Create Policies API Examples
Audience: Data Engineers
Content Summary: This page contains example request payloads for creating policies.
Subscription Policies
Anyone Can Subscribe
name: Anyone
policyKey: subscription anyone
type: subscription
actions:
  type: anyone
  automaticSubscription: false
  description: Rationale
circumstances:
- type: tags
  tag: Discovered
Anyone Can Subscribe When Approved
name: Approval
policyKey: subscription approval
type: subscription
actions:
  type: approval
  approvals:
  - specificApproverRequired: false
    requiredPermission: OWNER
  - specificApproverRequired: true
    requiredPermission: GOVERNANCE
  description: Rationale
circumstances:
- type: columnTags
  columnTag: Discovered
Users with Specific Groups or Attributes
name: Entitlement
policyKey: subscription entitlements
type: subscription
actions:
  type: entitlements
  entitlements:
    operator: any
    groups:
    - Employee
    attributes:
    - name: auth1
      value: SOMETHING_ELSE
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false
Users with Specific Groups or Attributes (Advanced)
name: Advanced Entitlement
policyKey: subscription entitlements advanced boolean
type: subscription
actions:
  type: entitlements
  advanced: "@isInGroups('Engineers', 'Founders') AND @hasAttribute('Auth1', 'Super Secret')"
  automaticSubscription: true
  allowDiscovery: false
  description: Some description here
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: false
staged: false
Individual Users You Select
name: Manual
policyKey: subscription manual
type: subscription
actions:
  type: manual
  description: Rationale
Data Policies
Data Owner Restrictions
name: Owner Restricted Policy
policyKey: data owner restriction
type: data
ownerRestrictions:
  users:
  - iamid: bim
    username: user@example.com
  groups:
  - engineers
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.PII
Masking Policies
Conditional Masking
name: Conditional Masking
policyKey: data conditional masking
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      conditionalPredicate: "@columnTagged('Discovered.Country') = 'USA'"
      maskingConfig:
        type: Hash
circumstanceOperator: all
circumstances:
- type: columnTags
  columnTag: Discovered.PII
- type: columnTags
  columnTag: Discovered.Country
Conditional Masking (Using Otherwise Clause)
name: Conditional
policyKey: data mask otherwise
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: "Null"
    inclusions:
      groups:
      - Employee
  - type: Masking
    exceptions:
      purposes:
      - Re-identification Prohibited
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      maskingConfig:
        type: Hash
circumstances:
- type: columnTags
  columnTag: Discovered.Country
With a Constant
name: Mask with Constant
policyKey: data mask constant
type: data
actions:
- rules:
  - type: Masking
    exceptions:
      operator: any
      attributes:
      - name: auth
        value: SOMETHING_ELSE
      - name: auth1
        value: super secret
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Country
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Constant
        constant: REDACTED
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.Country
- type: columnTags
  columnTag: Discovered.PII
Format Preserving Masking
name: Format Preserving Masking
policyKey: data mask fpe
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered
      maskingConfig:
        type: Format Preserving Masking
circumstances:
- type: columnTags
  columnTag: Discovered
With Hashing (No Tags)
name: Hashing
policyKey: data mask hashing
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: noTags
      maskingConfig:
        type: Hash
circumstances:
- type: noTags
K-Anonymization (Using Fingerprint)
name: K-Anonymization Using Fingerprint on any tags
policyKey: masking kanon using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
circumstances:
- type: anyTag
K-Anonymization (by Specifying K)
name: K-Anonymization using kLevel
policyKey: data mask kanon specifying k
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        kLevel: 5
circumstances:
- type: anyTag
K-Anonymization (by Specifying Re-identification Probability)
name: K-Anonymization using reIdProbability
policyKey: data mask kanon specifying re-id
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: anyTag
      maskingConfig:
        type: K-Anonymization
        reIdProbability: 15
circumstances:
- type: anyTag
Make Null Using Column Regex
name: Null using column regex
policyKey: data mask null
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnRegex
        regex: ssn
        caseInsensitive: true
      maskingConfig:
        type: "Null"
circumstances:
- type: columnRegex
  regex: ssn
  caseInsensitive: true
Randomized Response
name: Random Categorical
policyKey: data mask random response
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        replacementRatePercent: 10
Randomized Response (by Specifying Standard Deviation)
name: Random Numeric
policyKey: data mask random response specifying stddev
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: allColumns
      maskingConfig:
        type: Randomized Response
        stddev: 2
        clip: false
Using a Regex
name: Regex
policyKey: data mask regex
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Postal Code
      maskingConfig:
        type: Regular Expression
        regex: "(\\d{4})(\\d)"
        replacement: "$1X"
        caseInsensitive: true
        global: true
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Postal Code
With Reversibility
name: Mask using Reversible
policyKey: data mask reversible
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Social Security Number
      maskingConfig:
        type: Reversible
    exceptions:
      groups:
      - founders
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Social Security Number
Using Rounding (Date)
name: RoundingDate
policyKey: data mask rounding by date
type: data
actions:
- rules:
  - type: Masking
    exceptions:
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        timePrecision: MONTH
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date
Using Rounding (Using Fingerprint)
name: RoundingFingerprint
policyKey: data mask round using fingerprint
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date
Using Rounding (Numeric)
name: RoundingNumeric
policyKey: data mask round numeric
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.Entity.Date
      maskingConfig:
        type: Grouping
        bucketSize: 10
circumstances:
- type: columnTags
  columnTag: Discovered.Entity.Date
Minimize Data Created Between
name: Minimize
policyKey: data minimize
type: data
actions:
- rules:
  - type: Minimization
    config:
      percent: 15
circumstances:
- type: time
  startDate: '2020-12-01T16:23:54.734Z'
  endDate: '2020-12-31T16:23:54.745Z'
Purpose Restrictions
Any Purpose
name: Purpose
policyKey: data purpose restriction
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
      operator: any
      purposes:
      - "<ANY PURPOSE>"
Purpose in Server
name: Purpose in a specific server
policyKey: data server circumstance
type: data
actions:
- rules:
  - type: Purpose Restriction
    config:
      purposes:
      - Re-identification Prohibited
circumstances:
- type: server
  server: your@server.example.com:5432/tpc
Row Redaction
By Time
name: Row Level By Time
policyKey: data row-level
type: data
actions:
- rules:
  - type: Time Restriction
    config:
      isOlderOrNewer: newer
      time: 2592000
circumstances:
- type: tags
  tag: Discovered.PCI
Where User
name: Row Level Where User
policyKey: data where user
type: data
actions:
- rules:
  - type: Row Restriction By User Entitlements
    config:
      operator: all
      matches:
        type: group
        tag: Discovered.Entity
circumstanceOperator: ANY
circumstances:
- type: columnTags
  columnTag: Discovered.Entity
Custom Where Clause
name: Row Level Where
policyKey: data custom where
type: data
actions:
- rules:
  - type: Row Restriction by Custom Where Clause
    config:
      predicate: "@columnTagged('Discovered.Country') in ('USA', 'CANADA', 'MEXICO')"
circumstances:
- type: tags
  tag: Discovered.Country
Multiple Policies
name: Multiple
policyKey: data multiple
type: data
actions:
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PII
      maskingConfig:
        type: Hash
  description: 'PII Rule'
- rules:
  - type: Minimization
    config:
      percent: 25
  description: 'PII Rule, also'
- rules:
  - type: Masking
    config:
      fields:
      - type: columnTags
        columnTag: Discovered.PHI
      maskingConfig:
        type: "Null"
  description: 'PHI Rule'
circumstanceOperator: any
circumstances:
- type: columnTags
  columnTag: Discovered.PII
- type: columnTags
  columnTag: Discovered.PHI