> For the complete documentation index, see [llms.txt](https://documentation.immuta.com/latest/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://documentation.immuta.com/latest/developer-guides/api-intro/immuta-v1-api/manage-data-access/policy.md). # Manage Data and Subscription Policies The `policy` endpoint allows you to manage and review policies in Immuta. This page outlines the endpoint and its request and response parameters. {% hint style="info" %} Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented. {% endhint %} ## Policy workflow 1. [Create and manage policies](#create-and-manage-policies). 2. [Search for, review, and compare policies](#review-policies). 3. [Delete global policies](#delete-a-global-policy). ## Create and manage policies | Method | Path | Purpose | | ----------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | | POST | `/policy/global` | [Create a global policy](#create-a-global-policy). | | POST or PUT | `/policy/handler/{dataSourceId}` | [Create (POST) or update (PUT) a policy for the specified data source](#create-or-update-a-policy-for-a-specific-data-source). | | POST | `/policy/global/applyPolicy` | [Apply a global policy to a data source](#apply-a-global-policy-to-a-data-source). | | PUT | `/policy/global/{policyId}` | [Update the specified global policy](#update-a-global-policy). | ### Create a global policy `POST` `/policy/global` Create a global subscription or data policy. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Body parameters {% tabs %} {% tab title="Subscription policy" %}
AttributeDescriptionRequired
typestring The type of policy. Accepted values are subscription or data.Yes
namestring The name of the policy that will be displayed in the Immuta UI.Yes
templateboolean Specifies whether or not this policy should be available as a template.No
actions.typestring The type of policy. Accepted value is subscription.Yes
actions.subscriptionTypestring The type of subscription policy. Accepted values are approval, automatic, manual, or policy.Required when type is subscription.
actions.descriptionstring The description of the policy.No
actions.shareResponsibilityboolean When true the subscription policy will merge with other subscription policies on the data source with OR.No
actions.allowDiscoveryboolean When true, users can see the data source in the Immuta UI, even if they do not have the attributes and groups specified by the policy.No
actions.accessGrantstring The type of access the user is granted. Accepted values are READ or WRITE.No
actions.exceptions.operatorstring Specifies how to combine the conditions of the policy. Accepted values are AND or OR.No
actions.exceptions.conditions.typestring Specifies the type of entitlement to include in the exception. Accepted values are groups or authorizations.No
actions.exceptions.conditions.type.groupstring The group to allow to subscribe to the data source.Required when actions.exceptions.conditions.type is groups.
actions.exceptions.conditions.type.authorization.authstring The attribute key to allow to subscribe to the data source.Required when actions.exceptions.conditions.type is authorizations.
actions.exceptions.conditions.type.authorization.valuestring The attribute value to allow to subscribe to the data source.Required when actions.exceptions.conditions.type is authorizations.
actions.automaticSubscriptionboolean When true, users will be automatically subscribed to the data source without having to take action.Yes
stagedboolean When true, the policy is not active or enforced on any data sources.No
circumstances.typestring Specifies how to determine whether or not to apply the policy to the data source. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period. Accepted values are columnRegex, columnTags, domains, null, server, tags, or time.No
circumstances.columnRegex.regexstring The regular expression that identifies how column names are spelled.Required when circumstances.type is columnRegex.
circumstances.columnRegex.caseInsensitiveboolean When true, the regex will ignore the casing of column names.No
circumstances.serverstring Specifies the server that contains the data sources the policy should be applied to.Required when circumstances.type is server.
circumstances.startDatestring Specifies to apply policies to data sources created on or after this date and before the endDate.Required when circumstances.type is time.
circumstances.endDatestring Specifies to apply policies to data sources created before this date and after the startDate.No
circumstances.tag.namestring The name of the tag on the data source.Required when circumstances.type is tags.
circumstances.tag.displayNamestring The display name of the tag on the data source.No
circumstances.tag.hasLeafNodesboolean When true, indicates the tag on the data source has child tags.No
circumstances.columnTag.namestring The name of the tag.Required when circumstances.type is columnTags.
circumstances.columnTag.displayNamestring The display name of the tag.No
circumstances.columnTag.hasLeafNodesboolean When true, indicates the tag has child tags.No
circumstances.domains.idstring The unique identifier of the domain.Required when circumstances.type is domains and circumstances.domains.name is not provided.
circumstances.domains.namestring The name of the domain.Required when circumstances.type is domains and circumstances.domains.id is not provided.
circumstances.operatorstring Specifies how multiple circumstances of the policy will be combined with each other. When circumstances.type is domains, this value must be AND.Yes
{% endtab %} {% tab title="Data policy" %} | Attribute | Description | Required | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | | **type** | `string` The type of policy. Accepted values are `subscription` or `data`. | **Yes** | | **name** | `string` The name of the policy that will be displayed in the Immuta UI. | **Yes** | | **template** | `boolean` Specifies whether or not this policy should be available as a template. | No | | certification**.text** | `string` The text that appears when a data owner attempts to certify a policy. | No | | certification.**label** | `string` The label that appears when the policy has been certified. | No | | certification.**tags** | `array[string]` Tags that impact the certification. | No | | certification.**recertify** | `boolean` When `true`, data owners must re-certify all data sources this policy applies to. | No | | actions.**type** | `string` The type of policy. Accepted values are `masking`, `minimization`, `prerequisite`, `rowOrObjectRestriction`, or `time`. | **Yes** | | actions.**rules** | `object` The policy rules to enforce. See the [Rules object section](#rules-object) for details. | **Yes** | | actions.**description** | `string` An explanation of the purpose of the policy. | No | | **staged** | `boolean` When `true`, the policy is not enforced on any data sources. | No | | circumstances.**type** | `string` Specifies how to determine whether or not to apply the policy to the data source. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period. Accepted values are `columnRegex`, `columnTags`, `domains`, [`null`](#user-content-fn-5)[^5], `server`, `tags`, or `time`. | No[^6] | | circumstances.columnRegex.**regex** | `string` The regular expression that identifies how column names are spelled. | Required when **circumstances.type** is `columnRegex`. | | circumstances.columnRegex.**caseInsensitive** | `boolean` When `true`, the regex will ignore the casing of column names. | No | | circumstances.**server** | `string` Specifies the server that includes the data sources to apply the policy to. | Required when **circumstances.type** is `server`. | | circumstances.**startDate** | `string` Specifies to apply policies to data sources created on or after this date and before the `endDate`. | Required when **circumstances.type** is `time`. | | circumstances.**endDate** | `string` Specifies to apply policies to data sources created before this data and after the `startDate`. | No | | circumstances.tag**.name** | `string` The name of the tag on the data source. | Required when **circumstances.type** is `tags`. | | circumstances.tag.**displayName** | `string` The display name of the tag on the data source. | No | | circumstances.tag.**hasLeafNodes** | `boolean` When `true`, indicates the tag on the data source has child tags. | No | | circumstances.columnTag.**name** | `string` The name of the tag. | Required when **circumstances.type** is `columnTags`. | | circumstances.columnTag.**displayName** | `string` The display name of the tag. | No | | circumstances.columnTag.**hasLeafNodes** | `boolean` When `true`, indicates the tag has child tags. | No | | circumstances.domains.**id** | `string` The unique identifier of the domain. | Required when **circumstances.type** is `domains` and **circumstances.domains.name** is not provided**.** | | circumstances.domains.**name** | `string` The name of the domain. | Required when **circumstances.type** is `domains` and **circumstances.domains.id** is not provided**.** | | circumstances.**operator** | `string` Specifies how multiple circumstances of the policy will be combined with each other. When **circumstances.type** is `domains`, this value must be `AND`. | **Yes** | **Rules object** The **rules** object configures the type of data policy to enforce. The table below outlines its child attributes. | Attribute | Description | | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **type** | `string` The type of policy. Accepted values are `masking`, `minimization`, `prerequisite`, `time`, or [`visibility`](#user-content-fn-7)[^7]. | | config.fields.**name** | `string` The name of the tag on the column that should be masked. Required when **type** is `masking`. | | config.fields.**displayName** | `string` The display name of the tag on the column that should be masked. | | config.fields.**hasLeafNodes** | `boolean` When `true`, indicates that the tag on the column to be masked has child tags. | | config.maskingConfig**.type** | `string` Specifies the type of masking to apply to the data. Accepted values are [`Consistent Value`,](#user-content-fn-8)[^8] `Format Preserving Masking`, [`Grouping`](#user-content-fn-9)[^9], `Regular Expression`, or `Reversible.` | | config.maskingConfig.metadata.**constant** | `string` Specifies the string that will replace the value in the column. Use this attribute when **config.maskingConfig.type** is `Consistent Value` and you want to specify the constant used to replace the value. | | config.maskingConfig.metadata.**bucketSize** | `integer` The bucket size to round to. Use this value when config.maskingConfig.type is `Grouping` and you want to mask a numeric value. | | config.maskingConfig.metadata.**timePrecision** | `string` Specifies where Immuta will round the time to. Accepted values are `HOUR`, `DAY`, `MONTH`, `QUARTER`, or `YEAR`. Use this when config.maskingConfig.type is `Grouping` and you want to mask a time value. | | config.maskingConfig.metadata.**regex** | `string` The regular expression that identifies the portion of the value to mask. | | config.maskingConfig.metadata.**replacement** | `string` The string that will replace the portion of the value identified by the regular expression to mask. | | config.**percent** | `integer` Specifies the percentage of the data to show. Required when **type** is `minimization`. | | exceptions.**operator** | `string` Specifies the combination of entitlements the user must have to be exempt from the policy. Accepted values are `AND` or `OR`. | | exceptions.conditions.**type** | `string` Specifies the types of entitlements to exempt from the policy. Accepted values are `groups` or `authorizations`. | | exceptions.conditions.type.**group** | `string` The group to exempt from the data policy. | | exceptions.conditions.type.authorization.**auth** | `string` The attribute key to exempt from the data policy. | | exceptions.conditions.type.authorization.**value** | `string` The attribute value to exempt from the data policy. | | inclusions.**operator** | `string` Specifies the combination of entitlements the user must have for the policy to apply to them. Accepted values are `AND` or `OR`. | | inclusions.conditions.**type** | `string` Specifies the types of entitlements to include in the policy. Accepted values are `groups` or `authorizations`. | | inclusions.conditions.type.**group** | `string` The group to include in the data policy. | | inclusions.conditions.type.authorization.**auth** | `string` The attribute key to include in the policy. | | inclusions.conditions.type.authorization.**value** | `string` The attribute value to include in the policy. | | {% endtab %} | | | {% endtabs %} | | #### Request example This example request creates a global policy (saved in the `example-payload.json` file) in the Immuta tenant. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/global ``` **Request payload example** ```json { "type": "subscription", "name": "HR data policy", "template": true, "certification": null, "actions": [ { "type": "subscription", "subscriptionType": "policy", "description": null, "shareResponsibility": true, "allowDiscovery": false, "accessGrant": "READ", "exceptions": { "operator": "and", "conditions": [ { "type": "groups", "group": { "name": "HR" } } ] }, "automaticSubscription": true } ], "staged": false, "circumstances": null } ``` #### Response example ```json { "policyKey": "HR data policy", "name": "HR data policy", "type": "subscription", "template": true, "staged": false, "systemGenerated": false, "deleted": false, "certification": null, "actions": [ { "type": "subscription", "exceptions": { "operator": "and", "conditions": [ { "type": "groups", "group": { "name": "HR" } } ] }, "accessGrant": "READ", "description": null, "allowDiscovery": false, "subscriptionType": "policy", "shareResponsibility": true, "automaticSubscription": true } ], "circumstances": null, "metadata": null, "clonedFrom": null, "createdBy": 2, "protected": false, "id": 24, "createdAt": "2025-04-21T19:09:17.884Z", "updatedAt": "2025-04-21T19:09:17.884Z", "createdByName": "Taylor", "ownerRestrictions": null } ``` ### Create or update a policy for a specific data source `POST` or `PUT` `/policy/handler/{dataSourceId}` Create (POST) or update (PUT) a policy for the specified data source. #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Body parameter | Attribute | Description | Required | | ------------ | ----------------------------------------------- | -------- | | jsonPolicies | `array[object]` An array of JSON rules objects. | **Yes** | #### Response parameters | Attribute | Description | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | id | `integer` The policy handler ID. | | url | `string` The URL of the Immuta tenant. | | dataSourceId | `integer` The ID of the data source the policy is applied to. | | createdBy | `integer` The ID of the user who created the policy. | | ca | `string` The certificate authority. | | jsonPolicies | `array[object]` Policy metadata, including the policy `type` (`visibility`, `masking`, `time`, `minimization`, `external`, `prerequisite`, `customWhere`, `showRowsNever`, or `rowOrObjectRestriction`), `rules`, and `description`. | | rules | `object` The conditions of the policy. | | createdAt | `timestamp` The date the policy was created. | | updatedAt | `timestamp` The date the policy was modified. | #### Request example This example request applies the policy specified in the payload to the data source with the ID `2`. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/handler/2 ``` **Request payload example** ```json { "jsonPolicies": [{ "type": "masking", "rules": [{ "type": "masking", "config": { "fields": ["amount"], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null }], "createdAt": "2021-09-20T20:03:18.001Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [{ "type": "masking", "config": { "fields": ["geo_latitude"], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null }], "createdAt": "2021-09-20T20:02:02.213Z", "createdBy": 2, "description": null }, { "type": "prerequisite", "rules": [{ "type": "prerequisite", "exceptions": null, "config": { "qualifications": { "operator": "and", "conditions": [{ "type": "purposes", "value": "Re-identification Prohibited" }] } } }], "description": "" }], "dataSourcePolicyHandler": { "handlerId": 26, "visibilitySchema": { "fields": [] } } } ``` #### Response example ```json { "id": 42, "dataSourceId": 2, "createdBy": 2, "ca": ["-----BEGIN CERTIFICATE-----\ncertificatedata\n-----END CERTIFICATE-----"], "jsonPolicies": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "amount" ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "createdAt": "2021-09-20T20:03:18.001Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "geo_latitude" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "createdAt": "2021-09-20T20:02:02.213Z", "createdBy": 2, "description": null }, { "type": "prerequisite", "rules": [ { "type": "prerequisite", "config": { "qualifications": { "operator": "and", "conditions": [ { "type": "purposes", "value": "Re-identification Prohibited" } ] } }, "exceptions": null } ], "createdAt": "2021-09-20T20:05:35.925Z", "createdBy": 2, "description": null } ], "createdAt": "2021-09-21T18:49:34.021Z", "updatedAt": "2021-09-21T18:49:34.021Z" } ``` ### Apply a global policy to a data source *Note: Global policies that contain the condition "with columns tagged" or "on all data sources" will automatically apply to relevant data sources when the policy is created. The endpoint detailed below can be used to apply global policies that contain the condition "when selected by data owners," as these policies are not automatically applied to data sources.* `POST` `/policy/global/applyPolicy` Apply the global policy to the specified data source. #### Body parameters | Attribute | Description | Required | | --------- | -------------------------------------------------------- | -------- | | payload | `array` Contains global policy and data source metadata. | **Yes** | #### Payload parameters | Attribute | Description | Required | | ------------ | ----------------------------------------------------------- | -------- | | policyId | `integer` The ID of the global policy. | **Yes** | | dataSourceID | `integer` The ID of the data source to apply the policy to. | **Yes** | | merged | `boolean` **Default `false`.** | **Yes** | #### Response parameters None. When successful, no message will display. #### Request example This example request applies the specified global policy to the specified data source (saved in the `example-payload.json` file) in the Immuta tenant. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/global/applyPolicy ``` **Request payload example** The following payload will apply the global policy with the ID `1` to the data source with ID `1`. ```json { "policyId": 1, "dataSourceId": 1, "merged": false } ``` ### Update a global policy `PUT` `/policy/global/{policyId}` Update the specified policy. #### Path parameters | Attribute | Description | Required | | --------- | --------------------------------------------------------- | -------- | | policyId | `integer` The ID of the global policy you want to update. | **Yes** | #### Body parameters | Attribute | Description | Required | | --------- | -------------------------------------------- | -------- | | payload | `array` Contains global policy and metadata. | **Yes** | #### Payload parameters See the [Create a global policy section ](#create-a-global-policy)for payload details. #### Response parameters When successful, the response returns the body of the request payload. #### Request example This example request updates the specified global policy (`8`) with changes to the metadata saved in the `example-payload.json` file. ```bash curl \ --request PUT \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/global/8 ``` **Request payload example** In this payload, the user updated the `description` attribute to update the policy. ```json { "id": 8, "policyKey": "Mask Passports", "name": "Mask Passport", "type": "data", "template": false, "staged": false, "systemGenerated": false, "deleted": false, "certification": { "tags": ["Discovered.Passport"], "text": "This certifies that all columns containing passports in this data source have been tagged appropriately.", "label": "Certified" }, "actions": [{ "type": "masking", "rules": [{ "type": "masking", "config": { "fields": [{ "name": "Discovered.Passport", "source": "curated", "hasLeafNodes": false, "displayName": "Discovered > Passport" }], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null }], "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." }], "circumstances": [{ "type": "columnTags", "operator": "or", "columnTag": { "name": "Discovered.Passport", "hasLeafNodes": false, "displayName": "Discovered > Passport" } }], "metadata": null, "clonedFrom": null, "createdBy": 2, "createdAt": "2021-09-21T18:35:48.615Z", "updatedAt": "2021-09-21T18:41:36.054Z", "createdByName": "Katie", "ownerRestrictions": null } ``` #### Response example ```json { "id": 6, "policyKey": "mask-passports", "name": "Mask Passports", "type": "data", "template": false, "createdBy": 2, "createdByName": "Kate", "createdAt": "2021-09-14", "updatedAt": "2021-09-15", "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": null, "config": { "fields": [ { "name": "Discovered.Passport", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } } } ], "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." } ], "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "Discovered.Passport", "hasLeafNodes": false } } ], "clonedFrom": 0, "staged": false, "systemGenerated": false, "deleted": false, "certification": { "label": "string", "text": "string", "tags": [ "string" ], "recertify": false } } ``` ## Review policies | Method | Path | Purpose | | ------ | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | | POST | `/policy/search` | [Search all policies](#search-for-policies). | | GET | `/policy/global/{policyId}` | [Find the policy with the specified ID](#find-policies-by-policy-id). | | GET | `/policy/global` | [Find a list of global policies with the specified `entityType`](#find-policies-by-entity-type). | | GET | `/policy/global/appliedTo/{policyId}` | [Find the number of data sources the specified policy is currently applied to](#find-the-number-of-data-sources-a-specified-policy-applies-to). | | GET | `/policy/dataSourcePolicies/{dataSourceId}` | [Get the policy information for the specified data source](#get-the-policy-information-for-a-specific-data-source). | | GET | `/policy/diff/{dataSourceId}` | [Get the differences between two policy handler versions](#get-the-differences-between-two-policy-versions). | | GET | `/policy/handler/{dataSourceId}` | [Get the policy handler metadata for a specific data source](#get-the-policy-handler-metadata-for-a-specific-data-source). | ### Search for policies `POST` `/policy/search` Searches for specified policies. #### Body parameters | Attribute | Description | Required | | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------- | | body | `array[object]` Facets of the policy to search by, including the rule type, where the policy applies, exceptions, and policy circumstances. | No | | type | `string` The type of policy to search for: `data` or `subscription`. | No | | scope | `string` Indicates whether the policy is `global` or `local`. | No | | size | `integer` Pages results by default; `size` is the number of results to return per page. | No | | offset | `integer` Used in combination with `size` to fetch pages. | No | | sortField | `string` Indicates which field to sort the policies by: `name`, `createdBy`, `createdAt`, `state`, `isNotApplied`, or `scope`. | No | | sortOrder | `string` Indicates whether to sort policies in ascending or descending order: `asc` or `desc`. | No | | searchText | `string` Searches text; this will filter policies by name. | No | | countOnly | `boolean` When `true`, will only return the number of policies found in the search. | No | | mode | `string` Attribute options include `similarPolicies`, `impactedUsers`, or `impactedDataSources`. | No | | excludedPolicies | `array[integer]` Global policy IDs to exclude. | No | #### Response parameters | Attribute | Description | | --------- | ----------------------------------------------------------------------------------------- | | count | `integer` The number of policies found that match the search criteria. | | hits | `array` Policy metadata, including the name, scope, type, and data sources it applies to. | #### Request example This example request searches for a global policy that contains the text `mask` in Immuta. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/search?scope=global&searchText=mask ``` #### Response example ```json { "count": 1, "hits": [{ "name": "Mask Passports", "createdBy": "Katie", "state": "active", "isNotApplied": false, "scope": "global", "type": "data", "globalPolicyId": 8, "policyId": null, "dataSourceId": null, "createdAt": "2021-09-21T18:35:48.615Z", "detailLabels": { "ruleType": ["masking"], "tags": ["Discovered.Passport"] }, "enforcedOn": { "count": 1, "hits": [{ "id": 1, "name": "Public Credit Accounts" }] } }] } ``` ### Find policies by policy ID `GET` `/policy/global/{policyId}` Find the policy with the specified ID. #### Path parameter | Attribute | Description | Required | | --------- | -------------------------------------- | -------- | | policyId | `integer` The ID of the global policy. | **Yes** | #### Response parameters The response returns a policy object. See the [Create a global policy section ](#create-a-global-policy)for descriptions. #### Request example This example request returns the global policy with the ID `1`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global/1 ``` #### Response example ```json { "id": 1, "policyKey": "New Column Added", "name": "New Column Added", "type": "data", "template": false, "staged": false, "systemGenerated": true, "deleted": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ { "name": "New", "source": "curated", "hasLeafNodes": false } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "description": null } ], "circumstances": [ { "type": "columnTags", "operator": "or", "columnTag": { "name": "New", "hasLeafNodes": false } } ], "metadata": null, "clonedFrom": null, "createdBy": 1, "createdAt": "2021-09-09T13:47:03.448Z", "updatedAt": "2021-09-16T14:10:05.694Z", "syncStatuses": true, "createdByName": "Immuta System Account", "ownerRestrictions": null } ``` ### Find policies by entity type `GET` `/policy/global` Find the policy with the specified entity type. #### Query parameters | Attribute | Description | Required | | ---------- | -------------------------------------------------------------------------------------------------------------------- | -------- | | offset | `integer` Used in combination with `size` to fetch pages. | No | | size | `integer` Pages results by default; `size` is the number of results to return per page. | No | | sortField | `string` Indicates which field to sort the policies by: `name` or `createdAt`. **Default `createdAt`**. | No | | sortOrder | `string` Indicates whether to sort policies in ascending or descending order: `asc` or `desc`. **Default `desc`**. | No | | searchText | `string` Searches text; this will filter policies by `name`. | No | | type | `string` The type of policy to search for: `data` or `subscription`. | No | | scope | `string` Indicates whether the policy is `global` or `local`. | No | | nameOnly | `boolean` When `true`, only returns the policy name, type, and ID. | No | | templates | `boolean` When `true`, returns templates only. When `false`, returns non-templates only. When omitted, returns both. | No | #### Response parameters | Attribute | Description | | --------- | ------------------------------------------------------------------------------------------------ | | name | `string` The name of the policy. | | id | `integer` The policy ID. | | type | `string` The type of policy: `data` or `subscription`. | | hits | `array` Policy metadata, including the `name`, `scope`, `type`, and `dataSources` it applies to. | #### Request example This example request returns the name, type, and ID of all policies. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global?nameOnly=true ``` #### Response example ```json [ { "name": "Mask Passports", "id": 6, "type": "data" }, { "name": "New Column Added", "id": 1, "type": "data" } ] ``` ### Find the number of data sources a specified policy applies to `GET` `/policy/global/appliedTo/{policyId}` Find the number of data sources the specified policy applies to. #### Path parameter | Attribute | Description | Required | | --------- | -------------------------------------- | -------- | | policyId | `integer` The ID of the global policy. | **Yes** | #### Response parameters | Attribute | Description | | --------- | ----------------------------------------------------------- | | count | `integer` The number of data sources the policy applies to. | #### Request example This example request returns the number of data sources the global policy with the ID `6` applies to. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global/appliedTo/6 ``` #### Response example ```json { "count": 1 } ``` ### Get the policy information for a specific data source `GET` `/policy/dataSourcePolicies/{dataSourceId}` Get the policy information for the specified data source. #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Query parameters | Attribute | Description | Required | | ------------- | -------------------------------------------------------------------------------- | -------- | | retrieveAll | `boolean` When `false`, filters out any custom domain-specific language rules. | No | | excludeGlobal | `boolean` When `true`, filters out any policy actions driven by a global policy. | No | #### Response parameters | Attribute | Description | | --------- | ----------------------------------------------------------------------------------------------------------- | | body | `array` Contains policy metadata, including the policy `type`, `rules`, `exceptions`, and date of creation. | #### Request example This example request returns the information of policies applied to the data source with the ID `2`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/dataSourcePolicies/2 ``` #### Response example ```json [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "amount" ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "createdAt": "2021-09-20T20:03:18.001Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "geo_latitude" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "createdAt": "2021-09-20T20:02:02.213Z", "createdBy": 2, "description": null }, { "type": "prerequisite", "rules": [ { "type": "prerequisite", "config": { "qualifications": { "operator": "and", "conditions": [ { "type": "purposes", "value": "Re-identification Prohibited" } ] } }, "exceptions": null } ], "createdAt": "2021-09-20T20:05:35.925Z", "createdBy": 2, "description": null } ] ``` ### Get the differences between two policy versions `GET` `/policy/diff/{dataSourceId}` Get the differences between two policy handler versions. #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Query parameters | Attribute | Description | Required | | ----------------- | ---------------------------------------- | -------- | | previousHandlerId | `integer` The ID of the previous policy. | No | | currentHandlerId | `integer` The ID of the current policy. | No | #### Response parameters | Attribute | Description | | ---------- | ---------------------------------------------------------------------------------------------------------------------------------- | | current | `array` Contains policy metadata of the current policy, including the policy `type`, `rules`, `exceptions`, and date of creation. | | previous | `array` Contains policy metadata of the previous policy, including the policy `type`, `rules`, `exceptions`, and date of creation. | | hasChanges | `boolean` When `true`, indicates the policy was changed. | #### Request example This example request returns the information of policies applied to the data source with the ID `3`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/diff/3?currentHandlerId=47&previousHandlerId=46 ``` #### Response example ```json { "current": [{ "type": "rowOrObjectRestriction", "rules": [{ "type": "visibility", "config": { "predicate": "(`city` in (@groups()))", "qualifications": { "operator": "and", "conditions": [{ "type": "groups", "field": "city" }] } }, "exceptions": null }], "createdAt": "2021-09-28T18:46:00.868Z", "createdBy": 2, "description": null }], "previous": [{ "type": "rowOrObjectRestriction", "rules": [{ "type": "visibility", "config": { "predicate": "(`city` in (@groups()))", "qualifications": { "operator": "and", "conditions": [{ "type": "groups", "field": "city" }] } }, "exceptions": null }], "createdAt": "2021-09-28T18:46:00.868Z", "createdBy": 2, "description": null }], "hasChanges": false } ``` ### Get the policy handler metadata for a specific data source `GET` `/policy/handler/{dataSourceId}` Get the policy handler metadata for a specific data source. #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Response parameters | Attribute | Description | | --------- | ----------------------------------------------------------------------------------- | | hits | `array` Policy metadata, including the `name`, `scope`, `rules`, and policy `type`. | #### Request example This example request returns the policy handler metadata for policies applied to the data source with the ID `1`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/handler/1 ``` #### Response example ```json { "id": 44, "dataSourceId": 1, "rules": "rule masking_0_0 { when { model_0_0 : MaskingModel ; } then { Masked(model_0_0, 0, 0) } } rule masking_5_0 { when { model_5_0 : MaskingModel ; } then { Masked(model_5_0, 5, 0) } } rule masking_6_0 { when { model_6_0 : MaskingModel ; } then { Masked(model_6_0, 6, 0) } }", "jsonPolicies": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "email" ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "createdAt": "2021-09-21T19:27:27.589Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "email" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 0, "tag": "Discovered.Passport", "name": "string", "reason": "test", "staged": false, "deleted": false, "conflict": "existingMasking", "disabled": true, "metadata": { "HEDReportVersion": "string", "certificationExpirationInterval": "string" }, "template": false, "createdAt": "2021-09-14T00:00:00.000Z", "createdBy": "Katie", "policyKey": "string", "updatedAt": "2021-09-14T00:00:00.000Z", "clonedFrom": 0, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "last_name" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 0, "tag": "Discovered.Passport", "name": "string", "reason": "test", "staged": false, "deleted": false, "conflict": null, "disabled": true, "metadata": { "HEDReportVersion": "string", "certificationExpirationInterval": "string" }, "template": false, "createdAt": "2021-09-14T00:00:00.000Z", "createdBy": "Katie", "policyKey": "string", "updatedAt": "2021-09-14T00:00:00.000Z", "clonedFrom": 0, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "ssn" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 0, "tag": "Discovered.Passport", "name": "string", "reason": "test", "staged": false, "deleted": false, "conflict": null, "disabled": true, "metadata": { "HEDReportVersion": "string", "certificationExpirationInterval": "string" }, "template": false, "createdAt": "2021-09-14T00:00:00.000Z", "createdBy": "Katie", "policyKey": "string", "updatedAt": "2021-09-14T00:00:00.000Z", "clonedFrom": 0, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "email" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 8, "tag": "Discovered.Passport", "name": "Mask Passports", "reason": null, "staged": false, "deleted": false, "conflict": "existingMasking", "disabled": true, "metadata": null, "template": false, "createdAt": "2021-09-21T18:35:48.615Z", "createdBy": "Katie", "policyKey": "Mask Passport", "updatedAt": "2021-09-21T18:41:54.299Z", "clonedFrom": null, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "last_name" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 8, "tag": "Discovered.Passport", "name": "Mask Passport", "reason": null, "staged": false, "deleted": false, "conflict": null, "disabled": false, "metadata": null, "template": false, "createdAt": "2021-09-21T18:35:48.615Z", "createdBy": "Katie", "policyKey": "Mask Passport", "updatedAt": "2021-09-21T18:41:54.299Z", "clonedFrom": null, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "ssn" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 8, "tag": "Discovered.Passport", "name": "Mask Passport", "reason": null, "staged": false, "deleted": false, "conflict": null, "disabled": false, "metadata": null, "template": false, "createdAt": "2021-09-21T18:35:48.615Z", "createdBy": "Katie", "policyKey": "Mask Passports", "updatedAt": "2021-09-21T18:41:54.299Z", "clonedFrom": null, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." } ], "createdAt": "2021-09-21T19:27:27.977Z", "updatedAt": "2021-09-21T19:27:27.977Z" } ``` ## Delete a global policy `DELETE` `/policy/global/{policyId}` Delete the specified global policy. #### Path parameter | Attribute | Description | Required | | --------- | ------------------------------- | -------- | | policyId | `integer` The ID of the policy. | **Yes** | #### Response parameters The response returns a policy object of the policy that was deleted. See the [Create a global policy section ](#create-a-global-policy)for descriptions. ### Request example The following request deletes the global policy with ID `6`. ```bash curl \ --request DELETE \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global/6 ``` ### Response example ```json { "id": 6, "policyKey": "mask-passports", "name": "Mask Passports", "type": "data", "template": false, "staged": false, "systemGenerated": false, "deleted": false, "certification": { "tags": [ "string" ], "text": "string", "label": "string" }, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ { "name": "Discovered.Passport", "source": "curated", "hasLeafNodes": false } ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." } ], "circumstances": [ { "type": "columnTags", "operator": "or", "columnTag": { "name": "Discovered.Passport", "hasLeafNodes": false } } ], "metadata": null, "clonedFrom": 0, "createdBy": 2, "createdAt": "2021-09-14T00:00:00.000Z", "updatedAt": "2021-09-15T18:46:17.661Z", "createdByName": "Katie", "ownerRestrictions": null } ``` [^1]: Users are granted access when approved by a specified user. [^2]: Anyone is granted access. [^3]: Individually selected users are granted access. [^4]: Users with specified entitlements are granted access. [^5]: Setting circumstances.**type** to `null` only applies the policy to data sources when it is selected by data owners. \ Omitting circumstances.**type** applies the policy to all data sources. [^6]: Omitting circumstances.**type** only applies the policy to data sources when it is selected by data owners. [^7]: This type redacts rows (corresponds with the `rowOrObjectRestriction` actions.type). [^8]: Used for hashing, making column values null, or masking with a constant. [^9]: Used for rounding numeric and time values. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://documentation.immuta.com/latest/developer-guides/api-intro/immuta-v1-api/manage-data-access/policy.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.