# Author Policy How-to Guide

<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th><th data-hidden></th></tr></thead><tbody><tr><td><mark style="color:blue;"><strong>1 -</strong></mark> <mark style="color:blue;"><strong>Manage user metadata how-to guide</strong></mark></td><td></td><td></td><td><a href="../open-managing-user-metadata/manage-user-metadata-how-to-guide">manage-user-metadata-how-to-guide</a></td><td></td></tr><tr><td><mark style="color:blue;"><strong>2 -</strong></mark> <mark style="color:blue;"><strong>Manage data metadata how-to guide</strong></mark></td><td></td><td></td><td><a href="../open-managing-data-metadata/manage-data-metadata-how-to-guide">manage-data-metadata-how-to-guide</a></td><td></td></tr><tr><td><strong>3 -</strong> <strong>Author policy how-to guide</strong></td><td></td><td></td><td></td><td></td></tr></tbody></table>

Authoring global data policies to automate access controls involves using the data metadata and user metadata in Immuta to identify the data that should be governed and the users the policy should target.

This how-to guide demonstrates how to author a global data policy in Immuta to automate access decisions.

For detailed explanations and examples of how to author data policies, see the [Author policy guide](https://documentation.immuta.com/saas/govern/getting-started-with-secure/compliantly-open-more-sensitive-data-for-ml-and-analytics/open-author-policy).

## Requirements

**Immuta permission**: `GOVERNANCE` global permission, `Manage Policies` domain permission, or own the data source

## Prerequisites

* [User metadata configured](https://documentation.immuta.com/saas/govern/getting-started-with-secure/automate-data-access-control-decisions/managing-user-metadata/manage-user-metadata-how-to-guide)
* [Data metadata configured](https://documentation.immuta.com/saas/govern/getting-started-with-secure/automate-data-access-control-decisions/managing-data-metadata/manage-data-metadata-how-to-guide)

## Understand your metadata

How you author policies is dictated by how your user and data metadata is organized to grant access. For this use case, the **fact-based (ABAC) method** is recommended. Organizations using this method use [many variables](#user-content-fn-1)[^1] to determine access, and data sources are tagged at the column and table level.

## Author a data policy

<details>

<summary>Masking policy</summary>

1. Determine what tags are applied to sensitive columns.
2. Determine what users are allowed to see that data (if any).
3. [Build a masking policy that leverages that tag to target specific columns](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/data-policy-tutorial). An example is provided below.

**Example**

This policy will mask the values in all columns with the tag `Strictly Confidential` for users who are not in both the `Employees` group and the `HR` group.

> Mask columns tagged `Strictly Confidential` except for users who are a member of group `Employees` AND `HR` on all data sources.

</details>

<details>

<summary>Row-level policy</summary>

1. Determine what tags are applied to sensitive columns.
2. Determine what users are allowed to see that data (if any).
3. [Build a row-level policy that leverages that tag to redact rows for users](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/row-redaction-tutorial). An example is provided below.

**Example**

This policy shows users only the rows whose value in the `Country` column matches a value of their `Location` attribute key:

> Only show rows where user possesses an attribute in `Location` that matches the value in the column `Country` for everyone on all data sources.

</details>
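The two example policies above can be modelled in a few lines to write down the expected results for representative users before testing the policies in Immuta. This is an added example, not Immuta code or its API. The sample table, the users, the `None` mask value, exact-match comparison, and applying both policies to one data source are all assumptions.

```python
# Illustrative model of the two policy statements; not Immuta code or its API.
from dataclasses import dataclass, field

MASKED = None  # assumption: the page does not state a masking type; model it as NULL

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # attribute key -> set of values

# Constructed sample data: column tags and rows of one hypothetical data source.
COLUMN_TAGS = {"name": set(), "Country": set(), "salary": {"Strictly Confidential"}}
ROWS = [
    {"name": "Ana", "Country": "US", "salary": 120000},
    {"name": "Ben", "Country": "DE", "salary": 95000},
    {"name": "Chloe", "Country": "US", "salary": 101000},
]

def is_exempt_from_masking(user):
    # "except for users who are a member of group Employees AND HR"
    return {"Employees", "HR"} <= user.groups

def row_visible(user, row):
    # "user possesses an attribute in Location that matches the value in the column Country"
    return row["Country"] in user.attributes.get("Location", set())

def query(user, rows=ROWS, tags=COLUMN_TAGS):
    """Return the rows and values this user would see with both policies applied."""
    exempt = is_exempt_from_masking(user)
    result = []
    for row in rows:
        if not row_visible(user, row):
            continue  # row-level policy: the whole row is withheld
        result.append({
            col: (MASKED if "Strictly Confidential" in tags[col] and not exempt else val)
            for col, val in row.items()
        })
    return result

# Constructed users covering the edge cases worth checking before deployment.
hr_us = User("hr_us", {"Employees", "HR"}, {"Location": {"US"}})
emp_only = User("emp_only", {"Employees"}, {"Location": {"US", "DE"}})
no_location = User("no_location", {"Employees", "HR"})

if __name__ == "__main__":
    for u in (hr_us, emp_only, no_location):
        print(u.name, query(u))
```

In this model, a user in only one of the two groups sees masked values, and a user with no `Location` attribute sees no rows, even when exempt from masking.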

## Next steps

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th></th></tr></thead><tbody><tr><td><strong>Learn</strong></td><td>Explore this use case to learn more about using Immuta to automate data access control decisions.</td><td><a href="..">Automate data access control decisions</a>: This section focuses on how to use Immuta to automate decisions that determine whether users should have access to data objects.</td></tr><tr><td><strong>Implement</strong></td><td>Follow these guides to test your policies and use Immuta to enforce fine-grained access controls.</td><td><ol><li>Optionally <a href="../../test-and-deploy-policy">test and deploy policy</a>.</li><li><a href="../../automate-data-access-control-decisions/author-policy/author-policy-how-to-guide">Author a subscription policy</a>.</li></ol></td></tr></tbody></table>

[^1]: An example of multiple variables determining access is a rule like this: `You must reside in the US and be a full time employee to see data tagged US and Highly Sensitive.`

    See the [Governance use cases introduction](https://documentation.immuta.com/saas/govern/getting-started-with-secure/..#choose-your-path-orchestrated-rbac-or-abac) for further explanation and examples.
