Skip to content

You are viewing documentation for Immuta version 2022.5.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Write a Global Data Policy

Use Case

Compliance Requirement: Redact all personal information for everyone except when running queries in Test and Prod.

For this organization's purposes, they should write a Global Policy that masks all personal information, except for system accounts running queries in Test and Prod. To do so, they will use the tags and attributes created in Chapter 2 to build their Global Data Policy. The steps below use this scenario to illustrate the policy, but other policy builder options are noted throughout the tutorial.

1 - Create a Global Data Policy

Best Practice: Write Global Policies

Build Global Policies with tags instead of writing Local Policies to manage data access. This practice will prevent you from having to write/re-write single policies for every data source added to Immuta.

  1. Click the Policies page icon in the left sidebar and select the Data Policies tab at the top of this page.
  2. Click Add Policy, enter a name for your policy, and then select Mask from the first dropdown menu.

    Select Mask

  3. Select columns tagged and then select PII from the subsequent dropdown menu. Additional options include columns with any tag, columns with no tags, all columns, or columns with names spelled like.

    Select Columns Tagged

  4. Select using hashing from the next dropdown menu. Additional custom masking types include with reversibility, by making null, using a constant, using a regex, by rounding, with format preserving masking, with K-Anonymization, using randomized response, or using the custom function. Click on the tabs below to view specific instructions for these masking policies:

    using a constant

    Enter a constant in the field that appears next to the masking type dropdown:

    Masking Policy Enter Constant

    by rounding

    1. Select using fingerprint or specifying the bucket from the subsequent dropdown menu.
    2. If specifying the bucket, select the Bucket Type and then enter the bucket size.

      Specify Bucket

    Note: If you choose by rounding as your masking type, the statistics of the data fingerprint will autogenerate the bucket size when the policy is applied to a data source.

    using a regex

    1. Enter a regular expression and replacement value in the fields that appear next to the masking type dropdown.
    2. From the next dropdown, choose to make the regex Case Insensitive and/or Global.

      Masking Policy Regex

    with K-Anonymization

    Select either using fingerprint or requiring group size of at least and enter a group size in the subsequent dropdown menu.

    using the custom function

    Enter the custom function native to the underlying database.

    Note: The function must be valid for the data type of the column. If it is not, the default masking type will be applied to the column.

    Select Hashing

  5. Select everyone except from the next dropdown menu to continue the condition. Additional options include everyone and everyone who.

    Everyone Except

  6. In the subsequent dropdown menus, choose possesses attribute and select Environment dev, or, and Environment prod. You could also use group or purpose to complete a condition.


    • If you choose for everyone who as a condition, complete the Otherwise clause before continuing to the next step.

    • You can add more than one condition by selecting + ADD. The dropdown menu in the far right of the Policy Builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.

    Possesses Attribute

  7. Opt to complete the Enter Rationale for Policy (Optional) field, and then click Add.

    Global Data Policy

  8. The dropdown menu beneath Where should this policy be applied should already be complete. However, you have the option to select On all data sources or On data sources. If you selected On data sources, finish the condition in one of the following ways:


    Select this option and then search for tags in the subsequent dropdown menu.

    with columns tagged

    Select this option and then search for tags in the subsequent dropdown menu.

    with column names spelled like

    Select this option, and then enter a regex and choose a modifier in the subsequent fields.

    in server

    Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.

    created between

    Select this option and then choose a start date and an end date in the subsequent dropdown menus.

  9. Click Create Policy, and then click Activate Policy or Stage Policy.

    Activate Policy

2 - Create a Custom Certification

This step is optional, but Data Governors can add certifications that outline acknowledgements or require approvals from Data Owners. For example, Data Governors could add a custom certification that states that Data Owners must verify that tags have been added correctly to their data sources before certifying the policy.

  1. Click Add Certification in the top right corner of the Data Policy Builder.

    Add Certification

  2. Enter a Certification Label and Certification Text in the corresponding fields of the dialog that appears.

    Custom Certification Dialog

  3. Click Save.


Now that this Global Policy is active, users with the attribute will see redacted data and users with the attributes Environment.test or will see all the data:

Dev User

Dev Results

Test User

Test Results

Prod User

Prod Results