# Getting Started

Purpose-based access control makes access decisions based on the purpose for which a given user or tool intends to use the data. This method of data access also provides flexibility for you to override policies and grant access to unmasked data to an individual for a very specific reason. Immuta recommends using [purposes](/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/reference-guides/projects.md#purposes) to create exceptions to global data policies.

There is some up-front work that needs to occur to make this possible.

1. A user with the `GOVERNANCE` Immuta permission [creates legitimate purposes](/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/how-to-guides/purposes-tutorial.md) for access to different data types unmasked. As part of creating the purposes, they may want to [alter the acknowledgement statement](/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/how-to-guides/purposes-tutorial.md#customize-acknowledgement-statements) the user must agree to when acting under that purpose.
2. A data owner or governor updates the masking or row-level policies to [include those purposes as exceptions to the policy](/saas/govern/secure-your-data/authoring-policies-in-secure/data-policies/how-to-guides/purpose-tutorial.md).
3. Users [create a project](/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/how-to-guides/create-project-tutorial.md) and connect the project to both the policy and the purpose by
   * [adding data sources](/saas/govern/secure-your-data/data-consumers/project-member-guide.md#add-data-sources-to-a-project) with the policies they want users to be excluded from and
   * [adding the purposes](/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/how-to-guides/purposes-tutorial.md#add-a-purpose-to-an-existing-project) to the project
4. However, that project does nothing until the purpose is [<mark style="color:blue;">approved by a user with the</mark> <mark style="color:blue;">`PROJECT_MANAGEMENT`</mark> <mark style="color:blue;">Immuta permission</mark>](/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/how-to-guides/purposes-tutorial.md#manage-purpose-requests).
5. Once that approval is complete, the user wanting the exception must [acknowledge they will only use the data for that purpose](/saas/govern/secure-your-data/data-consumers/project-member-guide.md#subscribe-to-a-project).
6. Using the Immuta UI, the [user switches to that project context](/saas/govern/secure-your-data/data-consumers/project-member-guide.md#switch-projects-in-the-immuta-ui). Once switched to that project, the approved exceptions occur for the user.

These exceptions can be made temporary by deleting the project once access is no longer needed or un-approving the purpose for the project after the need for access is gone.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/saas/govern/secure-your-data/projects-and-purpose-based-access-control/purpose-index/getting-started.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.