Governance Policies
Data governance policies define the rules and constraints that govern data access, handling, and protection. The GovernanceController manages the full policy lifecycle from creation through approval and activation.
Policy Lifecycle
Policies follow a structured lifecycle with approval workflows:
DRAFT --> PENDING_APPROVAL --> APPROVED --> ACTIVE --> SUSPENDED
^ | |
| (clone) | |
+------------------------------------------+-----------+| Status | Description |
|---|---|
DRAFT | Initial state, editable |
PENDING_APPROVAL | Submitted for approval review |
APPROVED | Approved but not yet enforced |
ACTIVE | Actively enforced |
SUSPENDED | Temporarily suspended with reason |
Create Policy
POST /api/v1/governance/policiescurl -X POST "http://localhost:8080/api/v1/governance/policies" \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-d '{
"name": "PII Access Control Policy",
"description": "Restrict access to personally identifiable information",
"type": "ACCESS_CONTROL",
"scope": "TENANT",
"priority": 100,
"rules": [
{
"name": "Block PII for non-compliance roles",
"condition": "resource.containsPii == true AND user.role NOT IN [COMPLIANCE_OFFICER, DATA_STEWARD]",
"actionType": "MASK",
"parameters": {
"maskingType": "PARTIAL",
"visibleChars": "4"
}
}
]
}'Response
{
"id": "pol-001",
"tenantId": "550e8400-...",
"name": "PII Access Control Policy",
"type": "ACCESS_CONTROL",
"status": "DRAFT",
"priority": 100,
"rules": [
{
"name": "Block PII for non-compliance roles",
"condition": "resource.containsPii == true AND user.role NOT IN [COMPLIANCE_OFFICER, DATA_STEWARD]",
"actionType": "MASK"
}
],
"createdAt": "2026-02-12T10:00:00Z"
}Policy Types
| Type | Description |
|---|---|
ACCESS_CONTROL | Controls who can access what data |
DATA_RETENTION | Defines data retention and deletion rules |
DATA_QUALITY | Enforces data quality standards |
MASKING | Specifies data masking rules |
CLASSIFICATION | Auto-classification rules |
List Policies
GET /api/v1/governance/policies?type={type}&status={status}&page=0&size=20curl "http://localhost:8080/api/v1/governance/policies?type=ACCESS_CONTROL&status=ACTIVE&page=0&size=20" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"Get Policy
GET /api/v1/governance/policies/{policyId}Update Policy
PUT /api/v1/governance/policies/{policyId}curl -X PUT "http://localhost:8080/api/v1/governance/policies/pol-001" \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-d '{
"name": "PII Access Control Policy (v2)",
"description": "Updated PII protection rules",
"priority": 150
}'Add Rule to Policy
POST /api/v1/governance/policies/{policyId}/rulescurl -X POST "http://localhost:8080/api/v1/governance/policies/pol-001/rules" \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-d '{
"name": "Block export of PII data",
"condition": "resource.containsPii == true AND action.isExport == true",
"actionType": "DENY",
"parameters": {}
}'Submit for Approval
POST /api/v1/governance/policies/{policyId}/submitcurl -X POST "http://localhost:8080/api/v1/governance/policies/pol-001/submit" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"Approve Policy
POST /api/v1/governance/policies/{policyId}/approvecurl -X POST "http://localhost:8080/api/v1/governance/policies/pol-001/approve" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-H "X-User-ID: 550e8400-e29b-41d4-a716-446655440099"Activate Policy
POST /api/v1/governance/policies/{policyId}/activateSuspend Policy
POST /api/v1/governance/policies/{policyId}/suspendcurl -X POST "http://localhost:8080/api/v1/governance/policies/pol-001/suspend" \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-d '{ "reason": "Under review due to regulatory change" }'Clone Policy
Create a copy of an existing policy for modification:
POST /api/v1/governance/policies/{policyId}/clonecurl -X POST "http://localhost:8080/api/v1/governance/policies/pol-001/clone" \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-d '{ "newName": "PII Access Control Policy (GDPR variant)" }'Delete Policy
DELETE /api/v1/governance/policies/{policyId}Returns 204 No Content on success.
Evaluate Policies
Evaluate all active policies against a data access context to determine the access decision:
POST /api/v1/governance/policies/evaluatecurl -X POST "http://localhost:8080/api/v1/governance/policies/evaluate" \
-H "Content-Type: application/json" \
-H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000" \
-d '{
"userId": "550e8400-e29b-41d4-a716-446655440099",
"userRoles": ["DATA_ANALYST", "VIEWER"],
"resourceId": "warehouse.analytics.customer_pii",
"operation": "SELECT",
"attributes": {
"dataCategory": "PII",
"department": "marketing"
}
}'Response
{
"decision": "ALLOW_WITH_MASKING",
"matchedPolicies": ["pol-001", "pol-003"],
"requiredMaskings": [
{
"column": "ssn",
"maskType": "FULL_MASK"
},
{
"column": "email",
"maskType": "PARTIAL",
"visibleChars": 4
}
],
"auditMessage": "Access allowed with masking per PII Access Control Policy"
}Source Reference
| Component | File |
|---|---|
| Policy CRUD | GovernanceController.java -- policy endpoints |
| Policy lifecycle | PolicyService.java |
| Policy model | DataPolicy.java |
| Policy rules | PolicyRule.java |