Create a Subscription Policy

POST /api/v2/policy

Required Immuta permission: GOVERNANCE

Create an "Anyone can subscribe" subscription policy:

name: Anyone
policyKey: subscription anyone
type: subscription
actions:
  type: anyone
  automaticSubscription: false
  description: Rationale
circumstances:
  - type: tags
    tag: Discovered

Path parameters

| Parameter | Description | Required or optional | Default value |
| --- | --- | --- | --- |
| dryRun boolean | If true, no updates will actually be made. | Optional | false |
| reCertify boolean | If true (and if the certification has changed), someone will need to re-certify this policy on all impacted data sources. | Optional | false |

Body parameters

The body of the request contains the details of the policy you want to create. The following table describes the attributes you can include in the body.

| Attribute | Description | Required or optional | Default value | Accepted values |
| --- | --- | --- | --- | --- |
| policyKey string | A key/name to uniquely identify this policy. | Required | - | - |
| name string | The name of the policy that will be displayed in the Immuta UI. | Required | - | - |
| type string | The type of policy. | Required | - | subscription, data |
| actions object | The actual rules for this policy. | Required | - | - |
| circumstances array | When and where the policy should get applied. | Optional | - | - |
| circumstanceOperator string | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | any | all, any |
| staged boolean | If true, this global policy is in a staged status. | Optional | false | true, false |
| certification object | Certification information for the global policy. | Optional | - | - |

actions object

The actions object describes the rules of the policy.

| Attribute | Description | Required or optional | Default value | Accepted values |
| --- | --- | --- | --- | --- |
| type string | The type of subscription policy. | Required | - | anyone: Anyone can subscribe; approval: Anyone can request approval and will be subscribed when it is approved; entitlements: Users with the listed attributes or groups will be subscribed; manual: Users must be manually added to be subscribed |
| automaticSubscription boolean | When true, users will be automatically subscribed to the data source without having to take action. | Optional | false | true, false |
| allowDiscovery boolean | When true, users can see the data source in the Immuta UI, even if they do not have the attributes and groups specified by the policy. | Optional | false | true, false |
| advanced string | An advanced function to use as the subscription policy. See the Advanced use of special functions guide for details about the functions Immuta supports. | Optional | - | - |
| description string | The rationale for your policy. | Optional | - | - |
| approvals array | Details about the user(s) that will approve subscription requests. | Required if type is approval | - | - |
| entitlements object | Details about the entitlements required for users to subscribe to the data sources. | Required if type is entitlements | - | - |

approvals array

This array is required if the policy type is approval in the actions object. It allows you to define the users who can approve subscription requests.

| Attribute | Description | Required or optional | Default value | Accepted values |
| --- | --- | --- | --- | --- |
| specificApproverRequired boolean | If true, the user to approve the request will be selected by the user requesting access. If false, any user with the required permission can approve the request. | Required | - | true, false |
| requiredPermissions string | The required permissions for the user approving the subscription request. | Required | - | USER_ADMIN, GOVERNANCE, AUDIT |

entitlements object

This object is required if the policy type is entitlements in the actions object. It allows you to define the groups or attributes that users must have to subscribe to the project.

| Attribute | Description | Required or optional | Default value | Accepted values |
| --- | --- | --- | --- | --- |
| operator string | Specifies whether users must have all or any of the entitlements to be eligible to subscribe to the data source. | Required | - | all, any |
| groups array[string] | The names of the groups the user must be a member of to subscribe to the data source. | Requires either groups or attributes | - | - |
| attributes array[object] | Details about attributes the user must have to subscribe to the data source. | Requires either groups or attributes | - | - |
| attributes.name string | The name of the attribute the user must have to subscribe to the data source. This is commonly referred to as a key. | Required if using attributes | - | - |
| attributes.value string | The value of the attribute the user must have to subscribe to the data source. | Required if using attributes | - | - |

circumstances array

The circumstances array dictates what data sources the policy will be applied to. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period.

| Attribute | Description | Required or optional | Default value | Accepted values |
| --- | --- | --- | --- | --- |
| type string | Specifies how to determine whether or not to apply the policy to the data source. | Optional | Defaults to all data sources | tags: Apply the policy when the data source has these tags; columnRegex: Apply the policy when the data source has column names that match the regex; columnTags: Apply the policy when the data source has columns with these tags; domains: Apply the policy to data sources in these domains; null: Apply the policy to data sources when it is selected by data owners; server: Apply the policy to data sources in this server; time: Apply the policy to data sources created in a specific time period |
| tag string | The tag to dictate when the policy is applied. | Required if type is tags. | - | - |
| columnTag string | The column tag to dictate when the policy is applied. | Required if type is columnTags. | - | - |
| regex string | The regex to match against column names and apply the policy when found. | Required if type is columnRegex. | - | - |
| caseInsensitive boolean | If true, the regex is case insensitive. Use with type columnRegex. | Optional | - | true, false |
| server string | Specifies the server that contains the data sources the policy should be applied to. | Required if type is server | - | - |
| startDate string | Specifies to apply policies to data sources created on or after this date and before the endDate. | Required if type is time | - | - |
| endDate string | Specifies to apply policies to data sources created before this date and after the startDate. | Optional | - | - |
| domains array[object] | Specifies to apply policies to data sources in the listed domains. | Required if type is domains. | - | - |
| domains.id string | The unique ID of the domain. | Requires either domains.id or domains.name if type is domains. | - | - |
| domains.name string | The name of the domain. | Requires either domains.id or domains.name if type is domains. | - | - |

certification object

The certification object contains the details of the certification for the policy.

| Attribute | Description | Required or optional | Default value | Accepted values |
| --- | --- | --- | --- | --- |
| text string | The text that appears when a data owner attempts to certify a policy. | Required | - | - |
| label string | The label that appears when the policy has been certified. | Required | - | - |
| tags array[string] | Tags that impact the certification. | Optional | - | - |
| recertify boolean | When true, data owners must re-certify all data sources this policy applies to. | Optional | false | true, false |
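The conditional requirements in the tables above (approvals only for approval policies, entitlements only for entitlements policies, a matching attribute for each circumstance type) are easy to miss when a policy body is written by hand. The following pre-flight check is an added example, not Immuta code; the function name `validate_policy` is hypothetical, and it assumes `approvals` and `entitlements` are nested under `actions` with the key names used in the section titles on this page.

```python
# Added example, not Immuta code; nested key names follow this page's section titles.
SUBSCRIPTION_TYPES = {"anyone", "approval", "entitlements", "manual"}
APPROVER_PERMISSIONS = {"USER_ADMIN", "GOVERNANCE", "AUDIT"}
CIRCUMSTANCE_REQUIRES = {"tags": "tag", "columnTags": "columnTag", "columnRegex": "regex",
                         "server": "server", "time": "startDate", "domains": "domains",
                         "null": None, None: None}  # type -> attribute required for it

def validate_policy(body):
    """Return a list of problems; an empty list means the body passes."""
    errors = [f"missing required attribute: {k}"
              for k in ("policyKey", "name", "type", "actions") if k not in body]
    if body.get("type", "subscription") != "subscription":
        errors.append("type must be 'subscription' for a subscription policy")
    if body.get("circumstanceOperator", "any") not in ("all", "any"):
        errors.append("circumstanceOperator must be 'all' or 'any'")
    actions = body.get("actions") or {}
    sub_type = actions.get("type")
    if sub_type not in SUBSCRIPTION_TYPES:
        errors.append(f"actions.type not accepted: {sub_type!r}")
    if sub_type == "approval":
        approvals = actions.get("approvals") or []
        if not approvals:
            errors.append("actions.approvals is required when type is approval")
        for i, a in enumerate(approvals):
            if not isinstance(a.get("specificApproverRequired"), bool):
                errors.append(f"approvals[{i}].specificApproverRequired must be a boolean")
            if a.get("requiredPermissions") not in APPROVER_PERMISSIONS:
                errors.append(f"approvals[{i}].requiredPermissions not accepted")
    if sub_type == "entitlements":
        ent = actions.get("entitlements") or {}
        if ent.get("operator") not in ("all", "any"):
            errors.append("entitlements.operator must be 'all' or 'any'")
        if not ent.get("groups") and not ent.get("attributes"):
            errors.append("entitlements needs groups or attributes")
        for i, attr in enumerate(ent.get("attributes") or []):
            if not attr.get("name") or not attr.get("value"):
                errors.append(f"entitlements.attributes[{i}] needs name and value")
    for i, c in enumerate(body.get("circumstances") or []):
        ctype = c.get("type")
        if ctype not in CIRCUMSTANCE_REQUIRES:
            errors.append(f"circumstances[{i}].type not accepted: {ctype!r}")
        elif CIRCUMSTANCE_REQUIRES[ctype] and not c.get(CIRCUMSTANCE_REQUIRES[ctype]):
            errors.append(f"circumstances[{i}] needs {CIRCUMSTANCE_REQUIRES[ctype]} for type {ctype}")
    return errors

# The request body shown at the top of this page, as a Python dict.
PAGE_EXAMPLE = {"name": "Anyone", "policyKey": "subscription anyone", "type": "subscription",
                "actions": {"type": "anyone", "automaticSubscription": False, "description": "Rationale"},
                "circumstances": [{"type": "tags", "tag": "Discovered"}]}
```

Running this check before sending the request with `dryRun` set to true catches malformed bodies locally; it covers only the rules stated on this page.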
