Policies
HatiData provides two policy systems: standard policies for column masking and row-level security, and ABAC policies for attribute-based access control. Both are scoped to environments.
Standard Policies
Standard policies define column masking rules and row-level security filters.
List Policies
GET /v1/environments/{env_id}/policies
Lists all standard policies in the environment.
Request:
curl https://api.hatidata.com/v1/environments/env_prod_x1y2/policies \
-H "Authorization: Bearer <jwt>"
Response 200 OK:
{
"data": [
{
"policy_id": "pol_a1b2c3",
"name": "pii-masking",
"type": "column_masking",
"enabled": true,
"rules": [
{
"table": "customers",
"column": "email",
"function": "full",
"exempt_roles": ["owner", "admin"]
},
{
"table": "customers",
"column": "ssn",
"function": "hash",
"exempt_roles": []
}
],
"created_at": "2026-01-20T10:00:00Z",
"updated_at": "2026-02-10T14:30:00Z"
},
{
"policy_id": "pol_d4e5f6",
"name": "department-isolation",
"type": "row_level_security",
"enabled": true,
"rules": [
{
"table": "sales_data",
"filter": "department = '{department}'",
"exempt_roles": ["owner", "admin"]
}
],
"created_at": "2026-01-25T11:00:00Z",
"updated_at": "2026-01-25T11:00:00Z"
}
],
"pagination": {
"cursor": null,
"has_more": false,
"total": 2
}
}
Create Policy
POST /v1/environments/{env_id}/policies
Creates a new standard policy. Requires Owner or Admin role.
Request (column masking):
curl -X POST https://api.hatidata.com/v1/environments/env_prod_x1y2/policies \
-H "Authorization: Bearer <jwt>" \
-H "Content-Type: application/json" \
-d '{
"name": "payment-masking",
"type": "column_masking",
"rules": [
{
"table": "payments",
"column": "card_number",
"function": "partial",
"visible_chars": 4,
"exempt_roles": []
},
{
"table": "payments",
"column": "cvv",
"function": "full",
"exempt_roles": []
}
],
"enabled": true
}'
Request (row-level security):
curl -X POST https://api.hatidata.com/v1/environments/env_prod_x1y2/policies \
-H "Authorization: Bearer <jwt>" \
-H "Content-Type: application/json" \
-d '{
"name": "agent-data-isolation",
"type": "row_level_security",
"rules": [
{
"table": "agent_memory",
"filter": "agent_id = '\''{agent_id}'\''",
"exempt_roles": ["owner", "admin", "auditor"]
}
],
"enabled": true
}'
Response 201 Created:
{
"policy_id": "pol_g7h8i9",
"name": "payment-masking",
"type": "column_masking",
"enabled": true,
"rules": [
{
"table": "payments",
"column": "card_number",
"function": "partial",
"visible_chars": 4,
"exempt_roles": []
},
{
"table": "payments",
"column": "cvv",
"function": "full",
"exempt_roles": []
}
],
"created_at": "2026-02-16T10:00:00Z",
"updated_at": "2026-02-16T10:00:00Z"
}
Update Policy
PUT /v1/environments/{env_id}/policies/{policy_id}
Updates an existing policy. Requires Owner or Admin role.
Request:
curl -X PUT https://api.hatidata.com/v1/environments/env_prod_x1y2/policies/pol_a1b2c3 \
-H "Authorization: Bearer <jwt>" \
-H "Content-Type: application/json" \
-d '{
"name": "pii-masking-v2",
"rules": [
{
"table": "customers",
"column": "email",
"function": "hash",
"exempt_roles": ["owner"]
},
{
"table": "customers",
"column": "ssn",
"function": "full",
"exempt_roles": []
},
{
"table": "customers",
"column": "phone",
"function": "null",
"exempt_roles": ["owner", "admin"]
}
],
"enabled": true
}'
Response 200 OK:
{
"policy_id": "pol_a1b2c3",
"name": "pii-masking-v2",
"type": "column_masking",
"enabled": true,
"rules": [
{
"table": "customers",
"column": "email",
"function": "hash",
"exempt_roles": ["owner"]
},
{
"table": "customers",
"column": "ssn",
"function": "full",
"exempt_roles": []
},
{
"table": "customers",
"column": "phone",
"function": "null",
"exempt_roles": ["owner", "admin"]
}
],
"created_at": "2026-01-20T10:00:00Z",
"updated_at": "2026-02-16T11:00:00Z"
}
Delete Policy
DELETE /v1/environments/{env_id}/policies/{policy_id}
Deletes a policy. Requires Owner or Admin role.
Request:
curl -X DELETE https://api.hatidata.com/v1/environments/env_prod_x1y2/policies/pol_a1b2c3 \
-H "Authorization: Bearer <jwt>"
Response 200 OK:
{
"policy_id": "pol_a1b2c3",
"deleted": true,
"deleted_at": "2026-02-16T12:00:00Z"
}
ABAC Policies
ABAC policies evaluate contextual attributes (role, time, origin, agent framework) to make dynamic access decisions. See Authorization for a detailed explanation of ABAC concepts.
List ABAC Policies
GET /v1/environments/{env_id}/abac-policies
Request:
curl https://api.hatidata.com/v1/environments/env_prod_x1y2/abac-policies \
-H "Authorization: Bearer <jwt>"
Response 200 OK:
{
"data": [
{
"policy_id": "abac_j0k1l2",
"name": "production-agent-policy",
"description": "Restrict production access to approved agent frameworks",
"rules": [
{
"condition": "AgentFrameworkIs",
"values": ["langchain", "crewai"],
"action": "allow"
},
{
"condition": "TimeOfDay",
"start": "06:00",
"end": "22:00",
"timezone": "UTC",
"action": "deny_outside"
}
],
"priority": 10,
"enabled": true,
"created_at": "2026-02-01T10:00:00Z"
}
],
"pagination": {
"cursor": null,
"has_more": false,
"total": 1
}
}
Create ABAC Policy
POST /v1/environments/{env_id}/abac-policies
Request:
curl -X POST https://api.hatidata.com/v1/environments/env_prod_x1y2/abac-policies \
-H "Authorization: Bearer <jwt>" \
-H "Content-Type: application/json" \
-d '{
"name": "weekend-read-only",
"description": "Restrict write operations on weekends",
"rules": [
{
"condition": "DayOfWeek",
"values": ["Saturday", "Sunday"],
"action": "read_only",
"message": "Write operations are not permitted on weekends"
}
],
"priority": 20,
"enabled": true
}'
Response 201 Created:
{
"policy_id": "abac_m3n4o5",
"name": "weekend-read-only",
"description": "Restrict write operations on weekends",
"rules": [
{
"condition": "DayOfWeek",
"values": ["Saturday", "Sunday"],
"action": "read_only",
"message": "Write operations are not permitted on weekends"
}
],
"priority": 20,
"enabled": true,
"created_at": "2026-02-16T10:00:00Z"
}
Simulate ABAC Policy
POST /v1/environments/{env_id}/abac-policies/simulate
Test policies against a hypothetical context without enforcement. Useful for validating policy behavior before enabling.
Request:
curl -X POST https://api.hatidata.com/v1/environments/env_prod_x1y2/abac-policies/simulate \
-H "Authorization: Bearer <jwt>" \
-H "Content-Type: application/json" \
-d '{
"context": {
"user_role": "developer",
"query_origin": "agent",
"agent_framework": "langchain",
"time_of_day": "14:30",
"day_of_week": "Saturday"
},
"query": "INSERT INTO logs (msg) VALUES ('\''test'\'')"
}'
Response 200 OK:
{
"decision": "deny",
"reason": "Write operations are not permitted on weekends",
"matching_policies": [
{
"policy_id": "abac_m3n4o5",
"name": "weekend-read-only",
"matched_rules": [
{
"condition": "DayOfWeek",
"values": ["Saturday", "Sunday"],
"result": "deny"
}
]
}
],
"evaluation_time_ms": 0.2
}
Agent Policy Summary
GET /v1/environments/{env_id}/abac-policies/agent-summary
Returns a summary of all policies that affect agent access, organized by framework.
Request:
curl https://api.hatidata.com/v1/environments/env_prod_x1y2/abac-policies/agent-summary \
-H "Authorization: Bearer <jwt>"
Response 200 OK:
{
"frameworks": {
"langchain": {
"allowed": true,
"policies_applied": 2,
"restrictions": [
"Queries restricted to business hours (06:00-22:00 UTC)",
"Read-only on weekends"
]
},
"crewai": {
"allowed": true,
"policies_applied": 2,
"restrictions": [
"Queries restricted to business hours (06:00-22:00 UTC)",
"Read-only on weekends"
]
},
"custom": {
"allowed": false,
"policies_applied": 1,
"restrictions": [
"Blocked: only langchain and crewai frameworks are permitted"
]
}
}
}
Error Responses
| Status | Code | Description |
|---|---|---|
400 | VALIDATION_ERROR | Invalid rule condition or missing required fields |
401 | UNAUTHORIZED | Missing or invalid authentication |
403 | FORBIDDEN | Insufficient role (must be Owner or Admin) |
404 | NOT_FOUND | Environment or policy not found |
409 | CONFLICT | Policy name already exists in this environment |
422 | INVALID_RULE | Rule condition references unknown attributes |