Author Policy How-to Guide

Authoring global data policies to automate access controls involves using the data metadata and user metadata in Immuta to identify the data that should be governed and the users the policy should target.

This how-to guide demonstrates how to author a global data policy in Immuta to automate access decisions.

For detailed explanations and examples of how to author data policies, see the Author policy guide.

Requirements

Immuta permission: GOVERNANCE global permission, Manage Policies domain permission, or own the data source

Prerequisites

Understand your metadata

How you author policies is dictated by how your user and data metadata is organized to grant access. For this use case, the fact-based (ABAC) method is recommended. Organizations using this method use to determine access, and data sources are tagged at the column and table level.

Author a data policy

Masking policy
  1. Determine what tags are applied to sensitive columns.

  2. Determine what users are allowed to see that data (if any).

Example

This policy will mask the values in all columns with the tag Strictly Confidential for users who are not in both the Employees group and the HR group.

Mask columns tagged Strictly Confidential except for users who are a member of group Employees AND HR on all data sources.

Row-level policy
  1. Determine what tags are applied to sensitive columns.

  2. Determine what users are allowed to see that data (if any).

Example

This policy will show users only the rows in which the value in the column Country matches the value of their Location attribute key:

Only show rows where user possesses an attribute in Location that matches the value in the column Country for everyone on all data sources.
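
The two example policies above, modeled in plain Python as an added illustration (not Immuta code and not part of the original guide). The table, column tags, users and the choice to mask with a null value are constructed assumptions; the model also assumes that a user with no Location attribute matches no rows.

```python
# Added illustration: a plain-Python model of the two example policies.
# Not Immuta code; names, the NULL-style mask and all sample data are constructed.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # attribute key -> set of values

# Constructed column tags for a hypothetical table.
COLUMN_TAGS = {"name": set(), "Country": set(), "salary": {"Strictly Confidential"}}

# Constructed rows.
ROWS = [
    {"name": "Ana", "Country": "US", "salary": 120000},
    {"name": "Bo", "Country": "DE", "salary": 95000},
    {"name": "Cy", "Country": "FR", "salary": 88000},
]

def masking_exempt(user):
    """Exception clause: member of group Employees AND HR (both are required)."""
    return {"Employees", "HR"} <= user.groups

def apply_masking(row, user, tag="Strictly Confidential"):
    """Mask every column carrying the tag unless the user is exempt."""
    if masking_exempt(user):
        return dict(row)
    # Assumption: masking is modeled as replacing the value with None (NULL).
    return {col: (None if tag in COLUMN_TAGS[col] else val) for col, val in row.items()}

def row_visible(row, user, column="Country", attribute="Location"):
    """Row-level rule: the column value must match one of the user's attribute values."""
    return row[column] in user.attributes.get(attribute, set())

def query(user):
    """Apply the row-level policy, then the masking policy, to the sample rows."""
    return [apply_masking(r, user) for r in ROWS if row_visible(r, user)]

hr_user = User("hr", {"Employees", "HR"}, {"Location": {"US", "DE"}})
employee = User("emp", {"Employees"}, {"Location": {"US"}})  # in only one group
no_location = User("new", {"Employees", "HR"})               # no Location attribute

if __name__ == "__main__":
    for u in (hr_user, employee, no_location):
        print(u.name, query(u))
```

Checking a user who belongs to only one of the two groups and a user with no Location attribute, as the last two sample users do, is a quick way to confirm that a policy fails closed before it is applied to all data sources.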

Next steps

Learn

Explore this use case to learn more about using Immuta to automate data access control decisions.

Automate data access control decisions: This section focuses on how to use Immuta to automate decisions that determine whether users should have access to data objects.

Implement

Follow these guides to test your policies and use Immuta to enforce fine-grained access controls.
