# Permission Policy API

The operations shown here are used to set, list, or update your permissions policies through the Treasure Data REST API. You might not see the same behavior if your administrator has not enabled granular permissions for authentication. Contact your Customer Support Engineer to upgrade to the latest version.

## GET /v3/access_control/policies

Retrieves a list of policies.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/policies` | Gets a list of policies |

### Request Body

| **Property Name** | **Value** | **Description** |
| --- | --- | --- |
| policy | object | Name of the policy |

### Sample Response

Status: 200 OK

```json
[
  {
    "id": 67,
    "account_id": 123,
    "name": "some_policy",
    "description": "written about the policy",
    "user_count": 3
  }
]
```

## POST /v3/access_control/policies

Creates a policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| POST | `/v3/access_control/policies` | Creates a policy |

**URI Parameters**

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy` | Yes | object | Example: `{"policy": { "name": "name of policy", "description": "Description of policy" } }` |
| `name` | Yes | string | Policy's name |
| `description` | | string | Policy's description |

### Sample Request

```json
{
  "policy": {
    "name": "some_policy",
    "description": "written about the policy"
  }
}
```

#### Sample Response

Status: 200 OK

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## GET /v3/access_control/policies/:policy_id

Retrieve information about a policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/policies/:policy_id` | Gets a specific policy |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | Integer | AccessControlPolicyId. Example: `67` |

#### Sample Response

Status: 200 OK

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## PATCH /v3/access_control/policies/:policy_id

Update information related to a policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/policies/:policy_id` | Updates a specific policy |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | Integer | AccessControlPolicyId. Example: `67` |
| `policy` | Yes | Object | TBD |

#### Request Body

| **Property Name** | **Value** | **Description** |
| --- | --- | --- |
| policy | object | Name of the policy |

#### Sample Request

```json
{
  "policy": {
    "name": "some_policy",
    "description": "written about the policy"
  }
}
```

#### Sample Response

Status: 200 OK

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## DELETE /v3/access_control/policies/:policy_id

Delete a policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| DELETE | `/v3/access_control/policies/:policy_id` | Deletes a specific policy |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | Integer | AccessControlPolicyId. Example: `67` |

#### Sample Response

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## GET /v3/access_control/users/:user_id/policies

List policies per user.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/users/:user_id/policies` | Gets a list of policies by user |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `user_id` | Yes | integer | UserId. Example: `123` |

#### Sample Response

Status: 200 OK

```json
[
  {
    "id": 67,
    "account_id": 123,
    "name": "some_policy",
    "description": "written about the policy",
    "user_count": 3
  }
]
```

## PATCH /v3/access_control/users/:user_id/policies

Update a user’s policies.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/users/:user_id/policies` | Updates a user’s policies |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `user_id` | Yes | integer | UserId. Example: `123` |

#### Request Body

| **Property Name** | **Value** | **Description** |
| --- | --- | --- |
| policy_ids | array of string | List of policies |

#### Sample Request

```json
{
  "policy_ids": [ "1", "2", "42" ]
}
```

#### Sample Response

Status: 200 OK

```json
[
  {
    "id": 67,
    "account_id": 123,
    "name": "some_policy",
    "description": "written about the policy",
    "user_count": 3
  }
]
```

## POST /v3/access_control/users/:user_id/policies/:policy_id

Attach a policy to a user.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| POST | `/v3/access_control/users/:user_id/policies/:policy_id` | Attaches a policy to a user |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `user_id` | Yes | integer | UserId. Example: `123` |
| `policy_id` | Yes | integer | Example: `67` |

#### Sample Response

Status: 200 OK

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## DELETE /v3/access_control/users/:user_id/policies/:policy_id

Delete a user’s policies.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| DELETE | `/v3/access_control/users/:user_id/policies/:policy_id` | Deletes a user’s policies |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `user_id` | Yes | integer | UserId. Example: `123` |
| `policy_id` | Yes | integer | Example: `67` |

#### Sample Response

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## POST /v3/access_control/policies/:policy_id/users/:user_id

Attach a user to a specific policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| POST | `/v3/access_control/policies/:policy_id/users/:user_id` | Attaches a user to a policy. |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |
| `user_id` | Yes | Integer | Userid. Example: 123 |

#### Sample Response

Status: 200 OK

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## DELETE /v3/access_control/policies/:policy_id/users/:user_id

Detach a user from a specific policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| DELETE | `/v3/access_control/policies/:policy_id/users/:user_id` | Deletes a user from a policy |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |
| `user_id` | Yes | Integer | Userid. Example: 123 |

#### Sample Response

Status: 200 OK

```json
{
  "id": 67,
  "account_id": 123,
  "name": "some_policy",
  "description": "written about the policy",
  "user_count": 3
}
```

## GET /v3/access_control/permissions

List all permissions.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/permissions` | Lists all permissions |

#### Sample Response

Status: 200 OK

```json
[
  {
    "id": 0,
    "permission_set_id": 0,
    "resource_type": "string",
    "filter_expression": "string",
    "filter_operator": "string",
    "filter_value": "string",
    "can_create": true,
    "can_read": true,
    "can_update": true,
    "can_delete": true,
    "can_execute": true,
    "custom_operation": "string"
  }
]
```

## GET /v3/access_control/policies/:policy_id/permissions

List the permissions for a specific policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/policies/:policy_id/permissions` | Lists permissions for a policy |

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |

#### Sample Response

Status: 200 OK

```json
{
  "WorkflowProject": [ { "operation": "view" } ],
  "WorkflowProjectLevel": [ { "operation": "view", "name": "my_wf" } ],
  "Segmentation": [ { "operation": "full" } ],
  "MasterSegmentConfigs": [ { "operation": "view" } ],
  "MasterSegmentConfig": [ { "operation": "view", "id": "42" } ],
  "SegmentAllFolders": [ { "operation": "view", "audience_id": "42" } ],
  "SegmentFolder": [ { "operation": "view", "id": "42" } ],
  "Authentications": [ { "operation": "use" } ],
  "Sources": [ { "operation": "restricted" } ],
  "Destinations": [ { "operation": "restricted" } ]
}
```

## PATCH /v3/access_control/policies/:policy_id/permissions

Update the permissions for a specific policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/policies/:policy_id/permissions` | Updates permissions for a policy |

#### URI Parameter

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |

#### Available Body Request Fields

| **Parameter Name** | **Value** | **Description** | **Example** |
| --- | --- | --- | --- |
| WorkflowProject | Array of object | Designates "view", "run", or "edit" access to all workflows. | operation (string), enum: `"view" "run" "edit"`; name (string) |
| WorkflowProjectLevel | Array of object | Designates "view", "run", or "edit" access to a specific workflow project. | operation (string), enum: `"view" "run" "edit"`; name (string) |
| Segmentation | Array of object | Grants "full" access to all segmentations. | operation (string), value: `"full"` |
| MasterSegmentConfigs | Array of object | Grants "view" or "edit" access to all master segment configs, or "full" access to all CDP-generated workflows. | operation (string), enum: `"view" "edit"` |
| MasterSegmentConfig | Array of object | Grants "view" or "edit" access to a specific master segment config, or "full" access to specific CDP-generated workflows. | operation (string), enum: `"view" "edit"`; id (string) |
| MasterSegmentColumn | Array of object | Grants permissions on a master segment column. | operations (string), enum: "view_clear" "view_non_pii" "view_pii" "blocked" |
| MasterSegmentAllColumns | Array of object | Grants permissions on all columns of a master segment. | operations (string), enum: "view_clear" "view_non_pii" "view_pii" "blocked_only_for_migration_purpose" |
| SegmentAllFolders | Array of object | Grants "view" or "edit" access to all segment folders. | operation (string), enum: `"view" "edit"`; audience_id (string) |
| SegmentFolder | Array of object | Grants "view" or "edit" access to a specific segment folder. | operation (string), enum: `"view" "edit"`; id (string) |
| Databases | Array of object | Grants “manage” access to all databases. Grants “owner_manage” access to owned databases. Grants “edit”, “query” and “import” to access specific databases with “ids”. Grants “download” to allow downloads of databases that have read permissions. | operation (string), enum: “manage” “owner_manage” “edit” “query” “import”; ids (string, required when operation is “edit” “query” “import”), for example “1,2,3” |
| Authentications | Array of object | Grants "use" or "full" access to all authentications, where "use" designates permissions to view authentications. | operation (string), enum: "use" "full" "owner_manage" "use_limited" (order is up to you); ids (string, required when `operation` is "use_limited"), for example "1, 2, 3" |
| Sources | Array of object | Sets "restricted" access to all sources. | Describes what authority you have (only one type may be selected). operation (string), enum: "restricted" |
| Destinations | Array of object | Grants "restricted" access to using destinations for result export. | operation (string), enum: "restricted" |

#### Sample Request

```json
{
  "Authentications": [ { "operation": "full" } ],
  "Sources": [ { "operation": "restricted" } ],
  "Destinations": [ { "operation": "restricted" } ]
}
```

#### Sample Response

Status: 200 OK

```json
{
  "Authentications": [ { "operation": "full" } ],
  "Sources": [ { "operation": "restricted" } ],
  "Destinations": [ { "operation": "restricted" } ]
}
```

## GET /v3/access_control/users

Retrieve a list of users and their permissions.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/users` | Gets a list of users and their permissions |

#### Sample Response

Status: 200 OK

```json
[
  {
    "user_id": 123,
    "account_id": 123,
    "permissions": {
      "WorkflowProject": [ { "operation": "view" } ],
      "WorkflowProjectLevel": [ { "operation": "view", "name": "my_wf" } ],
      "Segmentation": [ { "operation": "full" } ],
      "MasterSegmentConfigs": [ { "operation": "view" } ],
      "MasterSegmentConfig": [ { "operation": "view", "id": "42" } ],
      "SegmentAllFolders": [ { "operation": "view", "audience_id": "42" } ],
      "SegmentFolder": [ { "operation": "view", "id": "42" } ],
      "Authentications": [ { "operation": "use" } ],
      "Sources": [ { "operation": "restricted" } ],
      "Destinations": [ { "operation": "restricted" } ]
    },
    "policies": [
      {
        "id": 67,
        "account_id": 123,
        "name": "some_policy",
        "description": "written about the policy",
        "user_count": 3
      }
    ]
  }
]
```

## GET /v3/access_control/users/:user_id

Retrieve a specific user by ID.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/users/:user_id` | Gets a user |

#### URI Parameter

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |

#### Sample Response

Status: 200 OK

```json
{
  "user_id": 123,
  "account_id": 123,
  "permissions": {
    "WorkflowProject": [ { "operation": "view" } ],
    "WorkflowProjectLevel": [ { "operation": "view", "name": "my_wf" } ],
    "Segmentation": [ { "operation": "full" } ],
    "MasterSegmentConfigs": [ { "operation": "view" } ],
    "MasterSegmentConfig": [ { "operation": "view", "id": "42" } ],
    "SegmentAllFolders": [ { "operation": "view", "audience_id": "42" } ],
    "SegmentFolder": [ { "operation": "view", "id": "42" } ],
    "Authentications": [ { "operation": "use" } ],
    "Sources": [ { "operation": "restricted" } ],
    "Destinations": [ { "operation": "restricted" } ]
  },
  "policies": [
    {
      "id": 67,
      "account_id": 123,
      "name": "some_policy",
      "description": "written about the policy",
      "user_count": 3
    }
  ]
}
```

## PATCH /v3/access_control/users/:user_id/permissions

Update permissions for a specific user.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/users/:user_id/permissions` | Updates permissions |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `user_id` | Yes | Integer | Userid. Example: 123 |

#### Request Body

| **Property Name** | **Value** | **Description** |
| --- | --- | --- |
| WorkflowProject | array of object | Example: operation (string), enum: `"view" "run" "edit"`; property name (any) |
| WorkflowProjectLevel | array of object | Example: operation (string), enum: `"view" "run" "edit"`; name (string); property name (any) |

#### Sample Request

```json
{
  "WorkflowProject": [ { "operation": "view" } ],
  "WorkflowProjectLevel": [ { "operation": "view", "name": "my_wf" } ]
}
```

#### Sample Response

Status: 200 OK

```json
{
  "user_id": 123,
  "permissions": {
    "WorkflowProject": [ { "operation": "view" } ],
    "WorkflowProjectLevel": [ { "operation": "view", "name": "my_wf" } ],
    "Segmentation": [ { "operation": "full" } ],
    "MasterSegmentConfigs": [ { "operation": "view" } ],
    "MasterSegmentConfig": [ { "operation": "view", "id": "42" } ],
    "SegmentAllFolders": [ { "operation": "view", "audience_id": "42" } ],
    "SegmentFolder": [ { "operation": "view", "id": "42" } ],
    "Authentications": [ { "operation": "use" } ],
    "Sources": [ { "operation": "restricted" } ],
    "Destinations": [ { "operation": "restricted" } ]
  }
}
```

## GET /v3/access_control/policies/:policy_id/users

Retrieve a list of users associated with a specific policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/policies/:policy_id/users` | Gets a list of users of a policy |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |

#### Sample Response

Status: 200 OK

```json
[
  {
    "user_id": 123,
    "account_id": 123,
    "email": "jake@gmail.com",
    "name": "Jake Becker"
  }
]
```

## PATCH /v3/access_control/policies/:policy_id/users

Update a list of users associated with a specific policy.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/policies/:policy_id/users` | Updates a list of users with a policy |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |

#### Request Body

| **Property Name** | **Value** | **Description** |
| --- | --- | --- |
| user_ids | array of integer | List of user IDs |

#### Sample Request

```json
{
  "user_ids": [ 123 ]
}
```

#### Sample Response

Status: 200 OK

```json
[
  {
    "user_id": 123,
    "account_id": 123,
    "permissions": {
      "WorkflowProject": [ { "operation": "view" } ],
      "WorkflowProjectLevel": [ { "operation": "view", "name": "my_wf" } ],
      "Segmentation": [ { "operation": "full" } ],
      "MasterSegmentConfigs": [ { "operation": "view" } ],
      "MasterSegmentConfig": [ { "operation": "view", "id": "42" } ],
      "SegmentAllFolders": [ { "operation": "view", "audience_id": "42" } ],
      "SegmentFolder": [ { "operation": "view", "id": "42" } ],
      "Authentications": [ { "operation": "use" } ],
      "Sources": [ { "operation": "restricted" } ],
      "Destinations": [ { "operation": "restricted" } ]
    },
    "policies": [
      {
        "id": 67,
        "account_id": 123,
        "name": "some_policy",
        "description": "written about the policy",
        "user_count": 3
      }
    ]
  }
]
```

## GET /v3/access_control/policies/{policy_id}/column_permissions

Retrieve information related to a policy that contains column-level permissions.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/policies/{policy_id}/column_permissions` | Retrieve information related to a policy that contains column-level permissions. |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | AccessControlPolicyId. Example: `67` |

#### Sample Response

```json
{
  "tags": [ "string" ],
  "except": true,
  "masking": "hash"
}
```

## GET /v3/access_control/policies?column_permissions_tag={tag}

Retrieve all policies that contain column tags.

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| GET | `/v3/access_control/policies?column_permission_tag={tag}` | Retrieve all policies that contain column tags. |

#### Sample Response

```json
[
  {
    "id": 67,
    "account_id": 123,
    "name": "some_policy",
    "description": "written about the policy",
    "user_count": 3
  }
]
```

## PATCH /v3/access_control/policies/{policy_id}/column_permissions

Update information related to a column-level access control policy.

| **Control Type** | **Description** |
| --- | --- |
| Allow | A policy that allows access with “xxx, yyy, zzz” tags |
| Allow - Except | A policy that allows access to all columns with the exception of “aaa, bbb, ccc” tags |
| Mask | A policy that hides specified columns using modified content. |

### **ALLOW**

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/policies/:policy_id/column_permissions` | Updates a specific policy to allow access to specific tags. |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | policy_id. Example: `6196842` |

#### Sample Request

```bash
# TD_API_HOST is a placeholder for your Treasure Data API hostname (not given on this page).
curl -X PATCH \
  -H "Authorization: TD1 ${TD1_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"column_permissions":[ {"tags":["home-address"]} ]}' \
  "https://${TD_API_HOST}/v3/access_control/policies/6196842/column_permissions"
```

#### Sample Response

```json
[
  {
    "tags": [ "home-address" ]
  }
]
```

### **ALLOW Except**

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/policies/:policy_id/column_permissions` | Updates a specific policy to allow access to specific tags. |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | policy_id. Example: `6196842` |

#### Sample Request

```bash
# TD_API_HOST is a placeholder for your Treasure Data API hostname (not given on this page).
curl -X PATCH \
  -H "Authorization: TD1 ${TD1_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"column_permissions":[ {"tags":["email-raw"], "except":true} ]}' \
  "https://${TD_API_HOST}/v3/access_control/policies/6196842/column_permissions"
```

#### Sample Response

```json
[
  {
    "tags": [ "email-raw" ],
    "except": true
  }
]
```

### **MASKING**

| **HTTP Verb** | **Resource** | **Description** |
| --- | --- | --- |
| PATCH | `/v3/access_control/policies/:policy_id/column_permissions` | Updates a specific policy to allow access to specific tags. |

#### URI Parameters

| **Parameter Name** | **Required** | **Type** | **Description** |
| --- | --- | --- | --- |
| `policy_id` | Yes | integer | policy_id. Example: `6196842` |

#### Sample Request

```bash
# TD_API_HOST is a placeholder for your Treasure Data API hostname (not given on this page).
curl -X PATCH \
  -H "Authorization: TD1 ${TD1_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"column_permissions":[ {"tags":["home-address"], "masking":"hash"} ]}' \
  "https://${TD_API_HOST}/v3/access_control/policies/6196842/column_permissions"
```

#### Sample Response

```json
[
  {
    "tags": [ "home-address" ],
    "masking": "hash"
  }
]
```
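
A pre-flight check for the body of `PATCH /v3/access_control/policies/:policy_id/permissions`, so that a mistyped operation or a missing `ids` value is caught before a policy change is sent. This is an added example, not Treasure Data code: the function names and the `ACCOUNT_WIDE` review set are assumptions, the enums are transcribed from the "Available Body Request Fields" table, and the two `MasterSegment*Column*` rows are left out because they use an `operations` key.

```python
# Operation enums transcribed from the "Available Body Request Fields" table.
ALLOWED = {
    "WorkflowProject": {"view", "run", "edit"},
    "WorkflowProjectLevel": {"view", "run", "edit"},
    "Segmentation": {"full"},
    "MasterSegmentConfigs": {"view", "edit"},
    "MasterSegmentConfig": {"view", "edit"},
    "SegmentAllFolders": {"view", "edit"},
    "SegmentFolder": {"view", "edit"},
    # "download" is named in the row's description, not in its enum list.
    "Databases": {"manage", "owner_manage", "edit", "query", "import", "download"},
    "Authentications": {"use", "full", "owner_manage", "use_limited"},
    "Sources": {"restricted"},
    "Destinations": {"restricted"},
}
# Operations for which the table marks "ids" as required.
IDS_REQUIRED = {"Databases": {"edit", "query", "import"},
                "Authentications": {"use_limited"}}
# Assumption: grants the table describes as covering all resources of a type.
ACCOUNT_WIDE = {("Segmentation", "full"), ("Databases", "manage"),
                ("Authentications", "full")}

def validate_permissions(body):
    """Return a list of problems; an empty list means the body matches the table."""
    if not isinstance(body, dict):
        return ["body must be a JSON object keyed by resource type"]
    errors = []
    for rtype, entries in body.items():
        if rtype not in ALLOWED:
            errors.append(f"{rtype}: resource type not covered by this check")
            continue
        if not isinstance(entries, list):
            errors.append(f"{rtype}: value must be an array of objects")
            continue
        for i, entry in enumerate(entries):
            op = entry.get("operation") if isinstance(entry, dict) else None
            ids = entry.get("ids") if isinstance(entry, dict) else None
            if not isinstance(op, str) or op not in ALLOWED[rtype]:
                errors.append(f"{rtype}[{i}]: operation {op!r} not in {sorted(ALLOWED[rtype])}")
            elif op in IDS_REQUIRED.get(rtype, ()) and not (isinstance(ids, str) and ids.strip()):
                errors.append(f"{rtype}[{i}]: 'ids' is required when operation is {op!r}")
    return errors

def account_wide_grants(body):
    """List (resource type, operation) pairs that apply to every resource of a type."""
    return sorted((rtype, e["operation"])
                  for rtype, entries in body.items() if isinstance(entries, list)
                  for e in entries
                  if isinstance(e, dict) and isinstance(e.get("operation"), str)
                  and (rtype, e["operation"]) in ACCOUNT_WIDE)

# The page's sample request, then a constructed body with three mistakes.
PAGE_SAMPLE = {"Authentications": [{"operation": "full"}],
               "Sources": [{"operation": "restricted"}],
               "Destinations": [{"operation": "restricted"}]}
CONSTRUCTED_BAD = {"Databases": [{"operation": "query"}],
                   "Authentications": [{"operation": "use_limited", "ids": "1, 2, 3"}],
                   "Sources": [{"operation": "full"}],
                   "Segmentation": {"operation": "full"}}

if __name__ == "__main__":
    for name, body in (("page sample", PAGE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, validate_permissions(body), account_wide_grants(body))
```

The page's own sample request passes validation but is reported by `account_wide_grants`, which makes it a natural input for a change-review step on policy updates.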