# Author a Row-Level Policy

## Permissions

`GOVERNANCE` Immuta permission or `Manage Policies` domain permission

## Build the policy

1. Click the <i class="fa-shield">:shield:</i> **Policies** icon in the navigation menu and select the **Data Policies** tab. Click **New data policy** and complete the **Policy name** field.
2. Select **Protect** as the policy type.
3. Select the **Only show rows** action from the first dropdown.
4. Choose one of the following policy conditions:
   * **Where user**
     1. Choose the condition that will drive the policy from the next dropdown: **is a member of a group** or **possesses an attribute**.
     2. Use the next field to choose the **attribute**, **group**, or **purpose** that you will match values against.
     3. Use the next dropdown menu to choose the tag that will drive this policy. You can add more than one condition by selecting **+ Add Another Condition**. The dropdown menu then contains conjunctions for your policy. If you select **or**, only one of your conditions must apply to a user for them to see the data. If you select **and**, all of the conditions must apply.
   * **Where the value in the column tagged**
     1. Select the tag from the next dropdown menu.
     2. From the subsequent dropdown, choose **is** or **is not** in the list, and then **enter a list of comma-separated values**.
   * **Where:** Enter a valid **SQL WHERE clause** in the subsequent field. When you place your cursor in this field, a tooltip details valid input and the column names of your data source. See [Custom WHERE Clause Functions](/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/custom-where-clause-functions.md) for more information about specific functions.
   * **Never**

     The **never** condition blocks all access to the data source.

     1. Choose the condition that will drive the policy from the next dropdown: **for everyone**, **for everyone except**, or **for everyone who**.
     2. Select the condition that will further define the policy: **is a member of group**, **is acting under a purpose**, or **possesses attribute**.
     3. Use the next field to choose the **group**, **purpose**, or **attribute** that you will match values against.
5. Choose **for everyone**, **everyone except**, or **for everyone who** to drive the policy. If you choose for everyone except, use the subsequent dropdown to choose the group, purpose, or attribute for your condition. If you choose for everyone who as a condition, complete the **Otherwise** clause before continuing to the next step.
6. <i class="fa-sparkles">:sparkles:</i> [**AI-powered feature**](/saas/configuration/application-configuration/reference-guides/immuta-ai-faq/immutas-ai-features.md)**:** Click **Explain this policy** to open the AI assistant side sheet. The [AI assistant](/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/data-policies.md#ai-assistant) will generate a textual summary and explanation of the policy behavior on various users using mock data.
7. Opt to complete the **Enter Rationale for Policy (Optional)** field, and then click **Add**.
8. Click the dropdown menu beneath **Where should this policy be applied**, and select **On all data sources**, **On data sources**, or **When selected by data owners**. If you select **On data sources**, finish the condition in one of the following ways:
   * **tagged**: Select this option and then search for **tags** in the subsequent dropdown menu.
   * **with columns tagged**: Select this option and then search for **tags** in the subsequent dropdown menu.
   * **with column names spelled like**: Select this option, and then enter a **regex** and choose a **modifier** in the subsequent fields.
   * **in server**: Select this option and then choose a **server** from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
   * **created between**: Select this option and then choose a **start date** and an **end date** in the subsequent dropdown menus.
9. Click **Activate Policy** or **Stage Policy**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/row-redaction-tutorial.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.