Create Policies API Examples
Audience: Data Engineers
Content Summary: This page contains example request payloads for creating policies.
Subscription Policies
Anyone Can Subscribe
```yaml
name: Anyone
policyKey: subscription anyone
type: subscription
actions:
  type: anyone
  automaticSubscription: false
  description: Rationale
circumstances:
  - type: tags
    tag: Discovered
```
Anyone Can Subscribe When Approved
```yaml
name: Approval
policyKey: subscription approval
type: subscription
actions:
  type: approval
  approvals:
    - specificApproverRequired: false
      requiredPermission: OWNER
    - specificApproverRequired: true
      requiredPermission: GOVERNANCE
  description: Rationale
circumstances:
  - type: columnTags
    columnTag: Discovered
```
Users with Specific Groups or Attributes
```yaml
name: Entitlement
policyKey: subscription entitlements
type: subscription
actions:
  type: entitlements
  entitlements:
    operator: any
    groups:
      - Employee
    attributes:
      - name: auth1
        value: SOMETHING_ELSE
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
  - type: columnRegex
    regex: ssn
    caseInsensitive: false
staged: false
```
Users with Specific Groups or Attributes (Advanced)
```yaml
name: Advanced Entitlement
policyKey: subscription entitlements advanced boolean
type: subscription
actions:
  type: entitlements
  # Boolean entitlement expression; the stray quote after 'Founders' in the original is removed
  advanced: "@isInGroups('Engineers', 'Founders') AND @hasAttribute('Auth1', 'Super Secret')"
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
  - type: columnRegex
    regex: ssn
    caseInsensitive: false
staged: false
```
Individual Users You Select
```yaml
name: Manual
policyKey: subscription manual
type: subscription
actions:
  type: manual
  description: Rationale
```
Data Policies
Data Owner Restrictions
```yaml
name: Owner Restricted Policy
policyKey: data owner restriction
type: data
ownerRestrictions:
  users:
    - iamid: bim
      username: user@example.com
  groups:
    - engineers
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Passport
          maskingConfig:
            type: Hash
circumstances:
  - type: columnTags
    columnTag: Discovered.Passport
```
Masking Policies
Conditional Masking
```yaml
name: Conditional Masking
policyKey: data conditional masking
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Passport
          conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
          maskingConfig:
            type: Hash
circumstanceOperator: all
circumstances:
  - type: columnTags
    columnTag: Discovered.Passport
  - type: columnTags
    columnTag: Discovered.Country
```
Conditional Masking (Using Otherwise Clause)
```yaml
name: Conditional
policyKey: data mask otherwise
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Country
          maskingConfig:
            type: "Null"
        inclusions:
          groups:
            - Employee
      - type: Masking
        exceptions:
          purposes:
            - Re-identification Prohibited
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Country
          maskingConfig:
            type: Hash
circumstances:
  - type: columnTags
    columnTag: Discovered.Country
```
With a Constant
```yaml
name: Mask with Constant
policyKey: data mask constant
type: data
actions:
  - rules:
      - type: Masking
        exceptions:
          operator: any
          attributes:
            - name: auth
              value: SOMETHING_ELSE
            - name: auth1
              value: super secret
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Country
            - type: columnTags
              columnTag: Discovered.Passport
          maskingConfig:
            type: Constant
            constant: REDACTED
circumstanceOperator: any
circumstances:
  - type: columnTags
    columnTag: Discovered.Country
  - type: columnTags
    columnTag: Discovered.Passport
```
Format Preserving Masking
```yaml
name: Format Preserving Masking
policyKey: data mask fpe
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered
          maskingConfig:
            type: Format Preserving Masking
circumstances:
  - type: columnTags
    columnTag: Discovered
```
With Hashing (No Tags)
```yaml
name: Hashing
policyKey: data mask hashing
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: noTags
          maskingConfig:
            type: Hash
circumstances:
  - type: noTags
```
K-Anonymization (Using Fingerprint)
Sample data is processed during computation of k-anonymization policies
When a k-anonymization policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that generates rules enforcing k-anonymity. The results of this query, which may contain data that is subject to regulatory constraints such as GDPR or HIPAA, are stored in Immuta's metadata database.
The location of the metadata database depends on your deployment:
- Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.
- SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.
To ensure this process does not violate your organization's data localization regulations, you need to first activate this masking policy type before you can use it in your Immuta tenant. To enable k-anonymization for your account, contact your Immuta representative.
```yaml
name: K-Anonymization Using Fingerprint on any tags
policyKey: masking kanon using fingerprint
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: anyTag
          maskingConfig:
            type: K-Anonymization
circumstances:
  - type: anyTag
```
K-Anonymization (by Specifying K)
```yaml
name: K-Anonymization using kLevel
policyKey: data mask kanon specifying k
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: anyTag
          maskingConfig:
            type: K-Anonymization
            kLevel: 5
circumstances:
  - type: anyTag
```
K-Anonymization (by Specifying Re-identification Probability)
```yaml
name: K-Anonymization using reIdProbability
policyKey: data mask kanon specifying re-id
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: anyTag
          maskingConfig:
            type: K-Anonymization
            reIdProbability: 15
circumstances:
  - type: anyTag
```
Make Null Using Column Regex
```yaml
name: Null using column regex
policyKey: data mask null
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnRegex
              regex: ssn
              caseInsensitive: true
          maskingConfig:
            type: "Null"
circumstances:
  - type: columnRegex
    regex: ssn
    caseInsensitive: true
```
Randomized Response
```yaml
name: Random Categorical
policyKey: data mask random response
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: allColumns
          maskingConfig:
            type: Randomized Response
            replacementRatePercent: 10
```
Randomized Response (by Specifying Standard Deviation)
```yaml
name: Random Numeric
policyKey: data mask random response specifying stddev
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: allColumns
          maskingConfig:
            type: Randomized Response
            stddev: 2
            clip: false
```
Using a Regex
```yaml
name: Regex
policyKey: data mask regex
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Postal Code
          maskingConfig:
            type: Regular Expression
            regex: "(\\d{4})(\\d)"
            replacement: "$1X"
            caseInsensitive: true
            global: true
circumstances:
  - type: columnTags
    columnTag: Discovered.Entity.Postal Code
```
With Reversibility
```yaml
name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Social Security Number
          maskingConfig:
            type: Reversible
        exceptions:
          groups:
            - founders
circumstances:
  - type: columnTags
    columnTag: Discovered.Entity.Social Security Number
```
Using Rounding (Date)
```yaml
name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
  - rules:
      - type: Masking
        exceptions:
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Date
          maskingConfig:
            type: Grouping
            timePrecision: MONTH
circumstances:
  - type: columnTags
    columnTag: Discovered.Entity.Date
```
Using Rounding (Using Fingerprint)
```yaml
name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Date
          maskingConfig:
            type: Grouping
circumstances:
  - type: columnTags
    columnTag: Discovered.Entity.Date
```
Using Rounding (Numeric)
```yaml
name: RoundingNumeric
policyKey: data mask round numeric
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Entity.Date
          maskingConfig:
            type: Grouping
            bucketSize: 10
circumstances:
  - type: columnTags
    columnTag: Discovered.Entity.Date
```
Minimize Data Created Between
```yaml
name: Minimize
policyKey: data minimize
type: data
actions:
  - rules:
      - type: Minimization
        config:
          percent: 15
circumstances:
  - type: time
    startDate: '2020-12-01T16:23:54.734Z'
    endDate: '2020-12-31T16:23:54.745Z'
```
Purpose Restrictions
Any Purpose
```yaml
name: Purpose
policyKey: data purpose restriction
type: data
actions:
  - rules:
      - type: Purpose Restriction
        config:
          operator: any
          purposes:
            - "<ANY PURPOSE>"
```
Purpose in Server
```yaml
name: Purpose in a specific server
policyKey: data server circumstance
type: data
actions:
  - rules:
      - type: Purpose Restriction
        config:
          purposes:
            - Re-identification Prohibited
circumstances:
  - type: server
    server: your@server.example.com:5432/tpc
```
Row-level Policy
By Time
```yaml
name: Row Level By Time
policyKey: data row-level
type: data
actions:
  - rules:
      - type: Time Restriction
        config:
          isOlderOrNewer: newer
          time: 2592000
circumstances:
  - type: tags
    tag: Discovered.Passport
```
Where User
```yaml
name: Row Level Where User
policyKey: data where user
type: data
actions:
  - rules:
      - type: Row Restriction By User Entitlements
        config:
          operator: all
          matches:
            type: group
            tag: Discovered.Entity
circumstanceOperator: ANY
circumstances:
  - type: columnTags
    columnTag: Discovered.Entity
```
Custom Where Clause
```yaml
name: Row Level Where
policyKey: data custom where
type: data
actions:
  - rules:
      - type: Row Restriction by Custom Where Clause
        config:
          predicate: "@columnTagged('Discovered.Country') in ('USA', 'CANADA', 'MEXICO')"
circumstances:
  - type: tags
    tag: Discovered.Country
```
Multiple Policies
```yaml
name: Multiple
policyKey: data multiple
type: data
actions:
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Passport
          maskingConfig:
            type: Hash
    description: 'Passport Rule'
  - rules:
      - type: Minimization
        config:
          percent: 25
    description: 'Passport Rule, also'
  - rules:
      - type: Masking
        config:
          fields:
            - type: columnTags
              columnTag: Discovered.Person Name
          maskingConfig:
            type: "Null"
    description: 'Person Name Rule'
circumstanceOperator: any
circumstances:
  - type: columnTags
    columnTag: Discovered.Passport
  - type: columnTags
    columnTag: Discovered.Person Name
```
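Before submitting any of the data-policy payloads above, a quick structural lint catches the mistakes these examples make easy to write, such as a Constant mask without its constant value, or a columnTags selector written with `tag` instead of `columnTag`. This is an added example, not Immuta's code or schema: the checks encode only the shape visible on this page, and the sample payload is a constructed copy of the "Mask with Constant" example with those two defects introduced.

```python
# Added example, not Immuta's own code or schema: a pre-submission lint for data-policy
# payloads in the shape shown on this page. Payloads are plain dicts so no YAML library is needed.
MASKING_TYPES = {"Hash", "Null", "Constant", "Format Preserving Masking", "K-Anonymization",
                 "Randomized Response", "Regular Expression", "Reversible", "Grouping"}
SELECTOR_KEYS = {"columnTags": "columnTag", "tags": "tag", "columnRegex": "regex"}

def lint_selector(sel, where):
    # A field or circumstance selector must carry the value key its type requires.
    needed = SELECTOR_KEYS.get(sel.get("type"))
    return [f"{where}: selector {sel.get('type')!r} has no '{needed}'"] if needed and not sel.get(needed) else []

def lint_rule(rule, where):
    # Masking rules need target fields and a maskingConfig type this page uses.
    problems, config = [], rule.get("config") or {}
    if rule.get("type") != "Masking":
        return problems
    fields = config.get("fields") or []
    if not fields:
        problems.append(f"{where}: masking rule has no config.fields")
    for k, field in enumerate(fields):
        problems += lint_selector(field, f"{where}.fields[{k}]")
    mconf = config.get("maskingConfig") or {}
    if mconf.get("type") not in MASKING_TYPES:
        problems.append(f"{where}: unknown maskingConfig.type {mconf.get('type')!r}")
    if mconf.get("type") == "Constant" and "constant" not in mconf:
        problems.append(f"{where}: Constant masking needs a 'constant' value")
    return problems

def lint_policy(policy):
    # Lints a data policy; returns a list of problems (an empty list means it passes).
    problems = [f"missing top-level '{k}'" for k in ("name", "policyKey", "type") if not policy.get(k)]
    actions = policy.get("actions")
    if policy.get("type") != "data" or not isinstance(actions, list) or not actions:
        return problems + ["expected type 'data' with a non-empty 'actions' list of {rules: [...]}"]
    for i, action in enumerate(actions):
        for j, rule in enumerate(action.get("rules") or []):
            problems += lint_rule(rule, f"actions[{i}].rules[{j}]")
    for c, circ in enumerate(policy.get("circumstances") or []):
        problems += lint_selector(circ, f"circumstances[{c}]")
    return problems

# Constructed sample: the "Mask with Constant" payload with its constant dropped and a wrong selector key.
BAD_CONSTANT = {
    "name": "Mask with Constant", "policyKey": "data mask constant", "type": "data",
    "actions": [{"rules": [{"type": "Masking", "config": {
        "fields": [{"type": "columnTags", "columnTag": "Discovered.Country"}],
        "maskingConfig": {"type": "Constant"}}}]}],
    "circumstances": [{"type": "columnTags", "tag": "Discovered.Country"}],
}
```

Running `lint_policy(BAD_CONSTANT)` reports both defects with their path in the payload; an empty list means the payload is structurally ready to send.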