascending or descending order: asc or desc. | No |
searchText | string | Searches text; this will filter policies by name. | No |
countOnly | boolean | When true, will only return the number of policies found in the search. | No |
mode | string | Attribute options include similarPolicies, impactedUsers, or impactedDataSources. | No |
excludedPolicies | array[integer] | Global Policy IDs to exclude. | No |
Count | integer | The number of policies found that match the search criteria. |
Hits | array | Policy metadata, including the name, scope, type, and data sources it applies to. |
policyId | integer | The ID of the Global Policy. | Yes |
offset | integer | Used in combination with size to fetch pages. | No |
size | integer | Pages results by default; size is the number of results to return per page. | No |
sortField | string | Indicates which field to sort the policies by: name or createdAt. Default createdAt. | No |
sortOrder | string | Indicates whether to sort policies in ascending or descending order: asc or desc. Default desc. | No |
searchText | string | Searches text; this will filter policies by name. | No |
type | string | The type of policy to search for: data or subscription. | No |
scope | string | Indicates whether the policy is global or local. | No |
nameOnly | boolean | When true, only returns the policy name, type, and ID. | No |
templates | boolean | When true, returns templates only. When false, returns non-templates only. When omitted, returns both. | No |
name | string | The name of the policy. |
id | integer | The policy ID. |
type | string | The type of policy: data or subscription. |
hits | array | Policy metadata, including the name, scope, type, and dataSources it applies to. |
policyId | integer | The ID of the Global Policy. | Yes |
count | integer | The number of data sources the policy applies to. |
dataSourceId | integer | The ID of the data source. | Yes |
retrieveAll | boolean | When false, filters out any custom domain-specific language rules. | No |
excludeGlobal | boolean | When true, filters out any policy actions driven by a Global Policy. | No |
body | array | Contains policy metadata, including the policy type, rules, exceptions, and date of creation. |
dataSourceId | integer | The ID of the data source. | Yes |
previousHandlerId | integer | The ID of the previous policy. | No |
currentHandlerId | integer | The ID of the current policy. | No |
current | array | Contains policy metadata of the current policy, including the policy type, rules, exceptions, and date of creation. |
previous | array | Contains policy metadata of the previous policy, including the policy type, rules, exceptions, and date of creation. |
hasChanges | boolean | When true, indicates the policy was changed. |
dataSourceId | integer | The ID of the data source. | Yes |
hits | array | Policy metadata, including the name, scope, rules, and policy type. |
policyId | integer | The ID of the policy. | Yes |
dataSourceId | The unique identifier of the data source. |
policyId | The unique identifier of the policy. |
policyId | The unique identifier of the policy. |
id | The unique identifier of the domain. |
name | The name of the domain. |
description | The description of the domain that will be displayed for users. |
createdBy | The unique identifier of the user who created the domain. |
profile.name | The name of the user who created the domain. |
createdAt | The date and time the domain was created. |
updatedAt | The date and time the domain was updated. |
type | The type of collection. Value is |
id | The unique identifier of the domain. | Required | - | - |
name | The name of the domain. | Required | - | - |
description | The description of the domain that will be displayed for users. | Optional | - | - |
type | The type of collection. | Required | | |
type | The type of collection. | |
offset | The number of items from the beginning of the response to exclude. You can combine the | Minimum value is |
size | The number of domains to return. | Minimum value is |
searchText | The text to search for in domain names. This will return domains with a name that contains this search text. | - |
withPermissions | Only returns domains that the querying user has been granted the permission in. | |
collectionId | The unique identifier of the domain. |
collectionType | The type of collection. The accepted value is |
collectionName | The name of the domain. |
collectionId | The unique identifier of the domain. |
name | The name of the domain. | Optional | - | - |
description | The description of the domain that will be displayed for users. | Optional | - | - |
collectionId | The unique identifier of the domain. |
dryRun | If |
collectionId | The unique identifier of the domain. |
dataSourceId | The unique identifier of the data source in Immuta. | Required | - | - |
collectionId | The unique identifier of the domain. |
offset | The number of items from the beginning of the response to exclude. You can combine the | Minimum value is |
size | The number of data sources to return. | Minimum value is |
collectionId | The unique identifier of the domain from which to remove the data source. |
dataSourceId | The unique identifier of the data source to remove. |
id | The unique identifier of the permissions object. |
profileId | The unique identifier of the user the permission is assigned to. |
groupId | The unique identifier of the group the permission is assigned to. |
collectionId | The unique identifier of the domain. |
permission | The permission assigned to the user. Accepted values are |
createdAt | The date and time the permission object was created. |
source | Indicates whether the permission was assigned as a user permission or a group permission. |
collectionId | The unique identifier of the domain. |
groupId | The unique identifier of the group the permission is assigned to. | Optional | | - |
profileId | The unique identifier of the user in the identity manager. | Optional | | - |
permission | The domain permission assigned to the user. | Required | - | |
collectionId | The unique identifier of the domain. |
memberType | The type of member to get a list of permissions for. Possible values include |
type | The permission to return. | |
offset | The number of items from the beginning of the response to exclude. You can combine the | Minimum value is |
size | The number of users to return. | Minimum value is |
searchText | A string used to filter the results returned by the | - |
sortField | Specifies the field to sort the results by. | |
sortOrder | Specifies how to sort the results of the request. | |
memberType | The type of member to get a list of permissions for. Possible values include |
memberId | The unique identifier of the user or group. |
type | The permission to return. | |
offset | The number of items from the beginning of the response to exclude. You can combine the | Minimum value is |
size | The number of permissions to return. | Minimum value is |
searchText | A string used to filter the results returned by the | - |
sortField | Specifies the field to sort the results by. | |
sortOrder | Specifies how to sort the results of the request. | |
collectionId | The unique identifier of the domain. |
permissionId | The unique identifier of the assigned permission. |
collectionId | The unique identifier of the domain. |
memberType | The type of member to remove the permission from. Possible values include |
memberId | The unique identifier of the user or group. |
permissionType | The type of permission to delete. Accepted values are |
profileId | The unique identifier of the user to whom you are granting write access. | Required | - | - |
state | The user's role on the data source. | Required | - | |
accessGrant | The type of access to grant the user. | Required | - | |
type | The type of policy. For write access policies, the type is | Required | - | |
accessGrant | The type of access the user is granted. | Required | - | |
description | The description of the policy. | Optional | | - |
subscriptionType | The restriction level of the subscription policy. | Required | - | |
operator | Specifies how to combine the conditions of the policy. | Required | - | |
type | The type of condition under which to apply the policy. | Required | - | |
columnRegex | This object indicates that the policy should apply to data sources with column names that match the regular expression. Its child parameters are outlined below. | Required when type is | - | - |
columnRegex.regex | A regular expression that matches names of columns. | Required when type is | - | - |
columnRegex.caseInsensitive | When | Optional | | |
columnTag | This object specifies the column tags required for the policy to apply to the data source. Child parameters are outlined below. | Required if type is | - | - |
columnTag.name | The name of the tag. | Required if type is | - | - |
columnTag.displayName | The display name of the tag. | Optional | - | - |
columnTag.hasLeafNodes | When | Optional | - | - |
server | The server that contains the data sources the policy should be applied to. | Required when type is | - | - |
startDate | Applies the policy to data sources created on or after this startDate and before the endDate (if the endDate is specified). | Required when type is | - | - |
endDate | Applies the policy to data sources created on or before this endDate and after the startDate. | Optional | | - |
isSubscriptionOverride | When |
id | The unique identifier of the user's subscription to the data source. |
modelId | The unique identifier of the data source. |
modelType | The type of model the subscription policy applies to. For write policies, modelType is |
state | The type of role the user has, such as |
admin | The unique identifier of the user who granted write access to the data source subscriber. |
denialReasoning | If the user was denied access to the data source, this field contains the reason entered by the owner who denied access. |
profile | The unique identifier of the user who has been granted write access. |
group | The name of the group that has been granted write access, when applicable. |
policy | When |
expiration | The date the user's access expires. |
acknowledgeRequired | When |
createdAt | The date and time the user's access to the data source was granted. |
updatedAt | The date and time the user's access to the data source was updated. |
accessGrant | The type of access the user has to the data source: |
approved | When |
POST | | 200 |
PUT | | 200 |
searchText | | No |
values | |
dataSourceId | | No |
projectId | | No |
profileId | | No |
recordType | | No |
outcome | | No |
minDate | | No |
maxDate | | No |
blobId | | No |
offset | | No |
size | | No |
sortField | | No |
sortOrder | | No |
hits | |
recordId | | Yes |
hits | |
recordId | | Yes |
value | |
dataSourceId | | Yes |
offset | | No |
size | | No |
sortField | | No |
sortOrder | | No |
auditId | |
lastRun | |
timesRun | |
name | |
searchText | | No |
name | |
searchText | | No |
values | |
name | |
count | |
POST | Manually grants write access to a user |
POST | Creates a global write access policy |
DELETE | Deletes the specified global write access policy |
GET | Gets the global policy with the given policy ID |
PUT | Updates the specified global policy |
POST | Creates a new domain |
GET | Retrieves all domains |
GET | Retrieves a specific domain |
GET | Retrieves a specific domain by name |
PUT | Updates a domain name or description |
DELETE | Deletes a domain |
POST | Adds data sources to a domain |
GET | Retrieves the data sources in the domain |
DELETE | Deletes a data source from a domain |
POST | Assigns a domain permission to a user |
GET | Retrieves user permissions assigned in the domain |
DELETE | Removes a domain permission from a user by the permission ID |
DELETE | Removes a domain permission from a user by the user ID and permission type. |
type | The type of policy to create. | Required | - | |
name | The name of the policy. | Required | - | - |
template | Specifies whether or not the policy should be available as a template. | Optional | | |
Required | - |
staged | When | Required | - | |
Optional | By default, the policy applies to all data sources. | - |
policyKey | The unique name of the policy. |
createdBy | The unique identifier of the user who created the policy. |
createdByName | The username of the user who created the policy. |
createdAt | The date the policy was created. |
clonedFrom | The unique identifier of the policy that the new policy was cloned from. |
systemGenerated | Indicates whether or not the policy is system-generated. |
deleted | When |
id | The unique identifier of the policy. |
type | The type of policy. For write access policies, the type is |
name | The name of the policy. |
template | Specifies whether or not the policy is available as a template. |
certification | The certification object only applies to data policies, not write access policies. |
actions | Specifies the policy access type and restriction level. |
actions.type | The type of policy. For write access policies, the type is |
actions.accessGrant | The type of access the user is granted. For write access policies, actions.accessGrant is |
actions.description | The description of the policy. |
actions.allowDiscovery | When |
actions.subscriptionType | The restriction level of the subscription policy. |
actions.shareResponsibility | When |
actions.automaticSubscription | When |
staged | When |
circumstances |
Specifies the policy access type and restriction level. See the for details.
This object specifies the conditions under which the policy applies to a data source. Set the value to null
to enforce the policy only when it is applied by data owners. Do not include this object in your payload to apply the policy to all data sources. See the for additional parameters and details.
Specifies the conditions under which the policy applies to a data source. See the for child parameters.