Skip to content

You are viewing documentation for Immuta version 2023.2.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Create Policies API Examples

Audience: Data Engineers

Content Summary: This page contains example request payloads for creating policies.

Subscription Policies

Anyone Can Subscribe

name: Anyone
policyKey: subscription anyone
type: subscription
actions:
  type: anyone
  automaticSubscription: false
  description: Rationale
circumstances:
- type: tags
  tag: Discovered

Anyone Can Subscribe When Approved

name: Approval
policyKey: subscription approval
type: subscription
actions:
  type: approval
  approvals:
  - specificApproverRequired: false
    requiredPermission: OWNER
  - specificApproverRequired: true
    requiredPermission: GOVERNANCE
  description: Rationale
circumstances:
- type: columnTags
  columnTag: Discovered

Users with Specific Groups or Attributes

name: Entitlement
policyKey: subscription entitlements
type: subscription
actions:
  type: entitlements
  entitlements:
    operator: any
    groups:
    - Employee
    attributes:
    - name: auth1
      value: SOMETHING_ELSE
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false

Users with Specific Groups or Attributes (Advanced)

name: Advanced Entitlement
policyKey: subscription entitlements advanced boolean
type: subscription
actions:
  type: entitlements
  advanced: "@isInGroups('Engineers', 'Founders'') AND @hasAttribute('Auth1', 'Super Secret')"
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false

Individual Users You Select

name: Manual
policyKey: subscription manual
type: subscription
actions:
  type: manual
  description: Rationale

Data Policies

Data Owner Restrictions

name: Owner Restricted Policy
policyKey: data owner restriction
type: data
ownerRestrictions:
  users:
  - iamid: bim
    username: user@example.com
  groups:
  - engineers
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.PII

Masking Policies

Conditional Masking

name: Conditional Masking
policyKey: data conditional masking
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
      maskingConfig:
        type: Hash
circumstanceOperator: all
circumstances:
- type: columnTags
  columnTag: Discovered.PII
- type: columnTags
  columnTag: Discovered.Country

Conditional Masking (Using Otherwise Clause)

name: Conditional
policyKey: data mask otherwise
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: "Null"
    inclusions:
      groups:
      - Employee
  - type: Masking
    exceptions:
      purposes:
      - Re-identification Prohibited
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.Country

With a Constant

name: Mask with Constant
policyKey: data mask constant
type: data
actions:
- rules:
  - type: Masking
    exceptions:
      operator: any
      attributes:
      - name: auth
        value: SOMETHING_ELSE
      - name: auth1
        value: super secret
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Constant
        constant: REDACTED
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.Country
- type: columnTags
  columnTag: Discovered.PII

Format Preserving Masking

name: Format Preserving Masking
policyKey: data mask fpe
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered
      maskingConfig:
        type: Format Preserving Masking
circumstances:
- type: columnTags
  columnTag: Discovered

With Hashing (No Tags)

name: Hashing
policyKey: data mask hashing
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: noTags
      maskingConfig:
        type: Hash
circumstances:
  - type: noTags

K-Anonymization (Using Fingerprint)

name: K-Anonymization Using Fingerprint on any tags
policyKey: masking kanon using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
circumstances:
- type: anyTag

K-Anonymization (by Specifying K)

name: K-Anonymization using kLevel
policyKey: data mask kanon specifying k
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        kLevel: 5
circumstances:
- type: anyTag

K-Anonymization (by Specifying Re-identification Probability)

name: K-Anonymization using reIdProbability
policyKey: data mask kanon specifying re-id
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        reIdProbability: 15
circumstances:
- type: anyTag

Make Null Using Column Regex

name: Null using column regex
policyKey: data mask null
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnRegex
        regex: ssn
        caseInsensitive: true
      maskingConfig:
        type: "Null"
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: true

Randomized Response

name: Random Categorical
policyKey: data mask random response
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        replacementRatePercent: 10

Randomized Response (by Specifying Standard Deviation)

name: Random Numeric
policyKey: data mask random response specifying stddev
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        stddev: 2
        clip: false

Using a Regex

name: Regex
policyKey: data mask regex
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Postal Code
      maskingConfig:
        type: Regular Expression
        regex: "(\\d{4})(\\d)"
        replacement: "$1X"
        caseInsensitive: true
        global: true
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Postal Code

With Reversibility

name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Social Security Number
      maskingConfig:
        type: Reversible
    exceptions:
      groups:
      - founders
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Social Security Number

Using Rounding (Date)

name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
- rules:
  - type: Masking
    exceptions:
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        timePrecision: MONTH
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date

Using Rounding (Using Fingerprint)

name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date

Using Rounding (Numeric)

name: RoundingNumeric
policyKey: data mask round numeric
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        bucketSize: 10
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date

Minimize Data Created Between

name: Minimize
policyKey: data minimize
type: data
actions:
- rules:
  - type: Minimization
    config:
      percent: 15
circumstances:
- type: time
  startDate: '2020-12-01T16:23:54.734Z'
  endDate: '2020-12-31T16:23:54.745Z'

Purpose Restrictions

Any Purpose

name: Purpose
policyKey: data purpose restriction
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
        operator: any
        purposes:
        - "<ANY PURPOSE>"

Purpose in Server

name: Purpose in a specific server
policyKey: data server circumstance
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
        purposes:
          - Re-identification Prohibited
circumstances:
- type: server
  server: your@server.example.com:5432/tpc

Row Redaction

By Time

name: Row Level By Time
policyKey: data row-level
type: data
actions:
- rules:
  - type: Time Restriction
    config:
      isOlderOrNewer: newer
      time: 2592000
circumstances:
- type: tags
  tag: Discovered.PCI

Where User

name: Row Level Where User
policyKey: data where user
type: data
actions:
- rules:
  - type: Row Restriction By User Entitlements
    config:
      operator: all
      matches:
        type: group
        tag: Discovered.Entity
circumstanceOperator: ANY
circumstances:
- type: columnTags
  columnTag: Discovered.Entity

Custom Where Clause

name: Row Level Where
policyKey: data custom where
type: data
actions:
- rules:
  - type: Row Restriction by Custom Where Clause
    config:
      predicate: "@columnTagged('Discovered.Country')  in ('USA', 'CANADA', 'MEXICO')"
circumstances:
- type: tags
  tag: Discovered.Country

Multiple Policies

name: Multiple
policyKey: data multiple
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Hash
  description: 'PII Rule'
- rules:
  - type: Minimization
    config:
      percent: 25
  description: 'PII Rule, also'
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PHI
      maskingConfig:
        type: "Null"
  description: 'PHI Rule'
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.PII
- type: columnTags
  columnTag: Discovered.PHI