type string

The type of policy.

Required

-

• subscription

• data

object

The actual rules for this policy.

Required

-

-

array

When and where the policy should get applied.

Optional

-

-

circumstanceOperator string

Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR).

Optional

any

• all

• any

staged boolean

If true, this global policy is in a staged status.

Optional

false

• true

• false

object

Certification information for the global policy.

Optional

-

-

allowDiscovery boolean

When true, users can see the data source in the Immuta UI, even if they do not have the attributes and groups specified by the policy.

Optional

false

• true

• false

advanced string

An advanced function to use as the subscription policy. See the for details about the functions Immuta supports.

Optional

-

-

description string

The rationale for your policy.

Optional

-

-

array

Details about the user(s) that will approve subscription requests.

Required if type is approval

-

-

object

Details about the entitlements required for users to subscribe to the data sources.

Required if type is entitlements

-

-

attributes array[object]

Details about attributes the user must have to subscribe to the data source.

Requires either groups or attributes

-

-

attributes.name string

The name of the attribute the user must have to subscribe to the data source. This is commonly referred to as a key.

Required if using attributes

-

-

attributes.value string

The value of the attribute the user must have to subscribe to the data source.

Required if using attributes

-

-

columnTag string

The column tag to dictate when the policy is applied.

Required if type is columnTags.

-

-

regex string

The regex to match against column names and apply the policy when found.

Required if type is columnRegex.

-

-

caseInsensitive boolean

If true, the regex is case insensitive. Use with type columnRegex.

Optional

-

• true

• false

server string

Specifies the server that contains the data sources the policy should be applied to.

Required if type is server

-

-

startDate string

Specifies to apply policies to data sources created on or after this date and before the endDate.

Required if type is time

-

-

endDate string

Specifies to apply policies to data sources created before this date and after the startDate.

Optional

-

-

domains array[object]

Specifies to apply policies to data sources in the listed domains.

Required if type is domains.

-

-

domains.id string

The unique ID of the domain.

Requires either domains.id or domains.name if type is domains.

-

-

domains.name string

The name of the domain.

Requires either domains.id or domains.name if type is domains.

-

-

tags array[string]

Tags that impact the certification.

Optional

-

-

recertify boolean

When true, data owners must re-certify all data sources this policy applies to.

Optional

false

• true

• false

array

The subpurposes of the purpose.

Optional

type string

The type of policy.

Required

-

• subscription

• data

array

The actual rules for this policy.

Required

-

-

array

When and where the policy should get applied.

Optional

-

-

circumstanceOperator string

Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR).

Optional

any

• all

• any

staged boolean

If true, this global policy is in a staged status.

Optional

false

• true

• false

object

Certification information for the global policy.

Optional

-

-

object

Details about the configuration of the policy.

Required

-

rules.inclusions object

The specific users this policy is meant to affect. If you use inclusions, you must add a second rules array for the other users. .

Optional

-

rules.inclusions.groups array[string]

Group names. Users in these groups will be affected by the rules in this rules array.

Required for rules.inclusions

-

object

These are the users the policy is not meant to target.

Optional

-

conditionalPredicate string

to dictate where the policy is applied.

Optional

-

operator string

Specifies whether all of the circumstances must be met for the policy to be applied (AND), or just any of them (OR).

Optional

any

purposes array[string]

Purpose names. Restriction to the data will be applied to everyone except users acting under these purposes.

Required if rules.type is Purpose Restriction

-

percent integer

Specifies the percentage of the data to show.

Required if rules.type is Minimization

-

isOlderOrNewer string

Specifies if the policy should be applied to columns older or newer than the provided time.

Required if rules.type is Time Restriction

• newer

• older

time integer

The time (in seconds) that the row must be older or newer than to be visible.

Required if rules.type is Time Restriction

-

predicate string

to dictate what rows are visible.

Required if rules.type is Row Restriction by Custom Where Clause

-

matches object

The user entitlements that must match the value in the specified column for the row to show.

Required if rules.type is Row Restriction By User Entitlements

-

matches.type string

The type of user entitlements to base the policy on.

Required if rules.type is Row Restriction By User Entitlements

• Group

• Attribute

• Purpose

matches.tag string

The tag of the column that's data must match the user's entitlement.

Required if rules.type is Row Restriction By User Entitlements

-

regex string

The regex to match against column names and apply the policy when found.

Required if type is columnRegex

-

caseInsensitive boolean

If true, the regex is case insensitive. Use with columnRegex type.

Optional

• true

• false

regex string

The regular expression that identifies the portion of the value to mask.

Required if type is Regular Expression

-

replacement string

The string that will replace the portion of the value identified by the regular expression to mask.

Required if type is Regular Expression

-

caseInsensitive boolean

If true, the regex is case insensitive. Use with Regular Expression type.

Optional

• true

• false

timePrecision string

Specifies where Immuta will round the time to.

Requires timePrecision or bucketSize if type is Grouping

• HOUR

• DAY

• MONTH

bucketSize integer

The bucket size to round to.

Requires timePrecision or bucketSize if type is Grouping

-

attributes array[object]

Attribute names and values. Users with these attributes will not be affected by this policy.

Requires either purposes or attributes

-

attributes.name string

An attribute name.

Required if attributes is used

-

attributes.value string

An attribute value.

Required if attributes is used

-

columnTag string

The column tag to dictate when the policy is applied.

Required if type is columnTags

-

-

regex string

The regex to match against column names and apply the policy when found.

Required if type is columnRegex

-

-

caseInsensitive boolean

If true, the regex is case insensitive. Use with columnRegex type.

Optional

-

• true

• false

server string

Specifies the server that contains the data sources the policy should be applied to.

Required if type is server

-

-

startDate string

Specifies to apply policies to data sources created on or after this date and before the endDate.

Required if type is time

-

-

endDate string

Specifies to apply policies to data sources created before this date and after the startDate.

Optional

-

-

domains array[object]

Specifies to apply policies to data sources in the listed domains.

Required if type is domains

-

-

domains.id string

The unique ID of the domain.

Requires either domains.id or domains.name if type is domains

-

-

domains.name string

The name of the domain.

Requires either domains.id or domains.name if type is domains

-

-

tags array[string]

Tags that impact the certification.

Optional

-

-

recertify boolean

When true, data owners must re-certify all data sources this policy applies to.

Optional

false

• true

• false

description string

A short description for the project.

Optional

-

-

documentation string

Markdown-supported documentation for this project.

Optional

-

-

allowedMaskedJoins boolean

If true, will allow joining on masked columns between data sources in this project. Only certain policies allow masked join.

Optional

false

• true

• false

purposes string[]

The list of purposes to add to this project.

Optional

-

-

datasources string[]

The list of data sources to add to this project.

Optional

-

-

object

The policy that determines which users can subscribe to the project.

Optional

Defaults to manual subscription if the object is omitted

-

object

If this is a workspace project, this is the workspace configuration. The project will automatically be equalized.

Optional

-

-

equalization boolean

If true, will normalize all users to the same entitlements so that everyone sees the same data.

Optional

false

• true

• false

tags array[]

Tags to add to the project.

Optional

-

-

description string

A description of the policy.

Optional

-

-

array[object]

Details about the user that will approve subscription requests.

Required if type is approval

-

-

object

Details about the entitlements required for users to subscribe to the project.

Required if type is entitlements

-

-

attributes object

Details about attributes the user must have to subscribe to the project.

Requires either groups or attributes

-

-

attributes.name string

The name of the attribute the user must have to subscribe to the project. This is commonly referred to as a key.

Required if using attributes

-

-

attributes.value string

The value of the attribute the user must have to subscribe to the project.

Required if using attributes

-

-

config.schema string

Your project workspace will exist within this schema in Snowflake under the database configured by the application admin.

Required when type is snowflake

-

config.warehouses array

These are the Snowflake warehouses that will be available to project members when they are working in the Snowflake workspace.

Required when type is snowflake

-

config.database string

The Databricks database the workspace will be in.

Required when type is databricks

-

config.directory string

The Databricks directory the workspace will be in.

Required when type is databricks

-

config.workspaceConfigurationName string

The Databricks workspace configuration name.

Required when type is databricks

-