# Author a Row-Level Policy

1. Determine your [policy scope](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/..#policy-scope):
   * **Global policy**:
     * Click the **Policies** icon in the navigation menu and select the **Data Policies** tab. Click **New data policy** and complete the **Policy name** field.
     * Select **Protect** as the policy type.
   * **Local policy**: Navigate to a specific data source and click the **Policies** tab. Scroll to the **Data Policies** section and click **New Policy**.
2. Select the **Only show rows** action from the first dropdown.
3. Choose one of the following policy conditions:
   * **Where user**
     1. Choose the condition that will drive the policy from the next dropdown: **is a member of a group** or **possesses an attribute**.
     2. Use the next field to choose the **attribute**, **group**, or **purpose** that you will match values against.
     3. Use the next dropdown menu to choose the tag that will drive this policy. You can add more than one condition by selecting **+ Add Another Condition**. The dropdown menu then contains conjunctions for your policy. If you select **or**, only one of your conditions must apply to a user for them to see the data. If you select **and**, all of the conditions must apply.
   * **Where the value in the column tagged**
     1. Select the tag from the next dropdown menu.
     2. From the subsequent dropdown, choose **is** or **is not** in the list, and then **enter a list of comma-separated values**.
   * **Where:** Enter a valid **SQL WHERE clause** in the subsequent field. When you place your cursor in this field, a tooltip details valid input and the column names of your data source. See [Custom WHERE Clause Functions](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/reference-guides/custom-where-clause-functions) for more information about specific functions.
   * **Never**

     The **never** condition blocks all access to the data source.

     1. Choose the condition that will drive the policy from the next dropdown: **for everyone**, **for everyone except**, or **for everyone who**.
     2. Select the condition that will further define the policy: **is a member of group**, **is acting under a purpose**, or **possesses attribute**.
     3. Use the next field to choose the **group**, **purpose**, or **attribute** that you will match values against.
4. Choose **for everyone**, **everyone except**, or **for everyone who** to drive the policy. If you choose **for everyone except**, use the subsequent dropdown to choose the group, purpose, or attribute for your condition. If you choose **for everyone who** as a condition, complete the **Otherwise** clause before continuing to the next step.
5. [**AI-powered feature**](https://documentation.immuta.com/saas/configuration/application-configuration/reference-guides/immuta-ai-faq/immutas-ai-features): Click **Explain this policy** to open the AI assistant side sheet. The [AI assistant](https://documentation.immuta.com/saas/govern/secure-your-data/authoring-policies-in-secure/reference-guides/data-policies#ai-assistant) generates a text summary and an explanation of how the policy behaves for various users, using mock data.
6. Optionally, complete the **Enter Rationale for Policy (Optional)** field, and then click **Add**.
7. For global policies: Click the dropdown menu beneath **Where should this policy be applied**, and select **On all data sources**, **On data sources**, or **When selected by data owners**. If you select **On data sources**, finish the condition in one of the following ways:
   * **tagged**: Select this option and then search for **tags** in the subsequent dropdown menu.
   * **with columns tagged**: Select this option and then search for **tags** in the subsequent dropdown menu.
   * **with column names spelled like**: Select this option, and then enter a **regex** and choose a **modifier** in the subsequent fields.
   * **in server**: Select this option and then choose a **server** from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
   * **created between**: Select this option and then choose a **start date** and an **end date** in the subsequent dropdown menus.
8. Click **Create Policy**. If creating a global policy, you then need to click **Activate Policy** or **Stage Policy**.
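
As an added illustration (not Immuta's code or API), the following Python model shows how the conditions chosen in steps 3 and 4 narrow the rows a user sees, so a policy's intent can be checked against sample data before it is activated. It assumes that a tagged column resolves to one column name, that a match is equality between a user's group names or attribute values and the column value, and that users named under **for everyone except** are exempt from the policy; the `sales` table, the users, and the policy dictionary keys are constructed for the example.

```python
import sqlite3

COLUMNS = {"id", "region", "dept", "amount"}   # known columns of the constructed table
# Constructed sample rows: (id, region, dept, amount)
ROWS = [(1, "US", "finance", 120), (2, "EU", "finance", 75),
        (3, "US", "hr", 40), (4, "APAC", "hr", 300)]

def in_list(column, values, negate=False):
    """SQL fragment 'column [NOT] IN (?, ...)'; values are always bound parameters."""
    if column not in COLUMNS:
        raise ValueError(f"unknown column: {column}")
    if not values:                             # nothing to match: fail closed for IN
        return ("1=1" if negate else "1=0"), []
    marks = ",".join("?" * len(values))
    return f"{column} {'NOT IN' if negate else 'IN'} ({marks})", sorted(values)

def row_predicate(user, policy):
    """Build (where_sql, params) for one user under the modelled policy."""
    if policy.get("except_group") in user["groups"]:
        return "1=1", []                       # exempt user: policy is not applied
    kind = policy["condition"]
    if kind == "never":
        return "1=0", []                       # Never: no rows for non-exempt users
    if kind == "column_in_list":               # value in tagged column is / is not in list
        return in_list(policy["column"], policy["values"], not policy["is_in"])
    if policy["conjunction"] not in ("and", "or"):
        raise ValueError("conjunction must be 'and' or 'or'")
    parts, params = [], []                     # "where_user": user values vs. column values
    for source, key, column in policy["user_conditions"]:
        have = user["groups"] if source == "group" else user["attributes"].get(key, set())
        sql, bound = in_list(column, have)
        parts.append(f"({sql})")
        params += bound
    return f" {policy['conjunction'].upper()} ".join(parts), params

def visible_ids(user, policy):
    """Run the filtered query against an in-memory copy of the sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sales (id INTEGER, region TEXT, dept TEXT, amount INTEGER)")
    db.executemany("INSERT INTO sales VALUES (?, ?, ?, ?)", ROWS)
    where, params = row_predicate(user, policy)
    query = f"SELECT id FROM sales WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(query, params)]
```

Comparing `visible_ids` for a regular user, an exempt user, and a user with no groups or attributes is a quick way to confirm that a policy fails closed and that **and** versus **or** gives the intended result.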
