# Author Policy How-to Guide

<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th><th data-hidden></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>1 -</strong></mark> <mark style="color:blue;"><strong>Manage user metadata how-to guide</strong></mark></td><td></td><td></td><td><a href="../open-managing-user-metadata/manage-user-metadata-how-to-guide">manage-user-metadata-how-to-guide</a></td><td></td></tr><tr><td><mark style="color:blue;"><strong>2 -</strong></mark> <mark style="color:blue;"><strong>Manage data metadata how-to guide</strong></mark></td><td></td><td></td><td><a href="../open-managing-data-metadata/manage-data-metadata-how-to-guide">manage-data-metadata-how-to-guide</a></td><td></td></tr><tr><td><strong>3 -</strong> <strong>Author policy how-to guide</strong></td><td></td><td></td><td></td><td></td></tr></tbody></table>

Authoring global data policies to automate access controls involves using the data metadata and user metadata in Immuta to identify the data that should be governed and the users the policy should target.

This how-to guide demonstrates how to author a global data policy in Immuta to automate access decisions.

For detailed explanations and examples of how to author data policies, see the [Author policy guide](https://documentation.immuta.com/saas/govern/getting-started-with-secure/compliantly-open-more-sensitive-data-for-ml-and-analytics/open-author-policy).

## Requirements

**Immuta permission**: `GOVERNANCE` global permission, `Manage Policies` domain permission, or own the data source

## Prerequisites

* [User metadata configured](https://documentation.immuta.com/saas/govern/getting-started-with-secure/automate-data-access-control-decisions/managing-user-metadata/manage-user-metadata-how-to-guide)
* [Data metadata configured](https://documentation.immuta.com/saas/govern/getting-started-with-secure/automate-data-access-control-decisions/managing-data-metadata/manage-data-metadata-how-to-guide)

## Understand your metadata

How you author policies is dictated by how your user and data metadata is organized to grant access. For this use case, the **fact-based (ABAC) method** is recommended. Organizations using this method use many variables[^1] to determine access, and data sources are tagged at the column and table level.

## Author a data policy

<details>

<summary>Masking policy</summary>

1. Determine what tags are applied to sensitive columns.
2. Determine what users are allowed to see that data (if any).
3. [Build a masking policy that leverages that tag to target specific columns](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/data-policy-tutorial). An example is provided below.

**Example**

This policy will mask the values in all columns with the tag `Strictly Confidential` for users who are not in both the `Employees` group and the `HR` group.

> Mask columns tagged `Strictly Confidential` except for users who are a member of group `Employees` AND `HR` on all data sources.

</details>

<details>

<summary>Row-level policy</summary>

1. Determine what tags are applied to sensitive columns.
2. Determine what users are allowed to see that data (if any).
3. [Build a row-level policy that leverages that tag to redact rows for users](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/row-redaction-tutorial). An example is provided below.

**Example**

This policy only shows a user the rows whose `Country` column value matches one of the values of that user's `Location` attribute key:

> Only show rows where user possesses an attribute in `Location` that matches the value in the column `Country` for everyone on all data sources.

</details>
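The two policies above are written in Immuta's natural-language policy builder, so the decision logic is easy to misread when it combines group membership, column tags and user attributes. The following added example is a constructed Python simulation, not Immuta's engine or API, that models exactly that logic on made-up user and data metadata: the masking rule (mask `Strictly Confidential` columns unless the user is in both `Employees` and `HR`) and the row-level rule (show only rows whose `Country` matches a value of the user's `Location` attribute). The data source, users, tags and rows are all constructed for illustration.

```python
"""Constructed ABAC simulation of the masking and row-level policies described above.

Not Immuta's policy engine: it only models the decision logic so the combined
effect of tag-driven masking and attribute-driven row filtering can be checked.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    groups: frozenset      # user metadata: group memberships
    attributes: dict       # user metadata: attribute key -> set of values


@dataclass
class DataSource:
    name: str
    column_tags: dict      # data metadata: column name -> set of tags
    rows: list             # table contents as a list of dict rows


MASKED = "<masked>"


def mask_policy(user, source, tag="Strictly Confidential",
                required_groups=frozenset({"Employees", "HR"})):
    """Return the set of columns masked for this user.

    Mirrors the page's rule: mask columns tagged `tag` except for users who are
    members of ALL of `required_groups` (Employees AND HR, not either one).
    """
    if required_groups <= user.groups:
        return set()
    return {col for col, tags in source.column_tags.items() if tag in tags}


def row_policy(user, source, attr_key="Location", column="Country"):
    """Return only rows whose `column` value matches one of the user's `attr_key` values.

    A user with no `attr_key` attribute matches nothing, so the default is to
    show zero rows rather than all rows.
    """
    allowed = set(user.attributes.get(attr_key, ()))
    return [row for row in source.rows if row.get(column) in allowed]


def apply_policies(user, source):
    """Apply row filtering first, then mask the restricted columns of what remains."""
    masked = mask_policy(user, source)
    visible = row_policy(user, source)
    return [{col: (MASKED if col in masked else val) for col, val in row.items()}
            for row in visible]


# --- constructed sample metadata (hypothetical names and values) ---
EMPLOYEES = DataSource(
    name="hr.employees",
    column_tags={
        "emp_id": set(),
        "salary": {"Strictly Confidential"},
        "Country": set(),
        "ssn": {"Strictly Confidential", "PII"},
    },
    rows=[
        {"emp_id": 1, "salary": 90000, "Country": "US", "ssn": "000-00-0001"},
        {"emp_id": 2, "salary": 70000, "Country": "DE", "ssn": "000-00-0002"},
        {"emp_id": 3, "salary": 85000, "Country": "US", "ssn": "000-00-0003"},
    ],
)

HR_ANALYST = User("hr_analyst", frozenset({"Employees", "HR"}), {"Location": {"US"}})
ENGINEER = User("engineer", frozenset({"Employees"}), {"Location": {"US", "DE"}})
CONTRACTOR = User("contractor", frozenset(), {})  # no groups, no Location attribute


if __name__ == "__main__":
    for user in (HR_ANALYST, ENGINEER, CONTRACTOR):
        print(user.name, "->", apply_policies(user, EMPLOYEES))
```

Running the module shows the three outcomes a policy author should expect: the HR analyst sees unmasked salaries but only US rows; the engineer, who is in `Employees` but not `HR`, sees US and DE rows with `salary` and `ssn` masked; the contractor, who carries no `Location` attribute, sees no rows at all because the row-level rule only grants rows on a positive attribute match.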

## Next steps

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th></th></tr></thead><tbody><tr><td><strong>Learn</strong></td><td>Explore this use case to learn more about using Immuta to automate data access control decisions.</td><td><a href="..">Automate data access control decisions</a>: This section focuses on how to use Immuta to automate decisions that determine whether users should have access to data objects.</td></tr><tr><td><strong>Implement</strong></td><td>Follow these guides to test your policies and use Immuta to enforce fine-grained access controls.</td><td><ol><li>Optionally <a href="../../test-and-deploy-policy">test and deploy policy</a>.</li><li><a href="../../automate-data-access-control-decisions/author-policy/author-policy-how-to-guide">Author a subscription policy</a>.</li></ol></td></tr></tbody></table>

[^1]: An example of multiple variables determining access is a rule like this: `You must reside in the US and be a full time employee to see data tagged US and Highly Sensitive.`

    See the [Governance use cases introduction](https://documentation.immuta.com/saas/govern/getting-started-with-secure/..#choose-your-path-orchestrated-rbac-or-abac) for further explanation and examples.
