Managing Policies Tutorial

Audience: Data Owners

Content Summary: This page outlines step-by-step instructions for building Local Policies and Restricted Global Policies in Immuta.

For information on how to create custom policy handlers, see the Advanced Guide.

Data Source Policies Tab Components

Data Owners and Governors can access the Policies tab from the Data Source Overview page. After navigating to the Policies tab, users can apply policies to the data source with the following features:

Apply Existing Policies Button: By clicking this button in the top right corner of the Policies tab, users can search for and apply existing policies to the data source from other data sources or Global Policies.
Subscription Policy Builder: In this section, users can determine who may access the data source. If a Subscription Policy has already been set by a Global Policy, a notification and a Disable button appear at the bottom of this section. Users can click the Disable button to make changes to the Subscription Policy.
Data Policy Builder: In this section, users can create policies to enforce privacy controls on the data source. A list of data policies currently applied to the data source populates here as well.

All changes made to policies by Data Owners or Governors with these features appear in an Activity panel on the right side of the screen.

Activity Panel

The information recorded in the Activity panel includes when the data source was created, the name and type of the policy, when the policy was applied or changed, and if the policy is in conflict on the data source. Additionally, Global policy changes are identified by the Governance icon; all other updates are labeled by the data sources icon.

Subscription Policies

Data Owners can easily control how subscribers can gain access to a data source through the Immuta UI.

These policies comprise four levels of restriction:

Anyone: Users are automatically granted access.
Anyone Who Asks (and is Approved): Users must request access and then be approved. This restriction supports multiple approving parties, meaning that Data Owners can allow more than one approver or users with specified permission types to approve other users who subscribe to the data source.
Users with Specific Groups/Attributes: Only users with the groups/attributes Data Owners specify will be able to see and access the data source.
Individual Users You Select: Only users Data Owners manually select will be able to see and access the data source.

To manage Subscription policies,

Navigate to the Data Source Overview tab.
Click the Policies tab in the top navigation bar.
Select the level of access restriction you would like to apply to your data source.

If you select Anyone Who Asks (and Is Approved),
1. Click anyone or an individual selected by user from the first dropdown menu in the Subscription Policy Builder.
  
  Note: If you choose an individual selected by user, when users request access to a data source they will be prompted to identify an approver with the permission specified in the policy and how they plan to use the data.
2. Select the Admin, Governance, or Audit permission from the subsequent dropdown menu.
  
  Note: You can add more than one approving party by selecting + Add and repeating steps a and b.
If you select Users with Specific Groups/Attributes,
1. Choose the condition that will drive the policy: when user is a member of a group or possesses attribute.
2. Use the subsequent dropdown to choose the group or attribute key / value pair for your condition.
  
  Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Subscription Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Click Save to finish your policy.

Subscription Policy Advanced Rules DSL

You can use the Advanced Rules DSL Builder to create more complex policies for Users with Specific Groups/Attributes than the Subscription Policy Builder allows. To begin,

Select Users with Specific Groups/Attributes, and then click Advanced Rules DSL in the top right corner of the policy builder.
Complete the Enter Rules field with the available functions and variables: @iam, @isInGroups, and @hasAttribute. When you place your cursor in this field, a tooltip appears with the functions and values you can use to build your policy.
If you would like to make your data source visible in the list of all data sources in the UI to all users, click the Allow Discovery checkbox. Otherwise, this data source will not be discoverable by users who do not meet the criteria established in the policy.
Click Save to finish your policy.

Data Policies

Inclusionary Policies

For all policies except purpose-based restriction policies, inclusionary logic allows Data Owners to vary policy actions with an Otherwise clause.

For example, Data Owners could mask values using hashing for users acting under a specified purpose while masking those same values by making null for everyone else who accesses the data.

Inclusionary Policy

This variation can be created by selecting for everyone who when available from the condition dropdown menus and then completing the Otherwise clause in the bottom half of the Policy Builder. Each section below outlines this process in detail.

Masking

If a column contains sensitive data (i.e. credit card or social security numbers), Data Owners can apply a masking policy to conceal the data in that column to users unless the user possesses an attribute, belongs to a group, or is acting under a purpose defined by the Data Owner.

Masking Policy Builder Example

To create a masking policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select mask in the first dropdown.
Select a custom masking type in the next dropdown menu: using hashing, with reversibility, by making null, using a constant, using a regex, by rounding, with format preserving masking, or with K-Anonymization.

If you select using a constant as your masking type, enter a constant in the field that appears next to the masking type dropdown:

If you choose using a regex as your masking type, enter a regular expression and replacement value in the fields that appear next to the masking type dropdown. Another dropdown will appear with possible modifiers for your regular expression. Make your regex case insensitive and/or global:

If you choose by rounding to mask a column with a numerical value, select the number to the nearest in the resulting dropdown. A field will appear for you to enter a bucket size or use the suggested bucket size, which is generated by the data fingerprint.

The example below would round the column value to the nearest 50:

If you choose by rounding to mask time-based values, the time to the nearest will autogenerate to the suggested time bucket, which is determined by the data fingerprint, in the resulting dropdown. If you click this dropdown menu, other time bucket options will appear:

If you choose with K-Anonymization (which will be available after the fingerprint service has been run on the data source) to mask columns, you can choose using fingerprint or requiring a group size of at least to auto-populate or manually select the group size, respectively.
Select your desired column in the next dropdown.
Choose the condition that will drive the policy: for or when, which allows conditional masking driven by data in the row.

If you choose for,
1. Use the next dropdown to continue the condition: everyone, everyone except, or everyone who.
2. Use the subsequent dropdown to choose the group, purpose, or attribute key / value pair for your condition.
If you choose when,
1. Enter your custom SQL clause in the next field. When you place your cursor in this field, a tool-tip appears that details valid input and the column names of your data source.
2. Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
3. Use the next field to choose the group, purpose, or attribute key / value pair for your condition.
Notes:
- If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Row Redaction

For query-backed data sources, Data Owners can restrict which rows in the data source tables are visible to which users. This redaction is done by matching values in a specific column against a user's groups, attributes, or purposes.

For similar policy mechanics in object-backed data sources, see Object-level Security.

Note: A data source cannot have more than one row redaction policy applied.

Row Redaction Policy Builder Example

To create a row redaction policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select the Only show rows action in the first dropdown.
Choose where user in the next dropdown. Note that you can also redact rows based on column values or by using a custom WHERE clause.
Choose the condition that will drive the policy in the next dropdown: is a member of a group or possesses an attribute.
Use the next field to choose the attribute, group, or purpose that you will match values against.
Use the next dropdown menu to choose the column that will drive this policy.

Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
Use the subsequent dropdown to choose the group, purpose, or attribute key / value pair for your condition.

Note: If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Minimization

Data sources may contain minimization policies that hide a specified percentage of query results from a user, based on a column with high cardinality (e.g. an employee ID number or other unique identifier), is auto-selected based on the statistics of the data fingerprint.

Minimization Policy Builder Example

To create a minimization policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select the Minimize Data Source action in the first dropdown.
In the next field, type the percentage of the data that you want to limit the data source to.
Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
Use the next field to choose the attribute, group, or purpose that you will match values against.

Notes:
- If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Object-level Security

Data Owners can use the Policy Builder to restrict access to objects (blobs) in object-backed data sources. This is done by matching values in a specific blob metadata attribute against a user's groups, attributes, or purposes.

For similar policy mechanics in query-backed data sources, see Row Redaction or Filtering Data with a Custom WHERE Clause.

Only Show Objects Policy Builder Example

To create an only show objects policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select the Only show objects action in the first dropdown.
Choose the condition that will drive the policy in the next dropdown.
Use the next field to choose the attribute, group, or purpose that you will match values against.
Use the next dropdown menu to choose the blob metadata attribute that will drive this policy.

Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
Use the next field to choose the attribute, group, or purpose that you will match values against.

Note: If you choose for everyone who as a condition, you will need to complete the Otherwise clause before continuing to the next step.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Time-based Restrictions

These policies restrict access to rows/objects/files that fall within the time restrictions set in the policy. If a data source has time-based restriction policies, queries run against the data source by a user will only return rows/blobs with a date in its event-time column/attribute from within a certain range.

This type of policy can be used for both object-backed and query-backed data sources.

Only Show Data by Time Policy Builder Example

To create a time-based policy,

Navigate to the data source and click the Policies tab.
In the Data Policies section, click Add Policy.
Select the Only show data by time action in the first dropdown menu.
In the subsequent dropdown menu, select more recent than or older than, and then complete the enter number of field.
Select MINUTES, HOURS, DAYS, or YEARS from the next dropdown menu.
Then, choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
Use the subsequent dropdown to choose is a member of group, is acting under purpose, or possesses attribute key / value pair for your condition.

Note: If you choose for everyone who as a condition, complete the Otherwise clause by before continuing to the next step. 1. Opt to complete the Enter Rationale for Policy (Optional) field. 1. Click Create, and then click Save All.

Purpose-based Restrictions

Data Owners in Immuta can restrict usage of any data source to one or more purposes. If a user wishes to run SQL queries against a purpose-restricted data source, they must use the SQL credentials provided by a project containing that purpose.

Purpose-based Restrictions Policy Builder Example

To create a purpose-based restrictions policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select Limit usage to purpose(s) in the first dropdown.
In the next field, select ANY PURPOSE or the specific purpose that you would like to restrict usage of this data source to.

Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
In the next dropdown, select for everyone or for everyone except. If you select for everyone except, you must select conditions that will drive the policy.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Differential Privacy

Data sources with Differential Privacy policies will only return results for a certain type of SQL query: aggregates, such as the COUNT and SUM functions. Users must avoid aggregate queries that are too specific; Immuta will only return differentially private results for broad aggregate queries.

Note: Differential Privacy is only available for data sources with a configured High Cardinality Column. For guidance on choosing a High Cardinality Column, see the Query-backed Data Source Tutorial.

Differential Privacy Policy Builder Example

To create a differential privacy policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select Make differentially private in the first dropdown.
Select the noise level you would like to apply to your data: small, medium, or large; these values correspond to epsilon-differential privacy, where epsilon (privacy loss) has values of 3, 2.1, and 1.4, respectively.
Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
Use the next field to choose the attribute, group, or purpose that you will match values against.

Notes:
- If you choose for everyone who as a condition, you will need to complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Filtering Data with a Custom WHERE Clause

Data Owners can apply the most fine-grained control of their data by creating a custom WHERE clause policy. Using the Policy Builder, you can type your desired SQL clause directly into the policy statement. Unlike row redaction, the policy conditions that you select need to match exactly with cells in your data source. As demonstrated in the example below, Data Owners can pair a custom WHERE clause with any condition(s) that they desire in the policy statement.

Custom WHERE Clause Policy Builder Example

To create a custom where clause policy,

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Policy.
Select Only show rows in the first dropdown.
Select where in the next dropdown.
The next field allows you to enter your custom SQL clause. When you place your cursor in this field, a tool-tip should appear that details valid input and the column names of your data source. For example, loan_amnt >= 10000.
Choose the condition that will drive the policy: for everyone, for everyone except, or for everyone who.
Use the next field to choose the attribute, group, or purpose that you will match values against.

Notes:
- If you choose for everyone who as a condition, you will need to complete the Otherwise clause before continuing to the next step.
- You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
Click Create to finish your policy.
Click Save All to apply the policy to your data source.

Copying Policies from other Data Sources

If you have created a data source that is similar to an existing data source and you would like to apply the same policies, you can quickly copy those policies from the Policy Builder.

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the upper right corner of the Policies page, click on the dropdown menu that says Apply Existing Policies.
Search for and select the data source that you would like to copy policies from. If your data source is capable of supporting these policies, they will appear in the Policy Builder. If not, you will receive an error. Be sure that the data source that you are copying policies from follows a similar structure to your current data source so that the policies remain relevant.

Adding Exemptions to a Data Source's Policies

By default, policy exemptions are disabled in Immuta. However, this can be changed via a custom deployment configuration. If policy exemptions are enabled for your Immuta instance, you can add these exemptions on a per data source basis via the Policy Builder.

Exemptions Policy Builder Example

Suppose we have a data source with many policies applied and that we want to exempt one user from all policies on the data source so that this user is able to access everything.

Navigate to the Data Source Overview tab.
Click on the Policies tab in the top navigation bar.
In the Data Policies menu, click Add Exemptions. This button will only be visible if policy exemptions have been enabled in your Immuta instance.
Type the names of the users or groups that you wish to exempt from your policies in the corresponding fields.
Click Create to finish your exemption policy.
Click Save All to apply the policy to your data source.

Advanced Functions in Data Source Policies

Immuta offers several custom PostgreSQL functions for advanced data source policy logic. You can learn about these functions here.

Data Policy Advanced Rules DSL

You can use the Advanced Rules DSL Builder for masking and row redaction policies. For details about this feature, see the Advanced Data Policy Builder page.

Restricted Global Policies

Data Owners who are not Governors can write two types of Restricted Global Policies on the Policies page: Subscription and Data Policies.

Restricted Global Subscription Policies

To write a Restricted Global Subscription Policy,

Click the Policies icon in the left sidebar and navigate to the Subscription Policies tab.
Click Add Policy, complete the Enter Name field, and then select the level of access restriction you would like to apply to your data source.

If you select Allow anyone,
1. Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
  - tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
  - in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
  - created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
If you select Allow anyone who asks (and is approved),
1. Click anyone or an individual selected by user from the first dropdown menu in the Subscription Policy Builder.
  
  Note: If you choose an individual selected by user, when users request access to a data source they will be prompted to identify an approver with the permission specified in the policy and how they plan to use the data.
2. Select the Owner (of the data source), User_Admin, Governance, or Audit permission from the subsequent dropdown menu.
```
*Note: You can add more than one approving party by selecting **+ Add**.*
```
1. From the Where should this policy be applied dropdown menu, select When selected by data owners, On all data sources, or On data sources. If you selected On data sources, finish the condition in one of the following ways:
  - tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
  - in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
  - created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
If you select Allow users with specific groups/attributes,
1. Choose the condition that will drive the policy: when user is a member of a group or possesses attribute.
2. Use the subsequent dropdown to choose the group or attribute key / value pair for your condition.
3. If you would like to make your data source visible in the list of all data sources in the UI to all users, click the Allow Discovery checkbox. Otherwise, this data source will not be discoverable by users who do not meet the criteria established in the policy.
  
  Note: You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Subscription Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
4. Select When selected by data owners or On data sources from the Where should this policy be applied? dropdown menu. If you selected On data sources, finish the condition in one of the following ways:
  - tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
  - in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
  - created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
Alternatively, you can use the Advanced Rules DSL to create more complex policies than the Subscription Policy Builder allows. To begin,
1. Click Advanced Rules DSL in the top right corner of the policy builder.
2. Complete the Enter Rules field with the available functions and variables: @iam, @isInGroups, and @hasAttribute. When you place your cursor in this field, a tooltip appears with the functions and values you can use to build your policy.
3. Select When selected by data owners or On data sources from the Where should this policy be applied? dropdown menu. If you selected On data sources, finish the condition in one of the following ways:
  - tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
  - in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
  - created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
If you select Allow individually selected users,
1. Click the dropdown menu beneath Where should this policy be applied, and select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:
  - tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
  - with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
  - in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
  - created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
Beneath Whose Data Sources should this policy be restricted to?, add users or groups to the policy restriction by typing in the text fields and selecting from the dropdown menus that appear.
Opt to complete the Enter Rationale for Policy (Optional) field, and then click Create to save the policy.

Restricted Global Data Policies

To write a Restricted Global Data Policy,

Click the Policies icon in the left sidebar and navigate to the Data Policies tab.
Click Add Policy, complete the Enter Name field, and then build the data policy following these instructions above.
Opt to complete the Enter Rationale for Policy (Optional) field and click Add.
Where should this policy be applied, choose When selected by data owners, On all data sources, or On data sources and complete the condition using the subsequent dropdown menus (when applicable).
Beneath Whose Data Sources should this policy be restricted to, add users or groups to the policy restriction by typing in the text fields and selecting from the dropdown menus that appear.
Click Create to save the policy.

HIPAA Safe Harbor Policy Certification

After the HIPAA Safe Harbor policy is applied to your data source, you will receive a notification indicating that you need to certify the policy.

To certify the policy,

Navigate to the Policies tab of the affected data source, and review the HIPAA Safe Harbor policy in the Data Policies section.
Click the Certify Policy icon in the top right corner of the policy.
In the Policy Certification modal, click Sign and Certify.