The V2 API is built to easily enable an “as-code” approach to managing your data sources, so each time you POST data to this endpoint, you must provide complete details of what you want in Immuta. The two examples below illustrate this design:
If you POST once explicitly defining a single table under sources, and then POST a second time with a different table, this will result in a single data source in Immuta pointing to the second table and the first data source will be deleted or disabled (depending on the value specified for hardDelete).
If you POST once with two tableTags specified (e.g., Tag.A and Tag.B) and then POST again with tableTags: [Tag.C], only Tag.C will exist on all of the tables specified; Tag.A and Tag.B will be removed from all the data sources. Note: If you frequently use the v2 API to update data tags, consider using the instead.
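Because every POST carries the complete desired state, a plan step that diffs the previous payload against the new one shows what the two scenarios above will remove before anything is sent. This is an added example, not code from the Immuta docs or API; it assumes each sources entry names its table under a `table` key (the page shows `schema` and `all` but the table key row is missing) and takes the hardDelete and tableTags placement from the options table on this page. The payloads are constructed.

```python
"""Preview the effect of a second POST to /api/v2/data before sending it.

Added example, not code from the Immuta docs or API. It models the
"complete state" semantics described above: the payload is the whole
desired state, so any table or tableTag left out of the new payload is
removed. The sources[].table key is an assumption; options.hardDelete and
options.tableTags follow the attribute tables on this page.
"""
from typing import Any


def _table_keys(payload: dict[str, Any]) -> set[str]:
    """Return 'schema.table' for every explicitly listed source."""
    default_schema = payload.get("connection", {}).get("schema", "")
    keys = set()
    for src in payload.get("sources", []):
        if "table" in src:  # an {all: true} entry names no single table
            keys.add(f"{src.get('schema', default_schema)}.{src['table']}")
    return keys


def plan(previous: dict[str, Any], desired: dict[str, Any]) -> dict[str, Any]:
    """Describe what replacing `previous` with `desired` will do in Immuta.

    - tables present before but absent now lose their data source; whether
      it is deleted or only disabled depends on hardDelete in the new payload
    - tableTags present before but absent now are stripped from every table
    """
    prev_tables, new_tables = _table_keys(previous), _table_keys(desired)
    prev_tags = set(previous.get("options", {}).get("tableTags", []))
    new_tags = set(desired.get("options", {}).get("tableTags", []))
    hard_delete = bool(desired.get("options", {}).get("hardDelete", False))
    return {
        "removed_tables": sorted(prev_tables - new_tables),
        "removal_action": "delete" if hard_delete else "disable",
        "added_tables": sorted(new_tables - prev_tables),
        "dropped_tags": sorted(prev_tags - new_tags),
        "added_tags": sorted(new_tags - prev_tags),
    }


def is_destructive(p: dict[str, Any]) -> bool:
    """True when the POST would remove data sources or strip tags."""
    return bool(p["removed_tables"] or p["dropped_tags"])


# Constructed payloads mirroring the two scenarios described in the text.
FIRST_POST = {
    "connectionKey": "snowflake-tpc",
    "connection": {"schema": "tpc"},
    "options": {"tableTags": ["Tag.A", "Tag.B"]},
    "sources": [{"table": "customer"}],
}
SECOND_POST = {
    "connectionKey": "snowflake-tpc",
    "connection": {"schema": "tpc"},
    "options": {"tableTags": ["Tag.C"], "hardDelete": True},
    "sources": [{"table": "orders"}],
}

if __name__ == "__main__":
    p = plan(FIRST_POST, SECOND_POST)
    for key, value in p.items():
        print(f"{key}: {value}")
    if is_destructive(p):
        print("destructive change: re-run with dryRun: true and review first")
```

Running the plan with dryRun set on the real request is the cheapest way to confirm the API agrees with the preview.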
Through this endpoint, you can create or update all data sources for a given schema or database.
Create or update data sources.
Required Immuta permission: CREATE_DATA_SOURCE
Parameter
Description
Required or optional
Default value
The body of the request contains the details of the data source you want to create. The following table describes the attributes you can include in the body.
Attribute
Description
Required or optional
The connection object specifies the connection details required to connect to your data source. The table below describes its child attributes.
Attribute
Description
Required or optional
Use the nameTemplate object to use the backing table, schema, or database names to systematically name the Immuta data sources created through the connection. All names will default to lowercase. The table below describes its child attributes.
Attribute
Description
Accepted values
Example
For the table TPC.CUSTOMER, given the following nameTemplate:
This nameTemplate will produce a data source named tpc.customer in a schema project named tpc.
The options object allows you to override the default options for the data sources created through this connection. If not provided, Immuta will use the system defaults. The table below describes its child attributes.
Attribute
Description
Default values
There are three options for the owners object when POSTing to the /data endpoint:
Include the object with data owners.
Include the object, but leave the type, name, and iam out. This will remove all data owners from the data source (other than the calling user).
Exclude the object from the payload. This will not impact your data owners and allow you to manage data owners through external processes or the UI.
The owners object is an array of objects for each owner. The table below describes its child attributes.
Attribute
Description
Accepted values
The sources array determines which tables are registered as data sources. The table below describes its child attributes.
Option
Description
Required or optional
Examples
This will register specific tables and add tags and column descriptions.
There are three options for the columns object when POSTing to the /data endpoint:
Include the object with column details. Only the columns listed will be in the Immuta data source.
Include the object, but leave it empty. This will turn on column detection, and Immuta will update the columns once a day to be accurate to the backing table.
Exclude the object from the payload. This will register all the columns in the table, but column detection will be off.
The columns object is an array of objects for each column. The table below describes its child attributes.
Attribute
Description
You can add descriptions to columns without having to specify all the columns in the data source. columnDescriptions is an array of objects with the following schema:
Attribute
Description
You can add tags to columns or data sources. tags is an object with the following schema:
Attribute
Description
0
| Attribute | Description | Required or optional |
|---|---|---|
| | A template to override naming conventions. If not provided, system defaults will be used. | Optional |
| object | Override options for these data sources. If not provided, system defaults will be used. | Optional |
| object | Specify owners for all data sources created. | Optional |
| array | Configure which data sources are created. If not provided, all objects from the given connection will be created. | Optional |
| Attribute | Description | Required or optional |
|---|---|---|
| database (string) | The database name. | Required |
| schema (string) | The schema in the remote database. | Optional |
| hostname (string) | The hostname of the remote database instance. | Required |
| port (number) | The port of the remote database instance. | Optional |
| warehouse (string) | The default pool of compute resources Immuta will use to run queries and other Snowflake operations. | Required |
| connectionStringOptions (string) | Additional connection string options to be used when connecting to the remote database. | Optional |
| authenticationMethod (string) | The type of authentication method to use. Options include userPassword, keyPair, and oAuthClientCredentials. | Required |
| username (string) | The username used to connect to the remote database. | Required if using userPassword or keyPair. |
| password (string) | The password used to connect to the remote database. | Required if using userPassword. |
| useCertificate (boolean) | Set to true when using client certificate credentials to request an access token. Otherwise, set to false to use client secret. | Required if using oAuthClientCredentials. |
| userFiles (object) | Details about the files required for the request. | Required if using keyPair or oAuthClientCredentials with useCertificate set to true. |
| keyName (string) | The connection name of the key file. Must be PRIV_KEY_FILE if using keyPair, or must be oauth client certificate if using oAuthClientCredentials. | Required if using keyPair or oAuthClientCredentials with useCertificate set to true. |
| content (string) | The content of the file, base-64 encoded. | Required if using keyPair or oAuthClientCredentials with useCertificate set to true. |
| userFilename (string) | The name of the file - for display in the UI. | Required if using keyPair or oAuthClientCredentials with useCertificate set to true. |
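The "required if" rules in the table above depend on authenticationMethod, so a payload kept as code is easy to get subtly wrong (for instance, useCertificate true with no userFiles). The pre-flight check below is an added example, not Immuta code; it encodes those rules, accepts userFiles as the single object the table lists or as a list of them, uses the keyName literals exactly as the table gives them, and works on constructed sample connections.

```python
"""Pre-flight check of a Snowflake `connection` object for POST /api/v2/data.

Added example, not Immuta code. Encodes the required/optional rules from the
connection attribute table so a payload can be validated before it is sent.
"""
import base64
import binascii

ALWAYS_REQUIRED = ("hostname", "database", "warehouse", "authenticationMethod")
METHODS = ("userPassword", "keyPair", "oAuthClientCredentials")
# keyName values as given in the attribute table on this page
KEY_NAME_FOR = {"keyPair": "PRIV_KEY_FILE",
                "oAuthClientCredentials": "oauth client certificate"}


def _is_base64(text: str) -> bool:
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def validate_snowflake_connection(conn: dict) -> list[str]:
    """Return a list of problems; an empty list means the object is complete."""
    errors = [f"missing required attribute: {k}" for k in ALWAYS_REQUIRED if k not in conn]
    method = conn.get("authenticationMethod")
    if method is not None and method not in METHODS:
        errors.append(f"unknown authenticationMethod: {method!r}")
    if method in ("userPassword", "keyPair") and "username" not in conn:
        errors.append("username is required for userPassword and keyPair")
    if method == "userPassword" and "password" not in conn:
        errors.append("password is required for userPassword")

    needs_files = method == "keyPair"
    if method == "oAuthClientCredentials":
        if "useCertificate" not in conn:
            errors.append("useCertificate is required for oAuthClientCredentials")
        elif conn["useCertificate"] is True:
            needs_files = True
    if needs_files:
        files = conn.get("userFiles")
        files = [files] if isinstance(files, dict) else files  # object or list
        if not files:
            errors.append(f"userFiles is required for {method}")
        else:
            for i, f in enumerate(files):
                for field in ("keyName", "content", "userFilename"):
                    if field not in f:
                        errors.append(f"userFiles[{i}] is missing {field}")
                if "keyName" in f and f["keyName"] != KEY_NAME_FOR[method]:
                    errors.append(f"userFiles[{i}].keyName must be {KEY_NAME_FOR[method]!r}")
                if "content" in f and not _is_base64(f["content"]):
                    errors.append(f"userFiles[{i}].content is not base-64 encoded")
    return errors


# Constructed sample: key-pair auth; the file content is a placeholder, not a key.
KEYPAIR_CONN = {
    "hostname": "example.snowflakecomputing.com",
    "database": "TPC",
    "warehouse": "IMMUTA_WH",
    "authenticationMethod": "keyPair",
    "username": "IMMUTA_SVC",
    "userFiles": {
        "keyName": "PRIV_KEY_FILE",
        "content": base64.b64encode(b"placeholder-not-a-real-key").decode(),
        "userFilename": "immuta_rsa_key.p8",
    },
}
# Constructed sample with two defects: no warehouse, and certificate auth
# requested without any userFiles.
BAD_CONN = {
    "hostname": "example.snowflakecomputing.com",
    "database": "TPC",
    "authenticationMethod": "oAuthClientCredentials",
    "useCertificate": True,
}

if __name__ == "__main__":
    for label, conn in (("keypair", KEYPAIR_CONN), ("bad", BAD_CONN)):
        print(label, validate_snowflake_connection(conn) or "ok")
```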
| Attribute | Description | Required or optional |
|---|---|---|
| handler | Databricks | Required |
| ssl (boolean) | Set to true to enable SSL communication with the remote database. | Optional |
| Attribute | Description | Required or optional |
|---|---|---|
| handler | Redshift | Required |
| ssl (boolean) | Set to true to enable SSL communication with the remote database. | Optional |
| Attribute | Description |
|---|---|
| handler | Google BigQuery, Presto, and Trino |
| ssl (boolean) | Set to true to enable SSL communication with the remote database. |
| database (string) | The database name. |
| Attribute | Description | Accepted values |
|---|---|---|
| | Format to be used to name the Immuta table created in this group. | <tablename>, <schema>, <database> |
| schemaProjectNameFormat (string) | Format to be used to name the Immuta schema project created in this group. | <tablename>, <schema>, <database> |
| Attribute | Description | Default value |
|---|---|---|
| | The ID of the domain to assign the data sources to. Use the to retrieve domains and domain IDs. | - |
| hardDelete (boolean) | If true, when the table backing the data source is no longer available, the data source in Immuta is deleted. If this is false, the data source will be disabled. | false |
| tableTags (array) | An array of tags (strings) to place at the data source level on every data source. | - |
| Attribute | Description | Accepted values |
|---|---|---|
| | The ID of the identity manager system the user or group comes from. If excluded, any user/group that matches will be added as an owner. | - |
| Option | Description | Required or optional |
|---|---|---|
| | The specific schema to monitor with schema monitoring. | Optional |
| array | Details about the data source columns. | Optional |
| description (string) | A short description for the data source. | Optional |
| documentation (string) | Markdown-supported documentation for the data source. | Optional |
| naming (object) | Use this object to override the nameTemplate provided for the whole database/schema. | Optional |
| owners (object) | Specify owners for an individual data source. | Optional |
| object | Details about the tags to attach to the data source. | Optional |
| Attribute | Description |
|---|---|
| | The actual data type in the remote database. |
| primaryKey (string) | Specifies whether this is the primary key of the remote table. |
| description (string) | Describes the column. |
| Parameter | Description | Required or optional | Default value |
|---|---|---|---|
| dryRun (boolean) | If true, no updates will actually be made. | Optional | false |
| wait (number) | The number of seconds to wait for data sources to be created before returning. Anything less than 0 will wait indefinitely. | | |
| connectionKey (string) | A key/name to uniquely identify this collection of data sources. | | |
An array of objects that specifies columnName (string) and tags (an array of tags). The listed tags will be applied to the columns.
POST /api/v2/data
Technology-specific examples
Databricks data source with M2M OAuth - Azure Databricks
Databricks Unity Catalog behavior
If you register a connection and a data object has no subscription policy set on it, Immuta will REVOKE access to the data in Databricks for all Immuta users, even if they had been directly granted access to the table in Unity Catalog.
If you disable a Unity Catalog data source in Immuta, all existing grants and policies on that object will be removed in Databricks for all Immuta users. All existing grants and policies will be removed, regardless of whether they were set in Immuta or in Unity Catalog directly.
Databricks data source with overriding the naming convention
Your nativeSchemaFormat must contain _immuta to avoid schema name conflicts.
connectionKey: redshift
connection:
  hostname:
Snowflake data source only registering specific tables
Path parameters
Body parameters
connection object
nameTemplate object
options object
owners object
sources array
Best practices
Register everything and use subscription policies to control access: If you are not tagging individual columns, omit sources to create data sources for all tables in the schema or database, and then use subscription policies to control access to the tables instead of excluding them from Immuta.
Use schema monitoring: Specifying all: true will turn on automatic schema monitoring in Immuta. As tables are added or removed, Immuta will look for those changes on a schedule (by default, once a day) and either disable or delete data sources for removed tables or create data sources for new tables.
This project will be created with an Anyone subscription policy, where anyone can request and will automatically be granted access.
This project will be created with an Anyone who asks (and is approved) subscription policy, where anyone can request access and they will get access when their request is approved.
Any string
Any string
If a user is not registered in Immuta, Immuta will have no effect on that user's access to data in Unity Catalog.
| Attribute | Description | Required or optional |
|---|---|---|
| | Additional connection string options to be used when connecting to the remote database. | Optional |
| authenticationMethod (string) | The type of authentication method to use. Options include oAuthM2M and token. | Required |
| token (string) | The Databricks personal access token for the service principal created for Immuta. | Required if using token authentication. |
| useCertificate (boolean) | Set to true when using client certificate credentials to request an access token. Otherwise, the client secret is used. | Required if using oAuthM2M. |
| clientId (string) | The client identifier of the Immuta service principal you configured. This is the client ID displayed in Databricks when creating the client secret for the service principal. | Required if using oAuthM2M. |
| audience (string) | The audience for the OAuth Client Credential token request. | Required if using oAuthM2M. |
| clientSecret (string) | An application password an app can use in place of a certificate to identify itself. | Required if using oAuthM2M and useCertificate is set to false. |
| certificateThumbprint (string) | The certificate thumbprint to use to generate the JWT for the OAuth Client Credential request. | Required if using oAuthM2M and useCertificate is set to true. |
| scope (string) | The scope limits the operations and roles allowed in Databricks by the access token. See the OAuth 2.0 documentation for details about scopes. | Optional |
| httpPath (string) | The HTTP path of your Databricks cluster or SQL warehouse. | Required |
| Attribute | Description | Required or optional |
|---|---|---|
| database (string) | The database name. | Optional |
| schema (string) | The schema in the remote database. | Required |
| connectionStringOptions (string) | Additional connection string options to be used when connecting to the remote database. | Optional |
| hostname (string) | The hostname of the remote database instance. | Required |
| port (number) | The port of the remote database instance. | Optional |
| authenticationMethod (string) | The type of authentication method to use. Options include userPassword and okta. | Required |
| username (string) | The username used to connect to the remote database. | Required |
| password (string) | The password used to connect to the remote database. | Required |
| idpHost (string) | The Okta identity provider host URL. | Required if using okta. |
| appID (string) | The Okta application ID. | Required if using okta. |
| role (string) | The Okta role. | Required if using okta. |
| Attribute | Description |
|---|---|
| schema (string) | The schema in the remote database. |
| userFiles (array) | Array of objects; each object must have keyName (corresponds to a connection string option), content (base-64 encoded content), and userFilename (the name of the file - for display purposes in the app). |
| connectionStringOptions (string) | Additional connection string options to be used when connecting to the remote database. |
| hostname (string) | The hostname of the remote database instance. |
| port (number) | The port of the remote database instance. |
| authenticationMethod (string) | The type of authentication method to use. Starburst (Trino) and Trino (Presto) options include No Authentication, LDAP Authentication, or Kerberos Authentication. The Google BigQuery option is keyFile. |
| username (string) | The username used to connect to the remote database. |
| password (string) | The password used to connect to the remote database. |
| sid (string) | Required for Google BigQuery: the BigQuery project ID used to build the connection string. |
subscription policy, where users with a specific attribute or in a specific group will automatically be granted access.
| Parameter | Description | Default value |
|---|---|---|
| dryRun (boolean) | If true, no updates will actually be made. | false |
| deleteDataSourcesOnWorkspaceDelete (boolean) | If true, will delete all data and the data sources associated with a project workspace when the workspace is deleted. | false |
| Attribute | Description | Required or optional | Default values | Accepted values |
|---|---|---|---|---|
| projectKey (string) | A key to uniquely identify this project for future API calls. | Required | - | - |
The subscriptionPolicy object allows you to define the policy for how users can subscribe to the project.
| Attribute | Description | Required or optional | Default values | Accepted values |
|---|---|---|---|---|
| type (string) | The type of subscription policy the project will have. | Required | - | anyone: Anyone can subscribe; approval: Anyone can request approval and will be subscribed when it is approved; entitlements: Users with the listed attributes or groups will be subscribed |
This array is required if the policy type is approval in the subscriptionPolicy object. It allows you to define the users who can approve subscription requests.
| Attribute | Description | Required or optional | Default values | Accepted values |
|---|---|---|---|---|
| specificApproverRequired (boolean) | If true, the user to approve the request will be selected by the user requesting access. If false, any user with the required permission can approve the request. | Required if type is approval | - | true, false |
This object is required if the policy type is entitlements in the subscriptionPolicy object. It allows you to define the groups or attributes that users must have to subscribe to the project.
| Attribute | Description | Required or optional | Default values | Accepted values |
|---|---|---|---|---|
| operator (string) | Specify whether all of the circumstances must be met for the user to be subscribed (AND), or just any of them (OR). | Required if type is entitlements | - | all, any |
| Attribute | Description | Required or optional | Default values | Accepted values |
|---|---|---|---|---|
| type (string) | The technology the workspace is in. | Required | - | snowflake, databricks |
POST /api/v2/project
name: A Bare Bones Project
projectKey: simplest possible project
name: Anyone Project
projectKey: Anyone project
documentation: "# Anyone Can See This"
description: "Anyone can join this project"
allowMaskedJoins: false
subscriptionPolicy:
  type: anyone
  automaticSubscription: true
  description: "Auto-subscribe everyone"
tags:
  - Discovered.Person Name
purposes:
  - Use Purposes
  - Purpose Hierarchy.Child 2.Grandchild 2
name: Approval Project
projectKey: Approval project
description: "Need approval to join this project"
allowMaskedJoins: true
subscriptionPolicy:
  type: approval
  approvals:
    - requiredPermission: GOVERNANCE
      specificApproverRequired: true
    - requiredPermission: ADMIN
      specificApproverRequired: false
name: Entitlement Project
projectKey: entitlement project
description: "Need specific entitlements to join this project"
subscriptionPolicy:
  type: entitlements
  automaticSubscription: false
  allowDiscovery: true
  entitlements:
    operator: any
    groups:
      - Engineers
      - Founders
    attributes:
      - name: Auth1
        value: super secret
Projects with workspaces examples
Project with Databricks Spark workspace
Project with Snowflake workspace
Path parameters
Body parameters
subscriptionPolicy object
approvals array
entitlements object
workspace object
manual: Users must be manually added to be subscribed
| Attribute | Description | Required or optional | Default values | Accepted values |
|---|---|---|---|---|
| name (string) | The name of the project. | Required | - | - |
| description (string) | A short description for the project. | Optional | - | - |
| documentation (string) | Markdown-supported documentation for this project. | Optional | - | - |
| allowedMaskedJoins (boolean) | If true, will allow joining on masked columns between data sources in this project. Only certain policies allow masked join. | | | |
name: Snowflake Project
projectKey: snowflake project
datasources:
  - Snowflake Case
  - Snowflake Customer
  - Snowflake Web Sales
workspace:
  type: snowflake
  config:
    schema: SNOWFLAKE_NATIVE
    warehouses:
      - DEMO_WH
tags:
  - Discovered.Passport
Immuta V2 API
Learn about managing data sources and policies using the V2 API
Policy as code benefits
Reduces complexity: The data source API has been simplified to only require the connection information in most instances and one endpoint for all database technologies.
Maintains less state: Whether updating or creating, the same endpoint is used, and the same data is passed. No ids are required, so no additional state is required.
Requires fewer steps: Only an API key is required; no additional authentication step is required before using the API.
Integrates with Git: Define data sources and policies in files that can be tracked in Git and easily pushed to Immuta. Both JSON and YAML are supported for more flexibility. (For example, use YAML to add comments in files.)
All of the API endpoints described below take either JSON or YAML, and the endpoint and payload are the same for both creating and updating data sources, policies, projects, and purposes.
The body of the request contains the details of the policy you want to create. The following table describes the attributes you can include in the body.
Attribute
Description
Required or optional
Default value
Accepted values
The actions object describes the rules of the policy.
Attribute
Description
Required or optional
Default value
Accepted values
This array is required if the policy type is approval in the . It allows you to define the users who can approve subscription requests.
Attribute
Description
Required or optional
Default value
Accepted values
This object is required if the policy type is entitlements in the . It allows you to define the groups or attributes that users must have to subscribe to the project.
Attribute
Description
Required or optional
Default value
Accepted values
The circumstances array dictates what data sources the policy will be applied to. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period.
Attribute
Description
Required or optional
Default value
Accepted values
The certification object contains the details of the certification for the policy.
Attribute
Description
Required or optional
Default value
Accepted values
false
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| | The name of the policy that will be displayed in the Immuta UI. | Required | - | - |
| type (string) | The type of policy. | Required | - | subscription, data |
| object | The actual rules for this policy. | Required | - | - |
| array | When and where the policy should get applied. | Optional | - | - |
| circumstanceOperator (string) | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | any | all, any |
| staged (boolean) | If true, this global policy is in a staged status. | Optional | false | true, false |
| object | Certification information for the global policy. | Optional | - | - |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| | When true, users will be automatically subscribed to the data source without having to take action. | Optional | false | true, false |
| allowDiscovery (boolean) | When true, users can see the data source in the Immuta UI, even if they do not have the attributes and groups specified by the policy. | Optional | false | true, false |
| advanced (string) | An advanced function to use as the subscription policy. See the for details about the functions Immuta supports. | Optional | - | - |
| description (string) | The rationale for your policy. | Optional | - | - |
| array | Details about the user(s) that will approve subscription requests. | Required if type is approval | - | - |
| object | Details about the entitlements required for users to subscribe to the data sources. | Required if type is entitlements | - | - |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| | The required permissions for the user approving the subscription request. | Required | - | USER_ADMIN, GOVERNANCE, AUDIT |
| | The names of the groups the user must be a member of to subscribe to the data source. | Requires either groups or attributes | - | - |
| attributes (array[object]) | Details about attributes the user must have to subscribe to the data source. | Requires either groups or attributes | - | - |
| attributes.name (string) | The name of the attribute the user must have to subscribe to the data source. This is commonly referred to as a key. | Required if using attributes | - | - |
| attributes.value (string) | The value of the attribute the user must have to subscribe to the data source. | Required if using attributes | - | - |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| | The tag to dictate when the policy is applied. | Required if type is tags. | - | - |
| columnTag (string) | The column tag to dictate when the policy is applied. | Required if type is columnTags. | - | - |
| regex (string) | The regex to match against column names and apply the policy when found. | Required if type is columnRegex. | - | - |
| caseInsensitive (boolean) | If true, the regex is case insensitive. Use with type columnRegex. | Optional | - | true, false |
| server (string) | Specifies the server that contains the data sources the policy should be applied to. | Required if type is server | - | - |
| startDate (string) | Specifies to apply policies to data sources created on or after this date and before the endDate. | Required if type is time | - | - |
| endDate (string) | Specifies to apply policies to data sources created before this date and after the startDate. | Optional | - | - |
| domains (array[object]) | Specifies to apply policies to data sources in the listed domains. | Required if type is domains. | - | - |
| domains.id (string) | The unique ID of the domain. | Requires either domains.id or domains.name if type is domains. | - | - |
| domains.name (string) | The name of the domain. | Requires either domains.id or domains.name if type is domains. | - | - |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| | The label that appears when the policy has been certified. | Required | - | - |
| tags (array[string]) | Tags that impact the certification. | Optional | - | - |
| recertify (boolean) | When true, data owners must re-certify all data sources this policy applies to. If true (and if the certification has changed), someone will need to re-certify this policy on all impacted data sources. | | | |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| policyKey (string) | A key/name to uniquely identify this policy. | Required | - | - |
| type (string) | The type of subscription policy. | Required | - | anyone: Anyone can subscribe; approval: Anyone can request approval and will be subscribed when it is approved; entitlements: Users with the listed attributes or groups will be subscribed; manual: Users must be manually added to be subscribed |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| specificApproverRequired (boolean) | If true, the user to approve the request will be selected by the user requesting access. If false, any user with the required permission can approve the request. | Required | - | true, false |
| operator (string) | Specifies whether users must have all or any of the entitlements to be eligible to subscribe to the data source. | Required | - | all, any |
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| type (string) | Specifies how to determine whether or not to apply the policy to the data source. | Optional | Defaults to all data sources | tags: Apply the policy when the data source has these tags; columnRegex: Apply the policy when the data source has column names that match the regex; columnTags: Apply the policy when the data source has columns with these tags; domains: Apply the policy to data sources in these domains; null: Apply the policy to data sources when it is selected by data owners; server: Apply the policy to data sources in this server; time: Apply the policy to data sources created in a specific time period |
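An evaluator for the circumstance types listed above, combined with circumstanceOperator, lets you check a policy-as-code file against a catalogue export and see which data sources it will target before the policy leaves staged status. This is an added example, not Immuta code. The data source record shape (tags, columns, server, createdAt, domain) is a constructed model, and treating a circumstance tag as matching its child tags (Discovered matches Discovered.Person Name) is an assumption about Immuta's hierarchical tags.

```python
"""Evaluate a global policy's `circumstances` against a data source record.

Added example, not Immuta code. Implements the circumstance types listed on
this page (tags, columnTags, columnRegex, domains, null, server, time) and
the circumstanceOperator any/all combination.
"""
import re
from datetime import date


def _tag_matches(wanted: str, present: list[str]) -> bool:
    # Assumption: a tag matches itself and any child tag beneath it.
    return any(t == wanted or t.startswith(wanted + ".") for t in present)


def _circumstance_holds(c: dict, ds: dict) -> bool:
    kind = c.get("type")
    columns = ds.get("columns", [])
    if kind is None:  # null: applied only when a data owner selects the policy
        return False
    if kind == "tags":
        return _tag_matches(c["tag"], ds.get("tags", []))
    if kind == "columnTags":
        return any(_tag_matches(c["columnTag"], col.get("tags", [])) for col in columns)
    if kind == "columnRegex":
        pattern = re.compile(c["regex"], re.IGNORECASE if c.get("caseInsensitive") else 0)
        return any(pattern.search(col["name"]) for col in columns)
    if kind == "server":
        return ds.get("server") == c["server"]
    if kind == "time":  # created on/after startDate and, if given, before endDate
        created = date.fromisoformat(ds["createdAt"])
        if created < date.fromisoformat(c["startDate"]):
            return False
        return "endDate" not in c or created < date.fromisoformat(c["endDate"])
    if kind == "domains":  # either domains.id or domains.name may be given
        dom = ds.get("domain", {})
        return any(("id" in d and d["id"] == dom.get("id"))
                   or ("name" in d and d["name"] == dom.get("name"))
                   for d in c["domains"])
    raise ValueError(f"unknown circumstance type: {kind!r}")


def policy_applies(policy: dict, ds: dict) -> bool:
    """True if the policy's circumstances select this data source."""
    circumstances = policy.get("circumstances") or []
    if not circumstances:  # no circumstances: applies to all data sources
        return True
    results = [_circumstance_holds(c, ds) for c in circumstances]
    operator = policy.get("circumstanceOperator", "any")
    if operator == "all":
        return all(results)
    if operator == "any":
        return any(results)
    raise ValueError(f"unknown circumstanceOperator: {operator!r}")


# Constructed policy: name columns on data sources registered since 2024.
PII_POLICY = {
    "name": "Mask person names",
    "type": "data",
    "circumstanceOperator": "all",
    "circumstances": [
        {"type": "columnTags", "columnTag": "Discovered.Person Name"},
        {"type": "time", "startDate": "2024-01-01"},
    ],
}
# Constructed catalogue entries.
CUSTOMER = {
    "name": "tpc.customer", "server": "example.snowflakecomputing.com",
    "createdAt": "2024-03-10", "domain": {"id": "d1", "name": "Sales"},
    "columns": [{"name": "C_NAME", "tags": ["Discovered.Person Name"]},
                {"name": "C_CUSTKEY", "tags": []}],
}
LEGACY = dict(CUSTOMER, name="tpc.customer_2023", createdAt="2023-06-01")

if __name__ == "__main__":
    for ds in (CUSTOMER, LEGACY):
        print(ds["name"], "->", policy_applies(PII_POLICY, ds))
```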
| Attribute | Description |
|---|---|
| text (string) | The text that appears when a data owner attempts to certify a policy. |
The body of the request contains the purpose details. The following attributes are available:
Attribute
Description
Required or optional
The subpurposes array allows you to define a hierarchy of purposes, where each subpurpose can have its own acknowledgement and can be used to further categorize data usage. Each subpurpose can itself have a subpurposes array, allowing for nested hierarchies.
Attribute
Description
Required or optional
| Attribute | Description | Required or optional |
|---|---|---|
| | The acknowledgement that users must agree to when joining a project with this purpose. If not provided, the system default will be used. | Optional |
| array | The subpurposes of the purpose. | Optional |
| | Nested subpurposes. | Optional |
subpurposes:
  - name: Purpose Hierarchy.Child 1
    acknowledgement: Override the root acknowledgement
    subpurposes:
      - name: Purpose Hierarchy.Child 1.Grandchild 1
      - name: Purpose Hierarchy.Child 1.Grandchild 2
  - name: Purpose Hierarchy.Child 2
    subpurposes:
      - name: Purpose Hierarchy.Child 2.Grandchild 1
      - name: Purpose Hierarchy.Child 2.Grandchild 2
| Parameter | Description | Default value |
|---|---|---|
| | If true, no updates will actually be made. | false |
| reAcknowledgeRequired (boolean) | If true, will require all users of any projects using this purpose to re-acknowledge any updated acknowledgement statements. | false |
| Attribute | Description | Required or optional |
|---|---|---|
| name (string) | The name of the purpose. | Required |
| description (string) | A short description for the purpose. | Optional |
| name (string) | The name of the subpurpose. | Required |
| acknowledgement (string) | The acknowledgement that users must agree to when joining a project with this subpurpose. If not provided, the system default will be used. | |
This simple masking policy masks all columns with no tags using a hash function.
name: Hashing
policyKey: data mask hashing
type
This complex masking policy masks columns with specific tags using a constant value, but only if the user does not have certain attributes. If the user has the auth attribute set to SOMETHING_ELSE or auth1 set to super secret, the masking policy will not be applied.
Parameter
Description
Required or optional
Default value
The body of the request contains the details of the policy you want to create. The following table describes the attributes you can include in the body.
Attribute
Description
Required or optional
Default value
Accepted values
The actions array contains one or more rules arrays that describe the rules of the policy. Each rules array can have its own configuration and exceptions.
Attribute
Description
Required or optional
Accepted values
The config object contains the details of the policy configuration. This includes the fields the policy will be applied to and the masking configuration.
Attribute
Description
Required or optional
Accepted values
The fields array specifies which columns the policy will be applied to. You can specify columns by tags, regex, or all columns.
Attribute
Description
Required or optional
Accepted values
The maskingConfig object contains the details of the masking policy. You can specify the type of masking, the constant value to use, or a regular expression to match against.
Attribute
Description
Required or optional
Accepted values
The exceptions object specifies the users that will not be affected by the policy. You can specify exceptions based on purposes or attributes.
Attribute
Description
Required or optional
Accepted values
The circumstances array dictates what data sources the policy will be applied to. For example, you could specify to apply the policy to data sources that have specific tags or to data sources created during a certain time period.
Attribute
Description
Required or optional
Default value
Accepted values
The certification object contains the details of the certification for the policy.
Attribute
Description
Required or optional
Default value
Accepted values
false
| Attribute | Description | Required or optional | Default value | Accepted values |
|---|---|---|---|---|
| | The name of the policy that will be displayed in the Immuta UI. | Required | - | - |
| type (string) | The type of policy. | Required | - | subscription, data |
| array | The actual rules for this policy. | Required | - | - |
| array | When and where the policy should get applied. | Optional | - | - |
| circumstanceOperator (string) | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | any | all, any |
| staged (boolean) | If true, this global policy is in a staged status. | Optional | false | true, false |
| object | Certification information for the global policy. | Optional | - | - |
Masking
Minimization
Purpose Restriction
| Attribute | Description | Required or optional | Accepted values |
|---|---|---|---|
| object | Details about the configuration of the policy. | Required | - |
| rules.inclusions (object) | The specific users this policy is meant to affect. If you use inclusions, you must add a second rules array for the other users. | Optional | - |
| rules.inclusions.groups (array[string]) | Group names. Users in these groups will be affected by the rules in this rules array. | Required for rules.inclusions | - |
| object | These are the users the policy is not meant to target. | Optional | - |
| Attribute | Description | Required or optional | Accepted values |
|---|---|---|---|
| conditionalPredicate (string) | to dictate where the policy is applied. | Optional | - |
| operator (string) | Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR). | Optional | any |
| purposes (array[string]) | Purpose names. Restriction to the data will be applied to everyone except users acting under these purposes. | Required if rules.type is Purpose Restriction | - |
| percent (integer) | Specifies the percentage of the data to show. | Required if rules.type is Minimization | - |
| isOlderOrNewer (string) | Specifies if the policy should be applied to columns older or newer than the provided time. | Required if rules.type is Time Restriction | newer, older |
| time (integer) | The time (in seconds) that the row must be older or newer than to be visible. | Required if rules.type is Time Restriction | - |
| predicate (string) | to dictate what rows are visible. | Required if rules.type is Row Restriction by Custom Where Clause | - |
| matches (object) | The user entitlements that must match the value in the specified column for the row to show. | Required if rules.type is Row Restriction By User Entitlements | - |
| matches.type (string) | The type of user entitlements to base the policy on. | Required if rules.type is Row Restriction By User Entitlements | Group, Attribute, Purpose |
| matches.tag (string) | The tag of the column whose data must match the user's entitlement. | Required if rules.type is Row Restriction By User Entitlements | - |
| Attribute | Description | Required or optional | Accepted values |
|---|---|---|---|
| regex (string) | The regex to match against column names and apply the policy when found. | Required if type is columnRegex | - |
| caseInsensitive (boolean) | If true, the regex is case insensitive. Use with the columnRegex type. | Optional | true, false |
| Attribute | Description | Required or optional | Accepted values |
|---|---|---|---|
| regex (string) | The regular expression that identifies the portion of the value to mask. | Required if type is Regular Expression | - |
| replacement (string) | The string that will replace the portion of the value identified by the regular expression to mask. | Required if type is Regular Expression | - |
| caseInsensitive (boolean) | If true, the regex is case insensitive. Use with the Regular Expression type. | Optional | true, false |
| timePrecision (string) | Specifies where Immuta will round the time to. | Requires timePrecision or bucketSize if type is Grouping | HOUR, DAY, MONTH |
| bucketSize (integer) | The bucket size to round to. | Requires timePrecision or bucketSize if type is Grouping | - |
attributesarray[object]
Attribute names and values. Users with these attributes will not be affected by this policy.
Requires either purposes or attributes
-
attributes.namestring
An attribute name.
Required if attributes is used
-
attributes.valuestring
An attribute value.
Required if attributes is used
-
The tag to dictate when the policy is applied.
Required if type is tags
-
-
columnTagstring
The column tag to dictate when the policy is applied.
Required if type is columnTags
-
-
regexstring
The regex to match against column names and apply the policy when found.
Required if type is columnRegex
-
-
caseInsensitiveboolean
If true, the regex is case insensitive. Use with columnRegextype.
Optional
-
true
false
serverstring
Specifies the server that contains the data sources the policy should be applied to.
Required if type is server
-
-
startDatestring
Specifies to apply policies to data sources created on or after this date and before the endDate.
Required if type is time
-
-
endDatestring
Specifies to apply policies to data sources created before this date and after the startDate.
Optional
-
-
domainsarray[object]
Specifies to apply policies to data sources in the listed domains.
Required if type is domains
-
-
domains.idstring
The unique ID of the domain.
Requires either domains.id or domains.name if type is domains
-
-
domains.namestring
The name of the domain.
Requires either domains.id or domains.name if type is domains
-
-
The label that appears when the policy has been certified.
Required
-
-
tagsarray[string]
Tags that impact the certification.
Optional
-
-
recertifyboolean
When true, data owners must re-certify all data sources this policy applies to.
Optional
false
true
false
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: noTags
          maskingConfig:
            type: Hash
    circumstances:
      - type: noTags
dryRun (boolean): If true, no updates will actually be made. Optional. Default: false.
reCertify (boolean): If true (and if the certification has changed), someone will need to re-certify this policy on all impacted data sources.
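The conditional requirements in the tables above are easy to get wrong in a policy-as-code pipeline, and dryRun=true only catches them once the body reaches the server. As an added example (not Immuta's code or API), this offline pre-flight check encodes the requirements the tables state; it assumes the policy body has already been parsed from YAML or JSON into a Python dict.

```python
# Added example, not Immuta's code: offline pre-flight check of a v2 policy body against
# the conditional requirements in the tables above, for a policy-as-code pipeline.

# rules.type -> config keys the table marks "Required if rules.type is ..."
REQUIRED_CONFIG = {"Purpose Restriction": ("purposes",), "Minimization": ("percent",),
                   "Time Restriction": ("isOlderOrNewer", "time"),
                   "Row Restriction by Custom Where Clause": ("predicate",),
                   "Row Restriction By User Entitlements": ("matches",)}
# circumstances[].type -> key the table marks "Required if type is ..."
REQUIRED_CIRCUMSTANCE_KEY = {"tags": "tag", "columnTags": "columnTag", "columnRegex": "regex",
                             "server": "server", "time": "startDate", "domains": "domains"}


def validate_rule(rule):
    """Return the problems found in one actions[].rules[] entry."""
    problems = []
    rtype, cfg = rule.get("type"), rule.get("config", {})
    for key in REQUIRED_CONFIG.get(rtype, ()):
        if key not in cfg:
            problems.append(f"{rtype}: config.{key} is required")
    if rtype == "Time Restriction" and cfg.get("isOlderOrNewer") not in ("newer", "older"):
        problems.append("isOlderOrNewer must be 'newer' or 'older'")
    if rtype == "Row Restriction By User Entitlements":
        m = cfg.get("matches", {})
        if m.get("type") not in ("Group", "Attribute", "Purpose") or "tag" not in m:
            problems.append("matches needs type (Group/Attribute/Purpose) and tag")
    mc = cfg.get("maskingConfig", {})
    if mc.get("type") == "Grouping" and "timePrecision" not in mc and "bucketSize" not in mc:
        problems.append("Grouping requires timePrecision or bucketSize")
    if mc.get("type") == "Regular Expression" and not ("regex" in mc and "replacement" in mc):
        problems.append("Regular Expression masking requires regex and replacement")
    return problems


def validate_policy(policy):
    """Collect problems across every action's rules and circumstances."""
    problems = []
    for action in policy.get("actions", []):
        for rule in action.get("rules", []):
            problems += validate_rule(rule)
        for circ in action.get("circumstances", []):
            key = REQUIRED_CIRCUMSTANCE_KEY.get(circ.get("type"))
            if key and key not in circ:
                problems.append(f"circumstance {circ['type']}: {key} is required")
    return problems

# Constructed input: the "Row Level By Time" body shown on this page (yields no problems).
ROW_LEVEL_BY_TIME = {"type": "data", "actions": [{"rules": [{"type": "Time Restriction",
    "config": {"isOlderOrNewer": "newer", "time": 2592000}}],
    "circumstances": [{"type": "tags", "tag": "Discovered.PCI"}]}]}
```

Run validate_policy on each body your pipeline is about to POST and fail the pipeline step when the returned list is non-empty; the server-side dryRun remains the authoritative check.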
name: Null using column regex
policyKey: data mask null
type
Randomized response
Support limitation: This policy is only supported in Snowflake integrations.
name: Random Categorical
policyKey: data mask random response
type
Randomized response with a standard deviation
Sample data is processed during computation of randomized response policies

When a randomized response policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process. To enforce the policy, Immuta generates and stores predicates and a list of allowed replacement values, which may contain data that is subject to regulatory constraints (such as GDPR or HIPAA), in Immuta's metadata database. The location of the metadata database depends on your deployment:
Self-managed Immuta deployment: The metadata database is located on the server where your external metadata database is deployed.
SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta in. To ensure this process does not violate your organization's data localization regulations, you must first activate this masking policy type before you can use it in your Immuta tenant. To enable randomized response for your account, see the .
Using a regex
With reversibility
Using date rounding
Using rounding with fingerprint
Using numeric rounding
Minimization
Purpose restrictions
Row-level
By time
Where user
Custom where clause
Path parameters
Body parameters
actions array
config object
fields array
maskingConfig object
exceptions object
circumstances array
certification object
name: Mask with Constant
policyKey: data mask constant
type: data
actions:
  - rules:
      - type: Masking
        exceptions:
          operator: any
          attributes:
            - name: auth
              value: SOMETHING_ELSE
            - name: auth1
              value: super secret
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Country
            - type: columnTags
              columnTag: Discovered.Passport
          maskingConfig:
            type: Constant
            constant: REDACTED
    circumstanceOperator: any
    circumstances:
      - type: columnTags
        columnTag: Discovered.Country
      - type: columnTags
        columnTag: Discovered.Passport

name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Social Security Number
          maskingConfig:
            type: Reversible
        exceptions:
          groups:
            - founders
    circumstances:
      - type: columnTags
        columnTag: Discovered.Entity.Social Security Number

name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Date
          maskingConfig:
            type: Grouping
            timePrecision: MONTH
    circumstances:
      - type: columnTags
        columnTag: Discovered.Entity.Date

name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Date
          maskingConfig:
            type: Grouping
    circumstances:
      - type: columnTags
        columnTag: Discovered.Entity.Date

name: Row Level By Time
policyKey: data row-level
type: data
actions:
  - rules:
      - type: Time Restriction
        config:
          isOlderOrNewer: newer
          time: 2592000
    circumstances:
      - type: tags
        tag: Discovered.PCI

name: Row Level Where User
policyKey: data where user
type: data
actions:
  - rules:
      - type: Row Restriction By User Entitlements
        config:
          operator: all
          matches:
            type: Group
            tag: Discovered.Entity
    circumstanceOperator: any
    circumstances:
      - type: columnTags
        columnTag: Discovered.Entity

name: Row Level Where
policyKey: data custom where
type: data
actions:
  - rules:
      - type: Row Restriction by Custom Where Clause
        config:
          predicate: "@columnTagged('Discovered.Country') in ('USA', 'CANADA', 'MEXICO')"
    circumstances:
      - type: tags
        tag: Discovered.Country