Prerequisite

Sensitive data discovery must be enabled.

Command overview: immuta sdd classifier

This command allows you to manage identifiers that will apply tags to data that matches the criteria you specify during SDD. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the sdd classifier command or any of its subcommands:

• -h

• --help

$ immuta sdd classifier -h
Manage Sensitive Data Discovery Classifiers

Usage:
  immuta sdd classifier [command]

Available Commands:
  create      Create an SDD classifier
  delete      Delete the passed SDD classifier
  get         Get an SDD classifier
  search      Search all classifiers
  update      Update an SDD classifier

Flags:
  -h, --help   Help for classifier

Global Flags:
      --config string    Config file (default $HOME/.immutacfg.yaml)
  -p, --profile string   Specifies the profile for what instance/api the cli will use (default "default")

Use "immuta sdd classifier [command] --help" for more information about a command.

Create an identifier

1. Save your identifier to a valid YAML or JSON file using these attributes.

   Examples are provided below.

2. Run immuta sdd classifier create <filepath> [flags], referencing the file you just created. The options you can specify include

   • -h or --help: Get more information about the command.

   • -o or --output json | yaml: Specify the output format.

   • --outputTemplate string: Format the response using a Go template.

{
  "name": "MY_REGEX_IDENTIFIER",
  "displayName": "My Regex Identifier",
  "description": "A regex identifier",
  "type": "regex",
  "config": {
    "regex": "^[A-Z][a-z]+",
    "tags": ["Discovered.regex-example"]
  }
}

{
  "name": "MY_DICTIONARY_IDENTIFIER",
  "displayName": "My Dictionary Identifier",
  "description": "A dictionary identifier",
  "type": "dictionary",
  "config": {
    "values": ["Bob", "Eve"],
    "caseSensitive": true,
    "tags": ["Discovered.dictionary-example", "Discovered.dictionary-example"]
  }
}

{
  "name": "MY_COLUMN_NAME_REGEX_IDENTIFIER",
  "displayName": "My Column Name Regex Identifier",
  "description": "A column name regex identifier",
  "type": "columnNameRegex",
  "config": {
    "columnNameRegex": "ssn|social ?security",
    "tags": ["Discovered.column-name-regex-example"]
  }
}

Example

$ immuta sdd classifier create ./account-classifier.json
Creating classifier from ./account-classifier...
Create successful.

Get an identifier

Run immuta sdd classifier get <classifierName> [flags], specifying the name of the identifier you would like to get. Options you can specify include

• -h or --help: Get more information about the command.

• -o or --output json | yaml: Specify the output format.

• --outputTemplate string: Format the response using a Go template.

Example

The example below illustrates a user getting an identifier called ACCOUNT_NUMBER_IDENTIFIER.

$ immuta sdd classifier get ACCOUNT_NUMBER_IDENTIFIER
Getting classifier ACCOUNT_NUMBER_IDENTIFIER...
{
  "createdBy": {
    "id": 1,
    "name": "Example User",
    "email": "user@example.com"
  },
  "name": "ACCOUNT_NUMBER_IDENTIFIER",
  "displayName": "Account Number Identifier",
  "description": "This identifier recognizes account numbers using a regex critiera",
  "type": "regex",
  "config": {
    "tags": [
      "Discovered.account-number"
    ],
    "regex": "^[0-9]{9}-[0-9]{3}-[0-9]{1}$"
  },
  "id": 69,
  "createdAt": "2022-03-28T14:52:14.004Z",
  "updatedAt": "2022-03-28T14:52:14.004Z"
}

Search identifiers

Run immuta sdd classifier search [string] [flags] to list all identifiers or search identifiers by name. Options you can specify include

• -h, --help: Help for search.

• --limit int The search limit for pagination (default 25).

• --offset int: The search offset for pagination.

• --order asc | desc: The sort order.

• -o, --output json | yaml: The output format.

• --outputTemplate string: Format the response using a Go template.

• -s, --sort id | name | displayName | type | createdAt | updatedAt: Field to sort by.

• --type regex | columnNameRegex | dictionary | builtIn: Limit results to the specified criteria type.

Example

The example below illustrates a user searching all identifiers containing account.

$ immuta sdd classifier search account
Searching all classifiers...
ACCOUNT_NUMBER_IDENTIFIER This identifier recognizes account numbers using a regex criteria.

Update an identifier

1. Update your identifier in a valid YAML or JSON file using these attributes:
2. Run immuta sdd classifier update <classifierName> <filepath> [flags], referencing the file you just updated. The options you can specify include

   • -h or --help: Get more information about the command.

   • -o or --output json | yaml: Specify the output format.

   • --outputTemplate string: Format the response using a Go template.

Example

The example below illustrates a user updating an identifier named ACCOUNT_NUMBER_IDENTIFIER.

$ immuta sdd classifier update ACCOUNT_NUMBER_IDENTIFIER ./account-classifier -o json
{
  "createdBy": {
    "id": 1,
    "name": "Example User",
    "email": "user@example.com"
  },
  "name": "ACCOUNT_NUMBER_IDENTIFIER",
  "displayName": "Account Number Identifier",
  "description": "This identifier recognizes account numbers using a regex criteria.",
  "type": "regex",
  "config": {
    "tags": [
      "Discovered.account-number"
    ],
    "regex": "^[0-9]{9}-[0-9]{3}-[0-9]{1}$"
  },
  "id": 69,
  "createdAt": "2022-03-28T14:52:14.004Z",
  "updatedAt": "2022-03-28T15:25:28.575Z"
}

Delete an identifier

Run immuta sdd classifier delete <classifierName> [flags] to delete the identifier. The options you can specify include

• -h or --help: Get more information about the command.

• -o or --output json | yaml: Specify the output format.

• --outputTemplate string: Format the response using a Go template.

Example

$ immuta sdd classifier delete ACCOUNT_NUMBER_IDENTIFIER -o json
{
  "createdBy": {
    "id": 1,
    "name": "Example User",
    "email": "user@example.com"
  },
  "name": "ACCOUNT_NUMBER_IDENTIFIER",
  "displayName": "Account Number Identifier",
  "description": "This identifier recognizes account numbers using a regex criteria.",
  "type": "regex",
  "config": {
    "tags": [
      "Discovered.account-number"
    ],
    "regex": "^[0-9]{9}-[0-9]{3}-[0-9]{1}$"
  },
  "id": 69,
  "createdAt": "2022-03-28T14:52:14.004Z",
  "updatedAt": "2022-03-28T15:25:28.575Z"
}

This page details the immuta datasource command, its subcommands and arguments, and the workflow for creating, renaming, and deleting data sources.

Command Overview: immuta datasource

This command allows you to list, save, delete, and rename data sources in your instance of Immuta. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the datasource command or any of its subcommands:

• -h

• --help

Create a Data Source: immuta datasource save

2. Run immuta datasource save <filepath> [--wait int] [--dryRun], referencing the file you just created. The options you can specify include

   • -d or --dryRun: No updates will actually be made to the data source(s).

   • -h or --help: Get more information about the command.

   • -w or --wait int: Specify how long to wait for data source creation.

Example

The following example illustrates a user saving an updated datasourceInfo.yaml file, first as a dry run and then by specifying that the data sources wait 5 seconds to be created.

Rename a Data Source Connection Key: immuta datasource rename

1. Run immuta datasource list keys to view a list of data source connection keys. Options you can specify include

   • -h or --help: Get more information about the command.

   • -v or --verbose: Print response as JSON.

2. To rename one of your data source connection keys, run immuta datasource rename <old connection key> <new connection key>. You can include the -h or --help options to get more information about this command.

Example

The following example illustrates a user renaming a data source connection key to demonstration.

Delete Data Sources: immuta datasource delete

This command will delete all data sources for the connection key you specify.

1. Run immuta datasource list keys to view a list of data source connection keys. Options you can specify include

   • -h or --help: Get more information about the command.

   • -v or --verbose: Print response as JSON.

2. Opt to view a list of the data sources in this connection key by running immuta datasource list sources <connection key>.

3. Run immuta datasource delete <connection key> [--dryRun] to delete all of these data sources. Options you can specify include

   • -d or --dryRun: No updates will actually be made.

   • -h or --help: Get more information about the command.

Example

The following example illustrates a user deleting the demonstration connection key and all its data sources.

The Immuta CLI allows users to interact with their Immuta tenant using the command line to manage data sources, projects, policies, and purposes. This feature allows you to have all of your Immuta tenant information in a Git repository and use the CLI to sync your Immuta tenant with the files in your Git repository. To install the Immuta CLI, follow .

Section Overview

You can navigate this section of documentation in two different ways: by or by .

Workflow

The navigation in the left pane is organized by major workflows you would use in Immuta. Each workflow contains relevant commands. Follow this chronological outline to find commands relevant to your workflow.

1. .

2. .

3. .

4. .

5. .

6. .

7. .

Commands

Below is a list of major commands available in the Immuta CLI. Click a command to navigate to its corresponding page that details subcommands, options, and arguments.

• : Interact with your Immuta tenant to create data sources, projects, policies, and purposes.

• : Make an authenticated Immuta API request. This command will let you hit any endpoint in the Immuta API, including . For example, immuta api /tag will hit the v1 endpoint to list tags. This allows you to use the immuta api command instead of something like Postman or cURL to interact with the V1 API.

• : Clone all data sources, projects, purposes, and policies information into files.

• : Generate shell completion scripts.

• : Specify an Immuta tenant url and API key to be saved to the Immuta configuration file.

• : Manage data sources.

• : Manage Global Policies.

• : Manage projects.

• : Manage purposes.

• : Manage the audit export.

This page details how to install the Immuta CLI and tab completions.

1 - Install the Immuta CLI

Download the binary that corresponds to your operating system.

The SHA 256 checksum is available to verify the file at .

2 - Configure the CLI with Your Immuta Tenant

1. Run immuta configure.

2. Enter the URL of your Immuta tenant in the interactive prompt.

3. Enter your Immuta API Key in the interactive prompt:

Below is the configuration file that will be saved at ~/.immutacfg.yaml:

3 - Install Tab Completions

To generate shell completion scripts for Immuta CLI commands, run immuta completion [bash|zsh|fish|powershell]. You can opt to specify -h or --help for instructions on installing tab completions for Bash, Zsh, Fish, and PowerShell commands and flags.

Use the tabs below for specific instructions for each of these shells.

The exact configuration file locations might vary based on your system. Make sure to restart your shell before you test whether completions are working.

Command overview: immuta sdd

This command allows you to customize and run SDD in your instance of Immuta. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the sdd command or any of its subcommands:

• -h

• --help

SDD workflow

Two common workflows for using SDD are outlined below. The first illustrates how to apply a global framework to all data sources, while the second outlines how users can create and apply frameworks to data sources they own.

Workflow 1: Apply the global framework to all data sources

Workflow 2: Apply a framework to a specific data source

Prerequisite

.

Command overview: immuta sdd template

This command allows you to manage identification frameworks, which are a collection of identifiers and settings used to drive the configuration of SDD runs. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the sdd template command or any of its subcommands:

• -h

• --help

Create an identification framework

1. Save your framework to a valid YAML or JSON file using these attributes:

   An example is provided below.
2. Run immuta sdd template create <filepath> [flags], referencing the file you just created. The options you can specify include

   • -h or --help: Get more information about the command.

   • -o or --output json | yaml: Specify the output format.

   • --outputTemplate string: Format the response using a Go template.

Example

Get an identification framework

Run immuta sdd template get <frameworkName> [flags], specifying the name of the framework you would like to get. Options you can specify include

• -h or --help: Get more information about the command.

• -o or --output json | yaml: Specify the output format.

• --outputTemplate string: Format the response using a Go template.

Example

The example below illustrates a user getting a framework named ACCOUNT_NUMBERS_FRAMEWORK.

Get the global framework

Run immuta sdd template global [flags], to get the global framework that has been configured for sensitive data discovery. Options you can specify include

• -h or --help: Get more information about the command.

• -o or --output json | yaml: Specify the output format.

• --outputTemplate string: Format the response using a Go template.

Example

The example below illustrates a user getting the global framework that had been configured in the Immuta UI by an administrator.

Search identification frameworks

Run immuta sdd template search [string] [flags] to list all identification frameworks or search identification frameworks by name. Options you can specify include

• --classifiers strings: Limit results to only frameworks that contain the specified identifiers.

• -h, --help: Help for search.

• --limit int The search limit for pagination (default 25).

• --offset int: The search offset for pagination.

• --order asc | desc: The sort order.

• -o, --output json | yaml: The output format.

• --outputTemplate string: Format the response using a Go template.

• -s, --sort id | name | displayName | type | createdAt | updatedAt: Field to sort by.

Example

The example below illustrates a user searching all frameworks containing the ACCOUNT_NUMBER_IDENTIFIER.

Update an identification framework

1. Update your framework in a valid YAML or JSON file using these attributes:
2. Run immuta sdd template update <frameworkName> <filepath> [flags], referencing the file you just updated. The options you can specify include

   • -h or --help: Get more information about the command.

   • -o or --output json | yaml: Specify the output format.

   • --outputTemplate string: Format the response using a Go template.

Example

The example below illustrates a user updating a framework named ACCOUNT_NUMBERS_FRAMEWORK.

Delete an identification framework

Run immuta sdd template delete <frameworkName> [flags] to delete the framework. The options you can specify include

• -h or --help: Get more information about the command.

• -o or --output json | yaml: Specify the output format.

• --outputTemplate string: Format the response using a Go template.

Example

This page details the immuta command, its subcommands and arguments, and the workflow for cloning a tenant and using the Immuta API.

Command Overview: immuta

This command allows you to manage your Immuta tenant by creating data sources, projects, policies, and purposes. The table below illustrates the immuta subcommands and arguments.

To view a list of the commands available in your current Immuta CLI version, run immuta with no additional arguments.

Options

Options you can specify with the immuta command include

• --config string: Specify the configuration file name and where it will be saved. (The default is $HOME/.immutacfg.yaml.)

• -h or --help: Get more information about the command.

• -p or --profile string: Specify the profile for what tenant or API the CLI will use.

Clone Your Tenant: immuta clone

If you have an Immuta tenant that was set up without using the API, you can use the immuta clone command to save all your data sources, projects, policies, and purposes as payloads:

This command will create valid V2 API YAML files for all your data sources, projects, policies, and purposes. Within these files, database passwords and user files (such as a BigQuery auth file) will be removed; instead passwords will appear as {{EnvVar "dbPass"}}. The CLI will then read the environment variable dbPass to fill in the password if you use the cloned payload to create or update a data source. File contents will appear as {{ReadFile "<filePath>"}}, and then the CLI will read the file at the path and replace the value when commands are run.

Options

• --force: Overwrite existing output directory targets. If this flag is omitted, you will receive an error when the output directory exists and is not empty.

• -h or --help: Get details about the command.

Limitations

• Tags for data sources and projects are not returned.

• Data sources will not have the sources field, so if these payloads are used in create commands, all possible tables will be created as data sources.

immuta api

This command makes an authenticated HTTP(s) request to the Immuta API and prints the response. The default HTTP request method is GET, but POST is used if any parameters were added. You can override the method with --method:

Options

• -b, --body string: Unmodified string to be sent as payload body.

• -d, --data key=value: Add a typed parameter in key=value format. The --data flag behaves like --raw-data, with type conversion based on the format of the value. Literal values, true, false, null, and integers are converted to appropriate JSON types. This will be sent in as the request payload.

• --data-raw key=value: Add a string parameter in key=value format. The --data flag behaves like --raw-data, with type conversion based on the format of the value. Literal values, true, false, null, and integers are converted to appropriate JSON types. This will be sent in as the request payload.

• -H, --header key:value: Add an HTTP request header in key:value format.

• -h, --help: Get details about the command.

• --input <filepath>: A raw request body may be passed from the outside via the file specified to use as body for the HTTP request. Pass in '-' for standard input.

• -X, --method string: The HTTP method for the request (default GET).

• -P, --path-param key=value: Add a string parameter in key=value format. Will replace {key} in the url with value.

• -q, --query key=value: Add a string parameter in key=value format. The key value pairs are serialized into URL query parameters.

Examples

The documentation below provides descriptions and examples of immuta api options.

Prerequisite

.

Command Overview: immuta sdd run

This command allows you to run SDD on specific data sources or all data sources in your instance of Immuta.

Options

Use these options to get more details about the sdd run command or any of its subcommands:

• -h

• --help

Run SDD on Specific Data Sources

Run immuta sdd run <dataSourceName> [flags], naming the data source you want to run SDD on. The options you can specify include

• -d, --dryRun: No updates will actually be made.

• -f, --force: Do not prompt for confirmation when attempting to run SDD on all data sources.

• -h or --help: Get more information about the command.

• -o or --output json | yaml: Specify the output format.

• --outputTemplate string: Format the response using a Go template.

• -t, --outputTemplate string: Run SDD with this framework. This flag can only be used with the dryRun flag.

• -w, --wait int: The number of seconds to wait for the SDD job(s) to finish. Default is until the SDD job(s) finish (default -1).

Example

The example below illustrates a user running SDD on a single data source.

Run SDD on All Data Sources

1. Run immuta sdd run. The options you can specify include

   • -d, --dryRun: No updates will actually be made.

   • -f, --force: Do not prompt for confirmation when attempting to run SDD on all data sources.

   • -h or --help: Get more information about the command.

   • -o or --output json | yaml: Specify the output format.

   • --outputTemplate string: Format the response using a Go template.

   • -t, --outputTemplate string: Run SDD with this framework. This flag can only be used with the dryRun flag.

   • -w, --wait int: The number of seconds to wait for the SDD job(s) to finish. Default is until the SDD job(s) finish (default -1).

2. Confirm that you want to run SDD on all data sources.

Example

This page details the immuta project command, its subcommands and arguments, and the workflow for creating, renaming, and deleting projects.

Command: immuta project

This command allows you to list, save, delete, and rename projects in your instance of Immuta. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the project command or any of its subcommands:

• -h

• --help

Create Project: immuta project save

2. Run the following referencing the file you just created: immuta project save <filepath> [--dryRun] [--deleteWorkSpaceDataSources] The options you can specify include

   • --deleteWorkSpaceDataSources: Delete all data and the data sources associated with a project workspace when the workspace is deleted.

   • -d or --dryRun: No updates will be made.

   • -h or --help: Get more information about the command.

Example

The example below illustrates a user listing all projects and then creating the project demo project.

Rename a Project Key: immuta project rename

1. Opt to list all project keys to identify which project you would like to rename by running immuta project list. Options you can specify include

   • -h or --help: Get more information about the command.

   • -v or --verbose: Print response as JSON.

2. Rename the project key by running immuta project rename <old project key> <new project key>, enclosing the name of the project key in quotation marks. Options you can specify to get more information about this command include -h or --help.

Example

The example below illustrates a user renaming the demo project project key to data analytics team.

Delete a Project: immuta project delete

1. Opt to list all project keys to determine which project key you would like to delete by running immuta project list. Options you can specify include

   • -h or --help: Get more information about the command.

   • -v or --verbose: Print response as JSON.

2. Delete a project key by running immuta project delete <project key> [--dryRun] [--hardDelete, enclosing the project key in quotation marks. Options you can specify include

   • -d or --dryRun: No updates will be made.

   • --hardDelete: If this is set, it will delete everything related to the project in Immuta. If not set, it will only disable the project.

   • -h or --help: Get more information about the command.

Example

The example below illustrates a user first disabling and then deleting the project Data Analytics Team.

Use these audit export configuration commands to manage exporting your audit logs to S3 and ADLS Gen2, including intervals the events are exported and the S3 bucket or ADLS container they are exported to.

immuta audit exportConfig {command} <arguments> [flags]

Inspect, disable, enable, and delete configurations for exporting your audit events to S3 and ADLS Gen 2.

The Immuta Audit CLI supports a number of flags for every command.

• --config string: Specifies the configuration file name and where it will be saved. (The default is $HOME/.immutacfg.yaml.)

• -h, --help: Gets more information about the command.

• -p, --profile string: Specifies the profile for what instance the CLI will use.

Commands

Audit Export Configuration Example

$ immuta audit exportConfig get f7f9e289-f37b-4942-a18d-66d6de6e7cb2
$
{
  "id": "f7f9e289-f37b-4942-a18d-66d6de6e7cb2",
  "interval": "EVERY_12_HOURS",
  "enabled": true,
  "endpointConfiguration": {
    "__typename": "S3EndpointConfiguration",
    "bucket": "your-s3-bucket",
    "path": "hr-data",
    "region": "us-east-1",
    "accessKeyId": "accessKey"
  },
  "createdAt": "2022-10-23T23:03:11.466Z",
  "createdBy": {
    "name": "John Doe",
    "identityProvider": "okta",
    "id": "johndoe@example.com",
    "type": "USER"
  },
  "updatedAt": "2022-10-23T23:03:11.466Z",
  "updatedBy": {
    "name": "John Doe",
    "identityProvider": "okta",
    "id": "johndoe@example.com",
    "type": "USER"
  }
}

This page details the immuta purpose command, its subcommands and arguments, and the workflow for creating and deleting purposes.

Command: immuta purpose

This command allows you to list, save, and delete purposes in your instance of Immuta. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the purpose command or any of its subcommands:

• -h

• --help

Manage Purposes

Usage:
  immuta purpose [command]

Available Commands:
  delete      Delete a purpose by name
  list        List all purposes
  save        Create/update a purpose in Immuta

Flags:
  -h, --help   help for purpose

Global Flags:
      --config string    config file (default $HOME/.immutacfg.yaml)
  -p, --profile string   specifies the profile for what instance/api the cli will use (default "default")

Use "immuta purpose [command] --help" for more information about a command.

Create a Purpose: immuta purpose save

1. Add your purpose information in a valid YAML file for the V2 API. Additional payload examples for creating purposes can be found here.

2. Run immuta purpose save <filepath> [--dryRun] [--reAcknowledge], referencing the file you just created. The options you can specify include

   • --reAcknowledge: Require all users of any projects using this purpose to re-acknowledge any updated acknowledgement statements.

   • -d or --dryRun: No updates will be made.

   • -h or --help: Get more information about the command.

name: Demo Purpose
acknowledgement: You promise not to share this data outside the project.
description: This project is only to be used for departmental data.

Examples

The example below illustrates a user creating a purpose called Demo Purpose.

$ immuta purpose list
Re-identification Prohibited
Re-identification Prohibited.CCPA
Re-identification Prohibited.Safe Harbor Method
Use Case Outside De-identification

$ immuta purpose save test-purpose.yml
{"dryRun":false,"creating":true,"updating":false,"purposeId":8}

$ immuta purpose list
Demo Purpose
Re-identification Prohibited
Re-identification Prohibited.CCPA
Re-identification Prohibited.Safe Harbor Method
Use Case Outside De-identification

Delete a Purpose: immuta purpose delete

1. Opt to list all purposes to determine which purpose you would like to delete by running immuta purpose list. Options you can specify include

   • -h or --help: Get more information about the command.

   • -v or --verbose: Print response as JSON.

2. Delete a purpose by running immuta purpose delete <purpose name> [--dryRun], enclosing the purpose name in quotation marks. Options you can specify include

   • -d or --dryRun: No updates will be made.

   • -h or --help: Get more information about the command.

Example

The example below illustrates a user deleting the purpose Demo Purpose.

$ immuta purpose list
Demo Purpose
Re-identification Prohibited
Re-identification Prohibited.CCPA
Re-identification Prohibited.Safe Harbor Method
Use Case Outside De-identification

$ immuta purpose delete "Demo Purpose"
{"dryRun":false,"deleting":["Demo Purpose"]}

$ immuta purpose list
Re-identification Prohibited
Re-identification Prohibited.CCPA
Re-identification Prohibited.Safe Harbor Method
Use Case Outside De-identification

This page details the immuta policy command, its subcommands and arguments, and the workflow for creating, renaming, cloning, and deleting Global Policies.

Command Overview: immuta policy

This command allows you to list, save, delete, and rename Global Policies in your instance of Immuta. The table below illustrates subcommands and arguments.

Options

Use these options to get more details about the policy command or any of its subcommands:

• -h

• --help

Create a Policy: immuta policy save

1. Add your policy information in a valid YAML file for the V2 API. Additional payload examples for creating policies can be found here:

   Copy

   name: Conditional Masking
   policyKey: data conditional masking
   type: data
   actions:
       - rules:
       - type: Masking
           config:
               fields:
               - type: columnTags
                   columnTag: Discovered.Passport
               conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
               maskingConfig:
                   type: Hash
   circumstanceOperator: all
   circumstances:
       - type: columnTags
           columnTag: Discovered.Passport
       - type: columnTags
           columnTag: Discovered.Country

2. Run immuta policy save <filepath> [--dryRun] [--reCertify], referencing the file you just created. The options you can specify include

   • -d or --dryRun: No updates will actually be made.

   • -h or --help: Get more information about the command.

   • --reCertify: If the certification has changed, someone will need to re-certify this policy on all impacted data sources.