Policy Configuration Templates¶
Access Policy¶
API Path Access¶
The provided template defines an access policy for REST APIs within DataOS. The sample given below authorizes users carrying the dataos:u:user tag to execute the GET, POST, PUT and OPTIONS predicates on the designated API path, /city/api/v1. Customize the template by replacing the placeholder values with the details required for your use case.
name: {{access-policy-api-path}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: {{allow user to access rest apis}}
layer: system
policy:
  access:
    subjects:
      tags:
        - - {{dataos:u:user}}
    predicates:
      - {{get}}
      - {{post}}
      - {{put}}
      - {{options}}
    objects:
      paths:
        - {{/city/api/v1}}
    allow: {{true}}
Dataset Access¶
The provided template defines an access policy for a dataset stored within a Depot. The sample given below authorizes users carrying the roles:id:healthcaredatauser tag to execute the READ predicate on the dataset stored at the UDL address dataos://icebase:test_healthcare/patients. Customize the template by replacing the placeholder values with the details required for your use case.
name: {{test-access-healthcaredata}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
description: {{policy allowing users to read healthcare data.}}
layer: user
policy:
  access:
    subjects:
      tags:
        - - {{roles:id:healthcaredatauser}}
    predicates:
      - {{read}}
    objects:
      paths:
        - {{dataos://icebase:test_healthcare/patients}}
    allow: {{true}}
Collection Access¶
The provided template defines an access policy for a Collection within a Depot. The sample given below authorizes users carrying the dataos:u:people-DW:user tag to execute the READ predicate on the collection stored at the UDL address dataos://icebase:people_dw/* (the trailing * matches every dataset in the collection). Customize the template by replacing the placeholder values with the details required for your use case.
name: {{people-dw-access-policy}}
version: v1
type: policy
layer: user
description: {{Policy allows users having people-DW:user tag to read data from people_dw collection}}
policy:
  access:
    subjects:
      tags:
        - {{dataos:u:people-DW:user}}
    predicates:
      - {{read}}
    objects:
      paths:
        - {{dataos://icebase:people_dw/*}}
    allow: {{true}}
Deny All Predicates on Dataset by Tag¶
The provided template defines a policy that denies access to a dataset stored within a Depot. The sample given below denies users carrying the roles:id:tag:selective-restricted-access tag from executing any predicate (the '**' wildcard) on the dataset stored at the UDL address dataos://icebase:test/customer_test. Customize the template by replacing the placeholder values with the details required for your use case.
name: {{deny-schema-policy}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
description: {{policy denying users to access a dataset}}
layer: user
policy:
  access:
    subjects:
      tags:
        - - {{roles:id:tag:selective-restricted-access}}
    predicates:
      - {{'**'}}
    objects:
      paths:
        - {{dataos://icebase:test/customer_test}}
    allow: {{false}}
Collection Access by Regex-Filtered Tags¶
The provided template defines a policy that denies access to a collection stored within a Depot, selecting subjects by a tag pattern rather than an exact tag. The sample given below denies users whose tags match roles:id:** or users:id:** from executing the listed predicates (create, read, write, put, update, delete and post) on everything under the UDL address dataos://icebase:spend_analysis/**. The allow: false setting is what makes this a deny policy; the same template with allow: true would grant those predicates instead. Customize the template by replacing the placeholder values with the details required for your use case.
name: {{test-phi-deny-access}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
description: {{policy denying access to all users}}
layer: user
policy:
  access:
    subjects:
      tags:
        - - {{roles:id:**}}
        - - {{users:id:**}}
    predicates:
      - {{create}}
      - {{read}}
      - {{write}}
      - {{put}}
      - {{update}}
      - {{delete}}
      - {{post}}
    objects:
      paths:
        - {{dataos://icebase:spend_analysis/**}}
    allow: {{false}}
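Every access template above ends with the same instruction: replace the placeholders before applying it. The following script is an added example, not part of DataOS or this page's templates. It scans a policy file for `{{...}}` placeholders that were left in place and, because the deny templates above rely on the `'**'` predicate wildcard and on `:**` tag patterns, flags the two combinations a reviewer should look at before an allow policy goes live: a `'**'` predicate or a `:**` subject tag together with `allow: true`. The scan is line-based and heuristic (it does not parse YAML), and the two embedded policies are constructed copies for demonstration.

```python
"""Added pre-flight check for access policy templates (not DataOS code).

Finds {{placeholders}} that were not replaced and flags broad grants:
a '**' predicate or a ':**' subject tag combined with allow: true.
Line-based heuristic scan; it complements the platform's own validation.
"""
import re

PLACEHOLDER = re.compile(r"\{\{.*?\}\}")
ALLOW = re.compile(r"^\s*allow:\s*(\S+)\s*$")
# a bare '**' list item (the page's "any predicate" value), quoted or not,
# as a plain item (- '**') or as a nested list item (- - '**')
WILDCARD_ITEM = re.compile(r"^\s*-\s*(?:-\s*)?'?\*\*'?\s*$")
# a subject tag ending in ':**', for example roles:id:**
BROAD_TAG = re.compile(r"^\s*-\s*(?:-\s*)?'?[\w:.-]+:\*\*'?\s*$")


def unresolved_placeholders(text):
    """Return (line number, placeholder) for every {{...}} still present."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in PLACEHOLDER.finditer(line)]


def lint_access_policy(text):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = [f"line {n}: unresolved placeholder {p}"
                for n, p in unresolved_placeholders(text)]
    allow = None
    wildcard_predicate = broad_subject = False
    for n, line in enumerate(text.splitlines(), 1):
        m = ALLOW.match(line)
        if m:
            allow = m.group(1)
            if allow not in ("true", "false") and not PLACEHOLDER.fullmatch(allow):
                findings.append(f"line {n}: allow must be true or false, got {allow!r}")
        if WILDCARD_ITEM.match(line):
            wildcard_predicate = True
        if BROAD_TAG.match(line):
            broad_subject = True
    if allow is None:
        findings.append("no allow: key found")
    if allow == "true" and wildcard_predicate:
        findings.append("allow: true with a '**' predicate grants every operation on the listed paths")
    if allow == "true" and a_broad(broad_subject):
        findings.append("allow: true with a ':**' subject tag matches every user under that tag prefix")
    return findings


def a_broad(flag):
    """Tiny helper kept separate so the broad-subject rule can be extended."""
    return flag


# Constructed, already filled-in copy of the "Deny All Predicates" template
FILLED_DENY = """\
name: deny-schema-policy
version: v1
type: policy
tags:
  - dataos:type:resource
description: policy denying users to access a dataset
layer: user
policy:
  access:
    subjects:
      tags:
        - - roles:id:tag:selective-restricted-access
    predicates:
      - '**'
    objects:
      paths:
        - dataos://icebase:test/customer_test
    allow: false
"""

# Constructed allow policy with one placeholder left and two broad matches
RISKY_ALLOW = """\
name: wide-open-policy
version: v1
type: policy
tags:
  - dataos:type:resource
description: {{describe this policy}}
layer: user
policy:
  access:
    subjects:
      tags:
        - - roles:id:**
    predicates:
      - '**'
    objects:
      paths:
        - dataos://icebase:test/customer_test
    allow: true
"""

if __name__ == "__main__":
    for name, doc in (("FILLED_DENY", FILLED_DENY), ("RISKY_ALLOW", RISKY_ALLOW)):
        print(name, lint_access_policy(doc) or ["ok"])
```

Run it against a policy file with `lint_access_policy(open("policy.yaml").read())`; the deny copy produces no findings because a wildcard predicate under `allow: false` only widens the denial, while the allow copy reports the leftover placeholder and both broad matches.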
Data Policy¶
Masking Policy¶
Note
Certain predefined tags such as pii.dateofbirth, pii.age and pii.location already have default policies created for them, each assigned a priority of 99. These policies are not applied automatically: they take effect only once the corresponding tag is applied to a column, at which point the associated default policy (for example, bucketing or masking logic) is enforced on that column.
For more information, refer to the How to implement masking policy guide.
Bucketing Age¶
name: {{agephi}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
description: >-
  {{An age bucket is formed by grouping the ages together. Based on defined age
  buckets, the age of individuals is redacted and anonymized. If an individual’s
  age falls under a defined bucket, it is replaced with the lowest value of the
  bucket.}}
owner: {{dataos-manager}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      bucket_number:
        buckets:
          - {{5}}
          - {{12}}
          - {{18}}
          - {{25}}
          - {{45}}
          - {{60}}
          - {{70}}
      operator: bucket_number
    selector:
      column:
        tags:
          - {{PHI.Age}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
Bucketing Income¶
name: {{income}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
  - {{dataos:resource:policy}}
description: >-
  Incomes are grouped into buckets to represent different income ranges. An
  individual's income is redacted and anonymized with the lowest value in the
  bucket.
owner: {{dataos-manager}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      bucket_number:
        buckets:
          - {{1000}}
          - {{2000}}
          - {{5000}}
          - {{10000}}
          - {{50000}}
          - {{100000}}
          - {{200000}}
          - {{500000}}
      operator: bucket_number
    selector:
      column:
        tags:
          - {{PII.Income}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
Bucketing Date¶
1. Bucket Date with month precision
name: {{date-of-birth}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
  - {{dataos:resource:policy}}
  - {{dataos:layer:user}}
description: >-
  {{Groups dates of birth into buckets at the chosen precision (hour, day,
  week or month). By replacing the date of birth with the bucket's lower
  value, an individual's exact date of birth is hidden.}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{99}}
    type: mask
    mask:
      bucket_date:
        precision: {{month}}
      operator: bucket_date
    selector:
      column:
        tags:
          - {{PII.DateOfBirth}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
2. Bucket Date with week precision
name: {{date-of-birth}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
  - {{dataos:resource:policy}}
  - {{dataos:layer:user}}
description: >-
  {{Groups dates of birth into buckets at the chosen precision (hour, day,
  week or month). By replacing the date of birth with the bucket's lower
  value, an individual's exact date of birth is hidden.}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{99}}
    type: mask
    mask:
      bucket_date:
        precision: {{week}}
      operator: bucket_date
    selector:
      column:
        tags:
          - {{PII.DateOfBirth}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
Hashing¶
1. Hashing Email
name: {{email}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:layer:user}}
description: >-
  {{Masks an individual’s email address by replacing it with a generated hash
  against the value.}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{98}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: hash
    selector:
      column:
        tags:
          - {{PII.Email}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
2. Hashing Name
name: {{name}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
description: >-
  {{Masks an individual’s name by replacing it with a generated hash against the
  value.}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: hash
    selector:
      column:
        tags:
          - {{PII.Name}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
3. Hashing Sensitive Information
name: {{pii-hash}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: {{default data policy to hash any column tagged with fingerprint pii}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: hash
    selector:
      column:
        tags:
          - {{PII.Sensitive}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
4. Hashing Health-related Sensitive Information
name: {{test-phi-mask}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
description: {{data policy to hash PHI columns by tags}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    dataset: {{patients}}
    collection: {{test_healthcare}}
    depot: {{icebase}}
    priority: {{40}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: hash
    selector:
      column:
        tags:
          - {{PHI.sensitive}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:healthcaredatauser}}
Redact¶
1. Redacting Gender
name: {{gender}}
version: v1
type: policy
tags:
  - {{dataos:layer:user}}
description: >-
  {{The gender of all individuals is redacted and replaced with a constant value
  ‘REDACTED’}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{97}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: redact
    selector:
      column:
        tags:
          - {{PII.Gender}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
2. Redacting Location
name: {{location}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: >-
  {{The location of all individuals is redacted and replaced with a constant value
  ‘REDACTED’. Location can be classified as an individual’s address, zip code,
  state, or country.}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: redact
    selector:
      column:
        tags:
          - {{PII.Location}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
3. Redacting Columns by Tag
name: {{test-phi-redact}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: {{data policy to redact PHI columns by tags}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    dataset: {{patients}}
    collection: {{test_healthcare}}
    depot: {{icebase}}
    priority: {{40}}
    type: mask
    mask:
      hash:
        algo: {{sha256}}
      operator: redact
    selector:
      column:
        tags:
          - {{PHI.int_sensitive}}
          - {{PHI.confidential}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:healthcaredatauser}}
Random Pattern¶
Mapping Random Values to a Social Security Number Format
name: {{social-security-number}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: >-
  {{By replacing an individual's Personal ID number with a random string of the
  same length, it masks their identity. The column data type is preserved.}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      operator: rand_pattern
      rand_pattern:
        pattern: {{'####-###-####-##'}}
    selector:
      column:
        tags:
          - {{PII.SocialSecurityNumber}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
Regex Replace¶
1. Replace the last five characters of a phone number
name: {{phone-number}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: >-
  {{Replaces the last five characters of an individual’s phone number with ‘xxxxx’ to
  mask the contact information}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{100}}
    type: mask
    mask:
      operator: regex_replace
      regex_replace:
        pattern: {{.{5}$}}
        replacement: {{xxxxx}}
    selector:
      column:
        tags:
          - {{PII.PhoneNumber}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:user}}
2. Replace every digit of a phone number with a regex replace pattern
name: {{policy-test-regex-replace}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: {{mask policy on a column using regex_replace operator}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    dataset: {{sample_driver}}
    collection: {{data_uber}}
    depot: {{icebase}}
    priority: {{90}}
    type: mask
    mask:
      operator: regex_replace
      regex_replace:
        pattern: {{'[0-9]'}}
        replacement: {{'#'}}
    selector:
      column:
        names:
          - {{d_ph_n}}
      user:
        match: {{any}}
        tags:
          - {{users:id:iamgroot}}
3. Masking All Digits Except the Last Four
name: {{test-phi-regex-replace-cc}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
description: {{Masking for credit card info}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    dataset: {{patients}}
    collection: {{test_healthcare}}
    depot: {{icebase}}
    priority: {{40}}
    type: mask
    mask:
      operator: regex_replace
      regex_replace:
        pattern: {{'[0-9](?=.*.{4})'}}
        replacement: {{'#'}}
    selector:
      column:
        tags:
          - {{PHI.ccn}}
      user:
        match: {{all}}
        tags:
          - {{roles:id:healthcaredatauser}}
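A masking template is hard to review from the YAML alone, because the interesting question is what a cell actually looks like after the operator runs. The script below is an added example, not DataOS code and not from this page: it applies the behaviour described in the Bucketing, Hashing, Redact, Random Pattern and Regex Replace sections above (lowest bucket value, sha256 digest, the constant REDACTED, random digits for a pattern, and the two regex substitutions) to a constructed sample row, so the effect of each template can be previewed before the policy is deployed. Where the page leaves a detail open the code takes an assumption and says so inline: buckets are half-open ranges with values below the first boundary mapped to 0, weeks start on Monday, and '#' is the digit placeholder in rand_pattern.

```python
"""Constructed preview of the mask operators used in the templates above.

Added illustration, not DataOS code. Assumptions marked inline: half-open
buckets with sub-minimum values mapped to 0, ISO weeks (Monday start),
and '#' as the digit placeholder for rand_pattern.
"""
import hashlib
import random
import re
from bisect import bisect_right
from datetime import datetime, timedelta

REDACTED = "REDACTED"  # the constant the Redact templates describe

# Bucket boundaries copied from the Bucketing Age / Bucketing Income templates
AGE_BUCKETS = [5, 12, 18, 25, 45, 60, 70]
INCOME_BUCKETS = [1000, 2000, 5000, 10000, 50000, 100000, 200000, 500000]

# Patterns copied from the Regex Replace templates
LAST_FIVE = (r".{5}$", "xxxxx")
ALL_DIGITS = (r"[0-9]", "#")
ALL_BUT_LAST_FOUR = (r"[0-9](?=.*.{4})", "#")


def bucket_number(value, buckets):
    """Replace value with the lowest value of the bucket it falls in.

    Assumption: bucket i covers [buckets[i], buckets[i+1]); a value below the
    first boundary maps to 0, a value at or above the last boundary maps to it.
    """
    idx = bisect_right(buckets, value) - 1
    return buckets[idx] if idx >= 0 else 0


def bucket_date(dt, precision):
    """Replace a datetime (or ISO string) with the lower bound of its bucket.

    Assumption: weeks start on Monday, which is what datetime.weekday() uses.
    """
    if isinstance(dt, str):
        dt = datetime.fromisoformat(dt)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if precision == "hour":
        return dt.replace(minute=0, second=0, microsecond=0)
    if precision == "day":
        return day
    if precision == "week":
        return day - timedelta(days=day.weekday())
    if precision == "month":
        return day.replace(day=1)
    raise ValueError(f"unsupported precision {precision!r}")


def hash_value(value, algo="sha256"):
    """Hash operator: the cell becomes the hex digest of its value."""
    return hashlib.new(algo, str(value).encode("utf-8")).hexdigest()


def redact(_value):
    """Redact operator: every cell becomes the constant REDACTED."""
    return REDACTED


def rand_pattern(pattern, rng=None):
    """rand_pattern operator: each '#' becomes a random digit (assumption);
    every other character of the pattern is kept, so the shape is preserved."""
    if rng is None:
        rng = random.SystemRandom()
    return "".join(str(rng.randrange(10)) if ch == "#" else ch for ch in pattern)


def regex_replace(value, pattern, replacement):
    """regex_replace operator: substitute every match in the cell value."""
    return re.sub(pattern, replacement, str(value))


# Constructed sample row, not real data
SAMPLE_ROW = {"age": 33, "income": 72000, "dob": "1990-05-17T13:45:00",
              "email": "alice@example.com", "gender": "F",
              "phone": "9876543210", "ccn": "4111 1111 1111 1234"}


def preview_row(row):
    """Apply the template masks to one row and return the masked values."""
    return {
        "age": bucket_number(row["age"], AGE_BUCKETS),
        "income": bucket_number(row["income"], INCOME_BUCKETS),
        "dob_month": bucket_date(row["dob"], "month").isoformat(),
        "dob_week": bucket_date(row["dob"], "week").isoformat(),
        "email": hash_value(row["email"]),
        "gender": redact(row["gender"]),
        "ssn": rand_pattern("####-###-####-##"),
        "phone": regex_replace(row["phone"], *LAST_FIVE),
        "ccn": regex_replace(row["ccn"], *ALL_BUT_LAST_FOUR),
    }


if __name__ == "__main__":
    for key, masked in preview_row(SAMPLE_ROW).items():
        print(f"{key:>10}: {masked}")
```

The credit card pattern is worth reading closely: `[0-9](?=.*.{4})` masks a digit only when at least four characters follow it, so `4111 1111 1111 1234` becomes `#### #### #### 1234` while the spaces are untouched. Note also that the phone pattern `.{5}$` counts characters, not digits, so a value with trailing whitespace or an extension suffix loses five characters of whatever is last.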
Pass Through¶
name: {{pii-reader}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
  - {{dataos:resource:policy}}
  - {{dataos:layer:user}}
description: >-
  {{default data policy to allow access to the value of columns tagged with
  fingerprint pii if they are pii-readers}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    priority: {{90}}
    type: mask
    mask:
      operator: pass_through
    selector:
      column:
        tags:
          - {{PII.Sensitive}}
      user:
        match: {{any}}
        tags:
          - {{roles:id:pii-reader}}
Filtering Policy¶
name: {{filter-to-florida}}
version: v1
type: policy
tags:
  - {{dataos:type:resource}}
  - {{dataos:type:cluster-resource}}
  - {{dataos:resource:policy}}
  - {{dataos:layer:user}}
description: {{data policy to filter just FL data}}
owner: {{iamgroot}}
layer: user
policy:
  data:
    dataset_id: {{icebase.retail.customer}}
    priority: {{10}}
    type: filter
    filters:
      - column: {{vehicle_id}}
        value: {{FL}}
    selector:
      user:
        match: {{any}}
        tags:
          - - {{users:**}}
          - - {{roles:**}}