# Tag Based Access Control Using the REST API

Using the Permission Policy API, you can create column-level access control using specific policy tags to restrict or permit the accessibility of a column in a Treasure Data database.

When you create policy-based column-level access control permissions, you define access control for specific tags and then assign the policy to specific users. The [policy-based Column-level Access Control](/products/control-panel/security/policies/policy-based-column-level-access-control-permissions) feature must be enabled to create these permissions.

## Setting Policy Default Accessibility

In TD Console UI, a user can define three types of column accessibilities with tags: **None, View,** and **Masked.** You can achieve similar results using the REST API.

## Setting policy default accessibility to None

Similar to setting controls in UI, you can effectively set the policy default accessibility to **None** using the REST API by omitting tags using: {"tags":[]}. This is demonstrated in the following example, where the tags for policy 420836 are explicitly not set, resulting in no accessibility.


```bash
curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":[]}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions
```

## Setting policy default accessibility to View

Similar to setting controls in the UI, you can set the default accessibility to **View**. In the following example, all tags for policy 420836 are set to **View.** To set everything to **View** , the tags are omitted and the *except* statement is set to "except":true , resulting in everything accessible to the user.


```bash
curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":[],"except":true}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions
```

Similar to setting controls in the UI, you can set **View** permission to everything except for PII tags. This means that any new tags will have **View** accessibility even if they are not mentioned in the policy.


```bash
curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":["PII"],"except":true}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions
```

## Designate Accessibility Setting for a Tag

You can set the visibility of PII to **Masked** or **View**.

### Set visibility of PII to Masked


```bash
curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":["PII"],"masking":"hash"}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions
```

### Set visibility of PII to View


```bash
curl -s -H "Content-Type: application/json" \
-d '{"column_permissions":[{"tags":["PII"]}]}' \
-H "Authorization: TD1 ..." \
-X PATCH https://api.treasuredata.com/v3/access_control/policies/420836/column_permissions
```