# Manage Data and Subscription Policies The `policy` endpoint allows you to manage and review policies in Immuta. This page outlines the endpoint and its request and response parameters. {% hint style="info" %} Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented. {% endhint %} ## Policy workflow 1. [Create and manage policies](#create-and-manage-policies). 2. [Search for, review, and compare policies](#review-policies). 3. [Delete global policies](#delete-a-global-policy). ## Create and manage policies | Method | Path | Purpose | | ----------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | | POST | `/policy/global` | [Create a global policy](#create-a-global-policy). | | POST or PUT | `/policy/handler/{dataSourceId}` | [Create (POST) or update (PUT) a policy for the specified data source](#create-or-update-a-policy-for-a-specific-data-source). | | POST | `/policy/global/applyPolicy` | [Apply a global policy to a data source](#apply-a-global-policy-to-a-data-source). | | PUT | `/policy/global/{policyId}` | [Update the specified global policy](#update-a-global-policy). | ### Create a global policy `POST` `/policy/global` Create a global subscription or data policy. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Body parameters {% tabs %} {% tab title="Subscription policy" %} {% hint style="warning" %} **Deprecation notice** Support for `automatic` (Anyone) and `approval` (Anyone who asks and is approved) subscription policy types has been deprecated. See the [Deprecations page](https://documentation.immuta.com/saas/releases/deprecations) for EOL dates. {% endhint %}
AttributeDescriptionRequired
typestring The type of policy. For subscription policies, this value must be subscription.Yes
namestring The name of the policy that will be displayed in the Immuta UI.Yes
templateboolean Specifies whether or not this policy should be available as a template.No
actions.typestring The type of policy. Accepted value is subscription.Yes
actions.subscriptionTypestring The type of subscription policy. Accepted values are approval, automatic, manual, policy, or guardrail.Required when type is subscription.
actions.descriptionstring The description of the policy.No
actions.shareResponsibility

boolean When true the subscription policy will merge with other subscription policies on the data source with OR.

When guardrail policies are enabled, this value is set by the subscriptionType, and user-provided values for this attribute will be ignored.

No
actions.allowDiscoveryboolean When true, users can see the data source in the Immuta UI, even if they do not have the attributes and groups specified by the policy.No
actions.accessGrantstring The type of access the user is granted. Accepted values are READ or WRITE.No
actions.exceptions.operatorstring Specifies how to combine the conditions of the policy. Accepted values are AND or OR.No
actions.exceptions.conditions.typestring Specifies the type of entitlement to include in the exception. Accepted values are groups or authorizations.No
actions.exceptions.conditions.type.groupstring The group to allow to subscribe to the data source.Required when actions.exceptions.conditions.type is groups.
actions.exceptions.conditions.type.authorization.authstring The attribute key to allow to subscribe to the data source.Required when actions.exceptions.conditions.type is authorizations.
actions.exceptions.conditions.type.authorization.valuestring The attribute value to allow to subscribe to the data source.Required when actions.exceptions.conditions.type is authorizations.
actions.automaticSubscriptionboolean When true, users will be automatically subscribed to the data source without having to take action.Yes
stagedboolean When true, the policy is not active or enforced on any data sources.No
circumstances.typestring Specifies how to determine whether or not to apply the policy to the data source. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period. Accepted values are columnRegex, columnTags, domains, null, server, tags, or time.No
circumstances.columnRegex.regexstring The regular expression that identifies how column names are spelled.Required when circumstances.type is columnRegex.
circumstances.columnRegex.caseInsensitiveboolean When true, the regex will ignore the casing of column names.No
circumstances.serverstring Specifies the server that contains the data sources the policy should be applied to.Required when circumstances.type is server.
circumstances.startDatestring Specifies to apply policies to data sources created on or after this date and before the endDate.Required when circumstances.type is time.
circumstances.endDatestring Specifies to apply policies to data sources created before this date and after the startDate.No
circumstances.tag.namestring The name of the tag on the data source.Required when circumstances.type is tags.
circumstances.tag.displayNamestring The display name of the tag on the data source.No
circumstances.tag.hasLeafNodesboolean When true, indicates the tag on the data source has child tags.No
circumstances.columnTag.namestring The name of the tag.Required when circumstances.type is columnTags.
circumstances.columnTag.displayNamestring The display name of the tag.No
circumstances.columnTag.hasLeafNodesboolean When true, indicates the tag has child tags.No
circumstances.domains.idstring The unique identifier of the domain.Required when circumstances.type is domains and circumstances.domains.name is not provided.
circumstances.domains.namestring The name of the domain.Required when circumstances.type is domains and circumstances.domains.id is not provided.
circumstances.operatorstring Specifies how multiple circumstances of the policy will be combined with each other. When circumstances.type is domains, this value must be AND.Yes
{% endtab %} {% tab title="Protect data policy" %} | Attribute | Description | Required | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | | **type** | `string` The type of policy. For protect data policies, this value must be `data`. | **Yes** | | **name** | `string` The name of the policy that will be displayed in the Immuta UI. | **Yes** | | **template** | `boolean` Specifies whether or not this policy should be available as a template. | No | | certification**.text** | `string` The text that appears when a data owner attempts to certify a policy. | No | | certification.**label** | `string` The label that appears when the policy has been certified. | No | | certification.**tags** | `array[string]` Tags that impact the certification. | No | | certification.**recertify** | `boolean` When `true`, data owners must re-certify all data sources this policy applies to. | No | | actions.**type** | `string` The type of policy. Accepted values are `masking`, `minimization`, `prerequisite`, `rowOrObjectRestriction`, or `time`. | **Yes** | | actions.**rules** | `array` The policy rules to enforce. See the [Rules array section](#rules-array) for details. | **Yes** | | actions.**description** | `string` An explanation of the purpose of the policy. | No | | **staged** | `boolean` When `true`, the policy is not enforced on any data sources. | No | | circumstances.**type** | `string` Specifies how to determine whether or not to apply the policy to the data source. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period. Accepted values are `columnRegex`, `columnTags`, `domains`, [`null`](#user-content-fn-7)[^7], `server`, `tags`, or `time`. | No[^8] | | circumstances.columnRegex.**regex** | `string` The regular expression that identifies how column names are spelled. | Required when **circumstances.type** is `columnRegex`. | | circumstances.columnRegex.**caseInsensitive** | `boolean` When `true`, the regex will ignore the casing of column names. | No | | circumstances.**server** | `string` Specifies the server that includes the data sources to apply the policy to. | Required when **circumstances.type** is `server`. | | circumstances.**startDate** | `string` Specifies to apply policies to data sources created on or after this date and before the `endDate`. | Required when **circumstances.type** is `time`. | | circumstances.**endDate** | `string` Specifies to apply policies to data sources created before this date and after the `startDate`. | No | | circumstances.tag**.name** | `string` The name of the tag on the data source. | Required when **circumstances.type** is `tags`. | | circumstances.tag.**displayName** | `string` The display name of the tag on the data source. | No | | circumstances.tag.**hasLeafNodes** | `boolean` When `true`, indicates the tag on the data source has child tags. | No | | circumstances.columnTag.**name** | `string` The name of the tag. | Required when **circumstances.type** is `columnTags`. | | circumstances.columnTag.**displayName** | `string` The display name of the tag. | No | | circumstances.columnTag.**hasLeafNodes** | `boolean` When `true`, indicates the tag has child tags. | No | | circumstances.domains.**id** | `string` The unique identifier of the domain. | Required when **circumstances.type** is `domains` and **circumstances.domains.name** is not provided**.** | | circumstances.domains.**name** | `string` The name of the domain. | Required when **circumstances.type** is `domains` and **circumstances.domains.id** is not provided**.** | | circumstances.**operator** | `string` Specifies how multiple circumstances of the policy will be combined with each other. When **circumstances.type** is `domains`, this value must be `AND`. | **Yes** | #### **Rules array** The **rules** array configures the type of data policy to enforce. The table below outlines its child attributes. | Attribute | Description | | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **type** | `string` The type of policy. Accepted values are `masking`, `minimization`, `prerequisite`, `time`, or [`visibility`](#user-content-fn-9)[^9]. | | config.fields.**name** | `string` The name of the tag on the column that should be masked. Required when **type** is `masking`. | | config.fields.**displayName** | `string` The display name of the tag on the column that should be masked. | | config.fields.**hasLeafNodes** | `boolean` When `true`, indicates that the tag on the column to be masked has child tags. | | config.maskingConfig**.type** | `string` Specifies the type of masking to apply to the data. Accepted values are [`Consistent Value`,](#user-content-fn-10)[^10] `Format Preserving Masking`, [`Grouping`](#user-content-fn-11)[^11], `Regular Expression`, or `Reversible.` | | config.maskingConfig.metadata.**constant** | `string` Specifies the string that will replace the value in the column. Use this attribute when **config.maskingConfig.type** is `Consistent Value` and you want to specify the constant used to replace the value. | | config.maskingConfig.metadata.**bucketSize** | `integer` The bucket size to round to. Use this value when config.maskingConfig.type is `Grouping` and you want to mask a numeric value. | | config.maskingConfig.metadata.**timePrecision** | `string` Specifies where Immuta will round the time to. Accepted values are `HOUR`, `DAY`, `MONTH`, `QUARTER`, or `YEAR`. Use this when config.maskingConfig.type is `Grouping` and you want to mask a time value. | | config.maskingConfig.metadata.**regex** | `string` The regular expression that identifies the portion of the value to mask. | | config.maskingConfig.metadata.**replacement** | `string` The string that will replace the portion of the value identified by the regular expression to mask. | | config.**percent** | `integer` Specifies the percentage of the data to show. Required when **type** is `minimization`. | | exceptions.conditions.**authorization** |

string When actions.exceptions.conditions.type is hasTagAs, this value specifies the attribute key that will be used to match the user's attribute key-value pair against the column or data source tag.

If a user possesses an attribute with a key and value that matches any tag on the data source or column, they will see the masked data in the tagged data source or column in the clear.

| | exceptions.conditions.authorization.**auth** | `string` The attribute key to exempt from the data policy. Required when **actions.exceptions.conditions.type** is `authorizations`. | | exceptions.conditions.authorization.**value** | `string` The attribute value to exempt from the data policy. Required when **actions.exceptions.conditions.type** is `authorizations`. | | exceptions.conditions.**conditionType** |

string When actions.exceptions.conditions.type is hasTagAs, this value specifies the type of user entitlement to match against the data source or column tag. Accepted values are attribute or group.

See the Masking policies reference guide for details about these policy exceptions.

| | exceptions.conditions.group**.name** | `string` The group to exempt from the data policy. Required when **actions.exceptions.conditions.type** is `groups`. | | exceptions.conditions.**target** | `string` When **actions.exceptions.conditions.type** is [`hasTagAs`](#user-content-fn-12)[^12], this value specifies whether to match the user's group or attribute to a tag on the column or data source. Accepted values are `column` and `datasource`. | | exceptions.conditions.**type** |

string Specifies the types of entitlements to exempt from the policy. Accepted values are authorizations, groups, hasTagAs, or purposes. An example payload for each of these policy exception types is provided in the section below.

See the Masking policies reference guide for details about these policy exceptions.

| | exceptions.conditions.**value** | `string` The purpose to exempt from the data policy. Required when **actions.exceptions.conditions.type** is `purposes`. | | exceptions.**operator** | `string` Specifies the combination of entitlements the user must have to be exempt from the policy. Accepted values are `AND` or `OR`. | | inclusions.conditions.authorization.**auth** | `string` The attribute key the user must have for the data policy to apply to them. Required when **inclusions.conditions.type** is `authorizations`. | | inclusions.conditions.authorization.**value** | `string` The attribute value the user must have for the data policy to apply to them. Required when **inclusions.conditions.type** is `authorizations`. | | inclusions.conditions.**conditionType** |

string When actions.inclusions.conditions.type is hasTagAs, this value specifies the type of user entitlement to match against the data source or column tag to determine whether the policy applies to the user. Accepted values are attribute or group.

See the Masking policies reference guide for details about using these entitlements in policies.

| | inclusions.conditions.**group** | `string` The group the user must belong to for the data policy to apply to them. Required when **inclusions.conditions.type** is `groups`. | | inclusions.conditions.**target** | `string` When **actions.inclusions.conditions.type** is [`hasTagAs`](#user-content-fn-13)[^13], this value specifies whether to match the user's group or attribute to a tag on the column or data source to determine whether the policy applies to the user. Accepted values are `column` and `datasource`. | | inclusions.conditions.**type** | `string` Specifies the types of entitlements the user must have for the data policy to apply to them. Accepted values are `authorizations`, `groups`, [`hasTagAs`](#user-content-fn-13)[^13], or `purposes`. | | inclusions.conditions.**value** | `string` The purpose the user must be acting under for the data policy to apply to them. Required when **inclusions.conditions.type** is `purposes`. | | inclusions.**operator** | `string` Specifies the combination of entitlements the user must have for the policy to apply to them. Accepted values are `AND` or `OR`. | | {% endtab %} | | {% tab title="Reveal data policy" %} | Attribute | Description | Required | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | | **type** | `string` The type of policy. For reveal data policies, this value must be `data`. | **Yes** | | **name** | `string` The name of the policy that will be displayed in the Immuta UI. | **Yes** | | **template** | `boolean` Specifies whether or not this policy should be available as a template. | No | | actions.**type** | `string` The type of policy. This value must be `exception` for reveal policies. | **Yes** | | actions.**rules** | `array` The policy rules to enforce. See the [Rules array section](#rules-array-1) for details. | **Yes** | | actions.**description** | `string` An explanation of the purpose of the policy. | No | | **staged** | `boolean` When `true`, the policy is not enforced on any data sources. | No | | circumstances.**type** | `string` Specifies how to determine whether or not to apply the policy to the data source. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period. Accepted values are `columnRegex`, `columnTags`, `domains`, [`null`](#user-content-fn-7)[^7], `server`, `tags`, or `time`. | No[^8] | | circumstances.columnRegex.**regex** | `string` The regular expression that identifies how column names are spelled. | Required when **circumstances.type** is `columnRegex`. | | circumstances.columnRegex.**caseInsensitive** | `boolean` When `true`, the regex will ignore the casing of column names. | No | | circumstances.**server** | `string` Specifies the server that includes the data sources to apply the policy to. | Required when **circumstances.type** is `server`. | | circumstances.**startDate** | `string` Specifies to apply policies to data sources created on or after this date and before the `endDate`. | Required when **circumstances.type** is `time`. | | circumstances.**endDate** | `string` Specifies to apply policies to data sources created before this date and after the `startDate`. | No | | circumstances.tag**.name** | `string` The name of the tag on the data source. | Required when **circumstances.type** is `tags`. | | circumstances.tag.**displayName** | `string` The display name of the tag on the data source. | No | | circumstances.tag.**hasLeafNodes** | `boolean` When `true`, indicates the tag on the data source has child tags. | No | | circumstances.columnTag.**name** | `string` The name of the tag. | Required when **circumstances.type** is `columnTags`. | | circumstances.columnTag.**displayName** | `string` The display name of the tag. | No | | circumstances.columnTag.**hasLeafNodes** | `boolean` When `true`, indicates the tag has child tags. | No | | circumstances.domains.**id** | `string` The unique identifier of the domain. | Required when **circumstances.type** is `domains` and **circumstances.domains.name** is not provided**.** | | circumstances.domains.**name** | `string` The name of the domain. | Required when **circumstances.type** is `domains` and **circumstances.domains.id** is not provided**.** | | circumstances.**operator** | `string` Specifies how multiple circumstances of the policy will be combined with each other. When **circumstances.type** is `domains`, this value must be `AND`. | **Yes** | #### **Rules array** The **rules** array configures the type of reveal data policy to enforce. The table below outlines its child attributes. Reveal policies are only supported for the `exception` type. | Attribute | Description | | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **type** | `string` The type of policy. Accepted value is `exception`. | | config.fields.**name** | `string` The name of the tag on the column that should be revealed. Required when **type** is `exception`. | | config.fields.**displayName** | `string` The display name of the tag on the column that should be revealed. | | config.fields.**hasLeafNodes** | `boolean` When `true`, indicates that the tag on the column to be revealed has child tags. | | exceptions.conditions.authorization.**auth** | `string` The attribute key the user must have for the reveal policy to apply to them. Required when **exceptions.conditions.type** is `authorizations`. | | exceptions.conditions.authorization.**value** | `string` The attribute value the user must have for the reveal policy to apply to them. Required when **exceptions.conditions.type** is `authorizations`. | | exceptions.conditions.**conditionType** |

string When actions.exceptions.conditions.type is hasTagAs, this value specifies the type of user entitlement to match against the data source or column tag to determine whether the reveal policy applies to the user. Accepted values are attribute or group.

See the Masking policies reference guide for details about using these entitlements in policies.

| | exceptions.conditions.**group** | `string` The group the user must belong to for the reveal policy to apply to them. Required when **exceptions.conditions.type** is `groups`. | | exceptions.conditions.**target** | `string` When **actions.exceptions.conditions.type** is `hasTagAs`, this value specifies whether to match the user's group or attribute to a tag on the column or data source to determine whether the reveal policy applies to the user. Accepted values are `column` and `datasource`. | | exceptions.conditions.**type** | `string` Specifies the types of entitlements the user must have for the reveal policy to apply to them. Accepted values are `authorizations`, `groups`, or `hasTagAs`. | | exceptions.**operator** | `string` Specifies the combination of entitlements the user must have for the reveal policy to apply to them. Accepted values are `AND` or `OR`. | | {% endtab %} | | | {% endtabs %} | | #### Request example This example request creates a global policy (saved in the `example-payload.json` file) in the Immuta tenant. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/global ``` **Request payload examples** {% tabs %} {% tab title="Subscription policy" %} This sample payload creates the following subscription policy: > Automatically grant users access when user is a member of group `HR` on data sources tagged `Employee`. ```json { "type": "subscription", "name": "HR policy", "template": false, "certification": null, "actions": [ { "type": "subscription", "subscriptionType": "policy", "description": null, "shareResponsibility": true, "allowDiscovery": false, "accessGrant": "READ", "exceptions": { "operator": "and", "conditions": [ { "type": "groups", "group": { "name": "HR" } } ] }, "automaticSubscription": true } ], "staged": true, "circumstances": [ { "operator": "or", "type": "tags", "tag": { "name": "Employee", "displayName": "Employee", "hasLeafNodes": false } } ] } ``` {% endtab %} {% tab title="Masking policy" %} This sample payload creates the following masking policy: > Mask data tagged `PII` for everyone on data sources with columns tagged `PII`. ```json { "type": "data", "name": "Mask PII", "template": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": null, "config": { "fields": [ { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } } ] } ``` {% endtab %} {% tab title="Masking policies with exceptions" %} **Attribute exception examples** This sample payload creates the following masking policy: > Mask columns tagged `PII` by making NULL for everyone except when user possesses attribute `Department:HR`. ```json { "type": "data", "name": "Attribute exception", "template": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": { "operator": "and", "conditions": [ { "type": "authorizations", "authorization": { "auth": "Department", "value": "HR" } } ] }, "config": { "fields": [ { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } } ] } ``` This sample payload creates the following masking policy: > Mask columns tagged `PII` by making NULL for everyone except when user possesses an attribute with key `Employee` and value that matches any column tag. ```json { "type": "data", "name": "Masking exception using column tag", "template": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": { "operator": "and", "conditions": [ { "conditionType": "attribute", "target": "column", "type": "hasTagAs", "authorization": "Employee" } ] }, "config": { "fields": [ { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } } ] } ``` **Group exception examples** This sample payload creates the following masking policy: > Mask by making NULL columns tagged `PII` for everyone except when user is a member of group `HR`. ```json { "type": "data", "name": "Group exception", "template": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": { "operator": "and", "conditions": [ { "type": "groups", "group": { "name": "HR" } } ] }, "config": { "fields": [ { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } } ] } ``` This sample payload creates the following masking policy: > Mask columns tagged `PII` by making NULL for everyone except when user is a member of a group with name that matches any data source tag. ```json { "type": "data", "name": "Masking policy group exception", "template": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": { "operator": "and", "conditions": [ { "conditionType": "group", "target": "datasource", "type": "hasTagAs" } ] }, "config": { "fields": [ { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } } ] } ``` **Purpose exception example** This sample payload creates the following masking policy: > Mask columns tagged `PII` by making NULL for everyone except when user is acting under purpose `Employee Retention`. ```json { "type": "data", "name": "Purpose exception", "template": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": { "operator": "and", "conditions": [ { "type": "purposes", "value": "Employee Retention" } ] }, "config": { "fields": [ { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "PII", "displayName": "PII", "hasLeafNodes": false, "source": "curated" } } ] } ``` {% endtab %} {% tab title="Row-access policy" %} This sample payload creates the following row-access policy: > Only show rows where user is a member of a group that matches the value in column tagged `Department` for everyone on data sources with columns tagged `Department`. ```json { "type": "data", "name": "Row-access policy", "template": false, "certification": null, "actions": [ { "type": "rowOrObjectRestriction", "rules": [ { "type": "visibility", "exceptions": null, "config": { "qualifications": { "operator": "and", "conditions": [ { "type": "groups", "field": { "name": "Department", "displayName": "Department", "hasLeafNodes": false } } ] } } } ], "description": "" } ], "staged": false, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "Department", "displayName": "Department", "hasLeafNodes": false } } ] } ``` {% endtab %} {% tab title="Reveal policy" %} This sample payload creates the following reveal policy: > Reveal columns tagged `email` when user is a member of group `Marketing` on data sources with columns tagged `email`. ```json { "type": "data", "name": "Reveal email addresses for marketing campaign", "template": false, "certification": null, "actions": [ { "type": "exception", "rules": [ { "type": "exception", "config": { "fields": [ { "name": "email", "displayName": "email", "hasLeafNodes": true, "source": "curated" } ] }, "exceptions": { "operator": "and", "conditions": [ { "type": "groups", "group": { "name": "Marketing" } } ] } } ], "description": "" } ], "staged": true, "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "email", "displayName": "email", "hasLeafNodes": true, "source": "curated" } } ] } ``` {% endtab %} {% endtabs %} #### Response example ```json { "policyKey": "HR data policy", "name": "HR data policy", "type": "subscription", "template": true, "staged": false, "systemGenerated": false, "deleted": false, "certification": null, "actions": [ { "type": "subscription", "exceptions": { "operator": "and", "conditions": [ { "type": "groups", "group": { "name": "HR" } } ] }, "accessGrant": "READ", "description": null, "allowDiscovery": false, "subscriptionType": "policy", "shareResponsibility": true, "automaticSubscription": true } ], "circumstances": null, "metadata": null, "clonedFrom": null, "createdBy": 2, "protected": false, "id": 24, "createdAt": "2025-04-21T19:09:17.884Z", "updatedAt": "2025-04-21T19:09:17.884Z", "createdByName": "Taylor", "ownerRestrictions": null } ``` ### Create or update a policy for a specific data source `POST` or `PUT` `/policy/handler/{dataSourceId}` Create (POST) or update (PUT) a policy for the specified data source. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Body parameter | Attribute | Description | Required | | ------------ | ----------------------------------------------- | -------- | | jsonPolicies | `array[object]` An array of JSON rules objects. | **Yes** | #### Response schema | Attribute | Description | Required | | ------------ | ----------------------------------------------- | -------- | | jsonPolicies | `array[object]` An array of JSON rules objects. | **Yes** | #### Response parameters | Attribute | Description | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | id | `integer` The policy handler ID. | | url | `string` The URL of the Immuta tenant. | | dataSourceId | `integer` The ID of the data source the policy is applied to. | | createdBy | `integer` The ID of the user who created the policy. | | ca | `string` The certificate authority. | | jsonPolicies | `array[object]` Policy metadata, including the policy `type` (`visibility`, `masking`, `time`, `minimization`, `prerequisite`, `customWhere`, `showRowsNever`, or `rowOrObjectRestriction`), `rules`, and `description`. | | rules | `object` The conditions of the policy. | | createdAt | `timestamp` The date the policy was created. | | updatedAt | `timestamp` The date the policy was modified. | #### Request example This example request applies the policy specified in the payload to the data source with the ID `2`. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/handler/2 ``` **Request payload example** ```json { "jsonPolicies": [{ "type": "masking", "rules": [{ "type": "masking", "config": { "fields": ["amount"], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null }], "createdAt": "2021-09-20T20:03:18.001Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [{ "type": "masking", "config": { "fields": ["geo_latitude"], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null }], "createdAt": "2021-09-20T20:02:02.213Z", "createdBy": 2, "description": null }, { "type": "prerequisite", "rules": [{ "type": "prerequisite", "exceptions": null, "config": { "qualifications": { "operator": "and", "conditions": [{ "type": "purposes", "value": "Re-identification Prohibited" }] } } }], "description": "" }], "dataSourcePolicyHandler": { "handlerId": 26, "visibilitySchema": { "fields": [] } } } ``` #### Response example ```json { "id": 42, "dataSourceId": 2, "createdBy": 2, "ca": ["-----BEGIN CERTIFICATE-----\ncertificatedata\n-----END CERTIFICATE-----"], "jsonPolicies": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "amount" ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "createdAt": "2021-09-20T20:03:18.001Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "geo_latitude" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "createdAt": "2021-09-20T20:02:02.213Z", "createdBy": 2, "description": null }, { "type": "prerequisite", "rules": [ { "type": "prerequisite", "config": { "qualifications": { "operator": "and", "conditions": [ { "type": "purposes", "value": "Re-identification Prohibited" } ] } }, "exceptions": null } ], "createdAt": "2021-09-20T20:05:35.925Z", "createdBy": 2, "description": null } ], "createdAt": "2021-09-21T18:49:34.021Z", "updatedAt": "2021-09-21T18:49:34.021Z" } ``` ### Apply a global policy to a data source *Note: Global policies that contain the condition "with columns tagged" or "on all data sources" will automatically apply to relevant data sources when the policy is created. The endpoint detailed below can be used to apply global policies that contain the condition "when selected by data owners," as these policies are not automatically applied to data sources.* `POST` `/policy/global/applyPolicy` Apply the global policy to the specified data source. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Body parameters | Attribute | Description | Required | | ------------ | ----------------------------------------------------------- | -------- | | policyID | `integer` The ID of the global policy. | **Yes** | | dataSourceID | `integer` The ID of the data source to apply the policy to. | **Yes** | | merged | `boolean` **Default `false`.** | **Yes** | #### Response schema None. When successful, no message will display. #### Request example This example request applies the specified global policy to the specified data source (saved in the `example-payload.json` file) in the Immuta tenant. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/global/applyPolicy ``` **Request payload example** The following payload will apply the global policy with the ID `1` to the data source with ID `1`. ```json { "policyId": 1, "dataSourceId": 1, "merged": false } ``` ### Update a global policy `PUT` `/policy/global/{policyId}` Update the specified policy. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be the policy creator #### Path parameters | Attribute | Description | Required | | --------- | --------------------------------------------------------- | -------- | | policyId | `integer` The ID of the global policy you want to update. | **Yes** | #### Body parameters See the [Create a global policy section ](#create-a-global-policy)for payload details. #### Response schema When successful, the response returns the body of the request payload. #### Request example This example request updates the specified global policy (`8`) with changes to the metadata saved in the `example-payload.json` file. ```bash curl \ --request PUT \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ --data @example-payload.json \ https://demo.immuta.com/policy/global/8 ``` **Request payload example** In this payload, the user updated the `description` attribute to update the policy. ```json { "id": 8, "policyKey": "Mask Passports", "name": "Mask Passport", "type": "data", "template": false, "staged": false, "systemGenerated": false, "deleted": false, "certification": { "tags": ["Discovered.Passport"], "text": "This certifies that all columns containing passports in this data source have been tagged appropriately.", "label": "Certified" }, "actions": [{ "type": "masking", "rules": [{ "type": "masking", "config": { "fields": [{ "name": "Discovered.Passport", "source": "curated", "hasLeafNodes": false, "displayName": "Discovered > Passport" }], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null }], "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." }], "circumstances": [{ "type": "columnTags", "operator": "or", "columnTag": { "name": "Discovered.Passport", "hasLeafNodes": false, "displayName": "Discovered > Passport" } }], "metadata": null, "clonedFrom": null, "createdBy": 2, "createdAt": "2021-09-21T18:35:48.615Z", "updatedAt": "2021-09-21T18:41:36.054Z", "createdByName": "Katie", "ownerRestrictions": null } ``` #### Response example ```json { "id": 6, "policyKey": "mask-passports", "name": "Mask Passports", "type": "data", "template": false, "createdBy": 2, "createdByName": "Kate", "createdAt": "2021-09-14", "updatedAt": "2021-09-15", "actions": [ { "type": "masking", "rules": [ { "type": "masking", "exceptions": null, "config": { "fields": [ { "name": "Discovered.Passport", "hasLeafNodes": false, "source": "curated" } ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } } } ], "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." } ], "circumstances": [ { "operator": "or", "type": "columnTags", "columnTag": { "name": "Discovered.Passport", "hasLeafNodes": false } } ], "clonedFrom": 0, "staged": false, "systemGenerated": false, "deleted": false, "certification": { "label": "string", "text": "string", "tags": [ "string" ], "recertify": false } } ``` ## Review policies | Method | Path | Purpose | | ------ | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | | POST | `/policy/search` | [Search all policies](#search-for-policies). | | GET | `/policy/global/{policyId}` | [Find the policy with the specified ID](#find-policies-by-policy-id). | | GET | `/policy/global` | [Find a list of global policies with the specified `entityType`](#find-policies-by-entity-type). | | GET | `/policy/global/appliedTo/{policyId}` | [Find the number of data sources the specified policy is currently applied to](#find-the-number-of-data-sources-a-specified-policy-applies-to). | | GET | `/policy/dataSourcePolicies/{dataSourceId}` | [Get the policy information for the specified data source](#get-the-policy-information-for-a-specific-data-source). | | GET | `/policy/diff/{dataSourceId}` | [Get the differences between two policy handler versions](#get-the-differences-between-two-policy-versions). | | GET | `/policy/handler/{dataSourceId}` | [Get the policy handler metadata for a specific data source](#get-the-policy-handler-metadata-for-a-specific-data-source). | ### Search for policies `POST` `/policy/search` Searches for specified policies. #### Body parameters | Attribute | Description | Required | | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------- | | body | `array[object]` Facets of the policy to search by, including the rule type, where the policy applies, exceptions, and policy circumstances. | No | | type | `string` The type of policy to search for: `data` or `subscription`. | No | | scope | `string` Indicates whether the policy is `global` or `local`. | No | | size | `integer` Pages results by default; `size` is the number of results to return per page. | No | | offset | `integer` Used in combination with `size` to fetch pages. | No | | sortField | `string` Indicates which field to sort the policies by: `name`, `createdBy`, `createdAt`, `state`, `isNotApplied`, or `scope`. | No | | sortOrder | `string` Indicates whether to sort policies in ascending or descending order: `asc` or `desc`. | No | | searchText | `string` Searches text; this will filter policies by name. | No | | countOnly | `boolean` When `true`, will only return the number of policies found in the search. | No | | mode | `string` Attribute options include `similarPolicies`, `impactedUsers`, or `impactedDataSources`. | No | | excludedPolicies | `array[integer]` Global policy IDs to exclude. | No | #### Response schema | Attribute | Description | | --------- | ----------------------------------------------------------------------------------------- | | count | `integer` The number of policies found that match the search criteria. | | hits | `array` Policy metadata, including the name, scope, type, and data sources it applies to. | #### Request example This example request searches for a global policy that contains the text `mask` in Immuta. ```bash curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/search?scope=global&searchText=mask ``` #### Response example ```json { "count": 1, "hits": [{ "name": "Mask Passports", "createdBy": "Katie", "state": "active", "isNotApplied": false, "scope": "global", "type": "data", "globalPolicyId": 8, "policyId": null, "dataSourceId": null, "createdAt": "2021-09-21T18:35:48.615Z", "detailLabels": { "ruleType": ["masking"], "tags": ["Discovered.Passport"] }, "enforcedOn": { "count": 1, "hits": [{ "id": 1, "name": "Public Credit Accounts" }] } }] } ``` ### Find policies by policy ID `GET` `/policy/global/{policyId}` Find the policy with the specified ID. #### Path parameter | Attribute | Description | Required | | --------- | -------------------------------------- | -------- | | policyId | `integer` The ID of the global policy. | **Yes** | #### Response schema The response returns a policy object. See the [Create a global policy section ](#create-a-global-policy)for descriptions. #### Request example This example request returns the global policy with the ID `1`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global/1 ``` #### Response example ```json { "id": 1, "policyKey": "New Column Added", "name": "New Column Added", "type": "data", "template": false, "staged": false, "systemGenerated": true, "deleted": false, "certification": null, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ { "name": "New", "source": "curated", "hasLeafNodes": false } ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "description": null } ], "circumstances": [ { "type": "columnTags", "operator": "or", "columnTag": { "name": "New", "hasLeafNodes": false } } ], "metadata": null, "clonedFrom": null, "createdBy": 1, "createdAt": "2021-09-09T13:47:03.448Z", "updatedAt": "2021-09-16T14:10:05.694Z", "createdByName": "Immuta System Account", "ownerRestrictions": null } ``` ### Find policies by entity type `GET` `/policy/global` Find the policy with the specified entity type. #### Query parameters | Attribute | Description | Required | | ---------- | -------------------------------------------------------------------------------------------------------------------- | -------- | | offset | `integer` Used in combination with `size` to fetch pages. | No | | size | `integer` Pages results by default; `size` is the number of results to return per page. | No | | sortField | `string` Indicates which field to sort the policies by: `name` or `createdAt`. **Default `createdAt`**. | No | | sortOrder | `string` Indicates whether to sort policies in ascending or descending order: `asc` or `desc`. **Default `desc`**. | No | | searchText | `string` Searches text; this will filter policies by `name`. | No | | type | `string` The type of policy to search for: `data` or `subscription`. | No | | scope | `string` Indicates whether the policy is `global` or `local`. | No | | nameOnly | `boolean` When `true`, only returns the policy name, type, and ID. | No | | templates | `boolean` When `true`, returns templates only. When `false`, returns non-templates only. When omitted, returns both. | No | #### Response schema | Attribute | Description | | --------- | ------------------------------------------------------------------------------------------------ | | name | `string` The name of the policy. | | id | `integer` The policy ID. | | type | `string` The type of policy: `data` or `subscription`. | | hits | `array` Policy metadata, including the `name`, `scope`, `type`, and `dataSources` it applies to. | #### Request example This example request returns the name, type, and ID of all policies. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global?nameOnly=true ``` #### Response example ```json [ { "name": "Mask Passports", "id": 6, "type": "data" }, { "name": "New Column Added", "id": 1, "type": "data" } ] ``` ### Find the number of data sources a specified policy applies to `GET` `/policy/global/appliedTo/{policyId}` Find the number of data sources the specified policy applies to. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Path parameter | Attribute | Description | Required | | --------- | -------------------------------------- | -------- | | policyId | `integer` The ID of the global policy. | **Yes** | #### Response schema | Attribute | Description | | --------- | ----------------------------------------------------------- | | count | `integer` The number of data sources the policy applies to. | #### Request example This example request returns the number of data sources the global policy with the ID `6` applies to. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global/appliedTo/6 ``` #### Response example ```json { "count": 1 } ``` ### Get the policy information for a specific data source `GET` `/policy/dataSourcePolicies/{dataSourceId}` Get the policy information for the specified data source. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Query parameters | Attribute | Description | Required | | ------------- | -------------------------------------------------------------------------------- | -------- | | retrieveAll | `boolean` When `false`, filters out any custom domain-specific language rules. | No | | excludeGlobal | `boolean` When `true`, filters out any policy actions driven by a global policy. | No | #### Response schema | Attribute | Description | | ---------- | ---------------------------------------------------- | | type | `string` The type of policy. | | rules | `array` The rules for the data policy enforcement. | | exceptions | `array` The entitlements to exempt from the policy. | | createdAt | `timestamp` The time the policy was created. | | createdBy | `integer` The ID of the user who created the policy. | #### Request example This example request returns the information of policies applied to the data source with the ID `2`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/dataSourcePolicies/2 ``` #### Response example ```json [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "amount" ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "createdAt": "2021-09-20T20:03:18.001Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "geo_latitude" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "createdAt": "2021-09-20T20:02:02.213Z", "createdBy": 2, "description": null }, { "type": "prerequisite", "rules": [ { "type": "prerequisite", "config": { "qualifications": { "operator": "and", "conditions": [ { "type": "purposes", "value": "Re-identification Prohibited" } ] } }, "exceptions": null } ], "createdAt": "2021-09-20T20:05:35.925Z", "createdBy": 2, "description": null } ] ``` ### Get the differences between two policy versions `GET` `/policy/diff/{dataSourceId}` Get the differences between two policy handler versions. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Query parameters | Attribute | Description | Required | | ----------------- | ---------------------------------------- | -------- | | previousHandlerId | `integer` The ID of the previous policy. | No | | currentHandlerId | `integer` The ID of the current policy. | No | #### Response schema | Attribute | Description | | ---------- | ---------------------------------------------------------------------------------------------------------------------------------- | | current | `array` Contains policy metadata of the current policy, including the policy `type`, `rules`, `exceptions`, and date of creation. | | previous | `array` Contains policy metadata of the previous policy, including the policy `type`, `rules`, `exceptions`, and date of creation. | | hasChanges | `boolean` When `true`, indicates the policy was changed. | #### Request example This example request returns the information of policies applied to the data source with the ID `3`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/diff/3?currentHandlerId=47&previousHandlerId=46 ``` #### Response example ```json { "current": [{ "type": "rowOrObjectRestriction", "rules": [{ "type": "visibility", "config": { "predicate": "(`city` in (@groups()))", "qualifications": { "operator": "and", "conditions": [{ "type": "groups", "field": "city" }] } }, "exceptions": null }], "createdAt": "2021-09-28T18:46:00.868Z", "createdBy": 2, "description": null }], "previous": [{ "type": "rowOrObjectRestriction", "rules": [{ "type": "visibility", "config": { "predicate": "(`city` in (@groups()))", "qualifications": { "operator": "and", "conditions": [{ "type": "groups", "field": "city" }] } }, "exceptions": null }], "createdAt": "2021-09-28T18:46:00.868Z", "createdBy": 2, "description": null }], "hasChanges": false } ``` ### Get the policy handler metadata for a specific data source `GET` `/policy/handler/{dataSourceId}` Get the policy handler metadata for a specific data source. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be a data source owner #### Path parameter | Attribute | Description | Required | | ------------ | ------------------------------------ | -------- | | dataSourceId | `integer` The ID of the data source. | **Yes** | #### Response schema | Attribute | Description | | --------- | ----------------------------------------------------------------------------------- | | hits | `array` Policy metadata, including the `name`, `scope`, `rules`, and policy `type`. | #### Request example This example request returns the policy handler metadata for policies applied to the data source with the ID `1`. ```bash curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/handler/1 ``` #### Response example ```json { "id": 44, "dataSourceId": 1, "rules": "rule masking_0_0 { when { model_0_0 : MaskingModel ; } then { Masked(model_0_0, 0, 0) } } rule masking_5_0 { when { model_5_0 : MaskingModel ; } then { Masked(model_5_0, 5, 0) } } rule masking_6_0 { when { model_6_0 : MaskingModel ; } then { Masked(model_6_0, 6, 0) } }", "jsonPolicies": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "email" ], "maskingConfig": { "type": "Consistent Value", "metadata": { "constant": null } } }, "exceptions": null } ], "createdAt": "2021-09-21T19:27:27.589Z", "createdBy": 2, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "email" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 0, "tag": "Discovered.Passport", "name": "string", "reason": "test", "staged": false, "deleted": false, "conflict": "existingMasking", "disabled": true, "metadata": { "HEDReportVersion": "string", "certificationExpirationInterval": "string" }, "template": false, "createdAt": "2021-09-14T00:00:00.000Z", "createdBy": "Katie", "policyKey": "string", "updatedAt": "2021-09-14T00:00:00.000Z", "clonedFrom": 0, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "last_name" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 0, "tag": "Discovered.Passport", "name": "string", "reason": "test", "staged": false, "deleted": false, "conflict": null, "disabled": true, "metadata": { "HEDReportVersion": "string", "certificationExpirationInterval": "string" }, "template": false, "createdAt": "2021-09-14T00:00:00.000Z", "createdBy": "Katie", "policyKey": "string", "updatedAt": "2021-09-14T00:00:00.000Z", "clonedFrom": 0, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "ssn" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 0, "tag": "Discovered.Passport", "name": "string", "reason": "test", "staged": false, "deleted": false, "conflict": null, "disabled": true, "metadata": { "HEDReportVersion": "string", "certificationExpirationInterval": "string" }, "template": false, "createdAt": "2021-09-14T00:00:00.000Z", "createdBy": "Katie", "policyKey": "string", "updatedAt": "2021-09-14T00:00:00.000Z", "clonedFrom": 0, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": null }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "email" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 8, "tag": "Discovered.Passport", "name": "Mask Passports", "reason": null, "staged": false, "deleted": false, "conflict": "existingMasking", "disabled": true, "metadata": null, "template": false, "createdAt": "2021-09-21T18:35:48.615Z", "createdBy": "Katie", "policyKey": "Mask Passport", "updatedAt": "2021-09-21T18:41:54.299Z", "clonedFrom": null, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "last_name" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 8, "tag": "Discovered.Passport", "name": "Mask Passport", "reason": null, "staged": false, "deleted": false, "conflict": null, "disabled": false, "metadata": null, "template": false, "createdAt": "2021-09-21T18:35:48.615Z", "createdBy": "Katie", "policyKey": "Mask Passport", "updatedAt": "2021-09-21T18:41:54.299Z", "clonedFrom": null, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." }, { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ "ssn" ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "global": { "id": 8, "tag": "Discovered.Passport", "name": "Mask Passport", "reason": null, "staged": false, "deleted": false, "conflict": null, "disabled": false, "metadata": null, "template": false, "createdAt": "2021-09-21T18:35:48.615Z", "createdBy": "Katie", "policyKey": "Mask Passports", "updatedAt": "2021-09-21T18:41:54.299Z", "clonedFrom": null, "certification": true, "createdByName": "Katie", "changedOnApply": [], "systemGenerated": false, "ownerRestrictions": null }, "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." } ], "createdAt": "2021-09-21T19:27:27.977Z", "updatedAt": "2021-09-21T19:27:27.977Z" } ``` ## Delete a global policy `DELETE` `/policy/global/{policyId}` Delete the specified global policy. **Requirement**: `GOVERNANCE` permission, domain-specific `Manage Policies` permission, or be the policy creator #### Path parameter | Attribute | Description | Required | | --------- | ------------------------------- | -------- | | policyId | `integer` The ID of the policy. | **Yes** | #### Response schema The response returns a policy object of the policy that was deleted. See the [Create a global policy section ](#create-a-global-policy)for descriptions. #### Request example The following request deletes the global policy with ID `6`. ```bash curl \ --request DELETE \ --header "Content-Type: application/json" \ --header "Authorization: Bearer dea464c07bd07300095caa8" \ https://demo.immuta.com/policy/global/6 ``` #### Response example ```json { "id": 6, "policyKey": "mask-passports", "name": "Mask Passports", "type": "data", "template": false, "staged": false, "systemGenerated": false, "deleted": false, "certification": { "tags": [ "string" ], "text": "string", "label": "string" }, "actions": [ { "type": "masking", "rules": [ { "type": "masking", "config": { "fields": [ { "name": "Discovered.Passport", "source": "curated", "hasLeafNodes": false } ], "maskingConfig": { "type": "Consistent Value", "metadata": {} } }, "exceptions": null } ], "description": "This policy masks all passports for data sources with columns tagged Discovered.Passport." } ], "circumstances": [ { "type": "columnTags", "operator": "or", "columnTag": { "name": "Discovered.Passport", "hasLeafNodes": false } } ], "metadata": null, "clonedFrom": 0, "createdBy": 2, "createdAt": "2021-09-14T00:00:00.000Z", "updatedAt": "2021-09-15T18:46:17.661Z", "createdByName": "Katie", "ownerRestrictions": null } ``` [^1]: Users are granted access when approved by a specified user. [^2]: Anyone is granted access. [^3]: Individually selected users are granted access. [^4]: Users with specified entitlements are granted access. [^5]: Users are prevented from subscribing to the data source unless they have the entitlements specified in the conditions of the policy. [^6]: When `subscriptionType` is **policy**, `shareResponsibility` is **true** (this policy or the conditions of another policy must be met to get access). When `subscriptionType` is **guardrail**, `shareResponsibility` is **false** (the conditions of this policy must be met to be eligible to subscribe to the data source). See the [Subscription policy overview](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/section-contents/reference-guides/subscription-policies#policy-merging) page for details about how grant subscription policies and guardrail subscription policies are combined. [^7]: Setting circumstances.**type** to `null` only applies the policy to data sources when it is selected by data owners. \ Omitting circumstances.**type** applies the policy to all data sources. [^8]: Omitting circumstances.**type** applies the policy to all data sources. [^9]: This type redacts rows (corresponds with the `rowOrObjectRestriction` actions.type). [^10]: Used for hashing, making column values null, or masking with a constant. [^11]: Used for rounding numeric and time values. [^12]: This exception type is only available in global masking policies. [^13]: This inclusion type is only available in global masking policies.