Policies Overview
The Policy Engine lets governance teams define repeatable rules for catalog products, evaluate those rules against current metadata, and track violations over time. Use policies when a rule should be checked consistently across products instead of handled through one-off review comments.
Policies are available at /policies when the governance.policies_enabled feature is enabled for your tier.
Where Policies Fit
Policies work alongside the catalog:
- Product metadata and field metadata provide the evidence.
- Policy conditions decide which products or fields are in scope.
- Policy actions classify matching products, require missing governance evidence, or validate access controls.
- Evaluation runs produce compliant, non-compliant, or pending-review results.
- Product detail pages show active non-compliant policy banners for the product.
Space And Organization Scope
The Policies page supports two scopes when an organization is selected:
| Scope | What you can do |
|---|---|
| Space | Create, edit, evaluate, archive, unarchive, delete, and review policies for the current space. Compliance summary cards and templates are also space-aware. |
| Organization | Review policy coverage across organization spaces and see source-space context. Organization-level policies and templates can be managed through organization policy APIs and organization template controls where enabled. |
Start in space scope when you are fixing violations. Use organization scope when you need a portfolio view or want to compare policies across spaces.
Policy Types
| Type | Use it for | Typical actions |
|---|---|---|
| Classification | Detect fields or products that should be classified. | Set product sensitivity, flag matched fields as PII, and apply tags. |
| Requirement | Check whether matching products have required governance evidence. | Require an active data contract, required product tags, or required field tags. |
| Access control | Check whether products have appropriate applicable source-system roles. | Require at least one applicable role, restrict allowed access levels, or require roles that grant PII or PHI access. |
Each policy also has an enforcement mode:
| Mode | Behavior |
|---|---|
| Advisory | Reports violations and shows warnings without blocking product edits. |
| Blocking | Marks violations as blocking. Active blocking violations can prevent non-remediation product updates until the issue is resolved. |
Blocking policies still allow metadata-only remediation edits, such as fixing descriptions, classifications, ownership-related product metadata, environment, lawful basis, retention, data-subject categories, or processing purpose.
Create A Policy
- Open
/policiesin the space that owns the products. - Choose New Policy. If templates are available, either start from a template or skip the template picker.
- Enter a name and optional description. Use names that explain the rule, such as
PII columns must be confidentialorCritical products require a contract. - Choose a policy type and enforcement mode.
- Leave the policy enabled if it should participate in evaluations immediately.
- Configure conditions:
- Match mode
anymeans a product or field can match at least one condition group. - Match mode
allmeans every configured condition group must match. - Column-name patterns match field names with glob-style patterns, such as
*email*,*ssn*, or*account_number*. - Include product tags limit evaluation to products with one of the listed tags.
- Exclude product tags skip products with any of the listed tags.
- Match mode
- Configure actions for the selected policy type.
- Save the policy, then run an evaluation to produce current results.
Templates
Templates are a safer starting point for common governance patterns. Qarion ships system templates such as:
- GDPR PII Detection
- SOC2 Access Controls
- Financial Data Protection
The template manager lets you review system, space, and organization templates. Custom templates can be created, edited, marked as default, disabled, or deleted depending on their scope. System templates can be overridden into a custom scope when you need local wording, conditions, actions, or enforcement mode.
For classification templates, AI-assisted pattern suggestions may be available when AI classification is enabled. Suggestions propose column-name patterns from the template name, description, existing patterns, and actions. Review suggested patterns before saving; they are accelerators, not approvals.
Evaluate Policies
Evaluation is what turns a policy definition into evidence.
| Action | What happens |
|---|---|
| Evaluate one policy | Runs that policy against products in the space and opens an inline results panel. |
| Re-evaluate all | Runs all enabled policies against products in the space and refreshes compliance summary data. |
| Evaluation runs | Opens historical runs for a policy, including run time, evaluated count, skipped count, compliant count, non-compliant count, and pending-review count. |
| Status filter in a run | Filters historical run details to compliant, non-compliant, or pending-review results. |
Immediate evaluation results show product or managed-dataset links, status, matched fields, applied classification actions, missing requirements, access-control findings, and contract presence where applicable.
Compliance Summary
The summary cards show:
- Total policies.
- Compliant product evaluations.
- Non-compliant product evaluations.
- Compliance rate.
The summary is a current evaluation view, not a guarantee that every policy has been evaluated recently. Check each policy's last evaluated date and use evaluation runs when you need a point-in-time audit trail.
Violations And Remediation
Product detail pages show active non-compliant policy banners. Blocking violations are highlighted as blocking and link back to /policies.
Use this remediation loop:
- Open the violating product from the evaluation result or product banner.
- Read the violation details. For example, a requirement policy may list missing product tags, missing field tags, or a missing active data contract.
- Fix the product metadata, field metadata, contract, role mapping, or classification that the policy requires.
- Re-run the policy or re-evaluate all policies.
- Confirm the product moves to compliant in the latest evaluation run.
Common fixes:
| Violation | Typical remediation |
|---|---|
| Missing product tags | Add the required tags to the product. |
| Missing field tags | Add required tags to matched fields. |
| Missing active data contract | Create or activate the product's data contract. |
| Matched PII-like fields | Confirm the matched fields, set sensitivity, flag PII where appropriate, and apply required tags. |
| Missing applicable role | Add source-system applicable roles for the product. |
| Disallowed access level | Change or remove applicable roles that exceed allowed access levels. |
| Missing PII or PHI access grant | Configure an applicable role that grants the required data access. |
Version History And Archiving
Editing a policy increments its version and stores a version-history snapshot before the update. Use version history to understand what changed, who changed it, and when.
Archive policies that are no longer active but should remain available for audit context. Archived policies are hidden by default; enable Show archived when you need to review or unarchive them. Delete policies only when the record is truly obsolete and no longer needed for audit review.
Filters And Table Actions
Use the toolbar to filter the policy table by:
- Policy type.
- Enabled or disabled status.
- Archived visibility.
Each space-scope row includes actions for evaluate, version history, evaluation runs, edit, archive or unarchive, and delete. Organization-scope rows are primarily for review and source-space context.
Operating Practices
- Start new governance rules in advisory mode, run evaluations, and review false positives before switching to blocking.
- Use include and exclude product tags to narrow blast radius during rollout.
- Prefer templates for common patterns, then customize them after reviewing current product metadata.
- Run re-evaluate all after bulk imports, product metadata migrations, contract changes, tag cleanup, or access-role updates.
- Treat blocking policies as operational controls. Confirm owners know how to remediate before enabling blocking mode.
- Review evaluation runs before audits so you can cite the run time and result counts.
Technical Reference
- User route:
/policies - Product banners: active non-compliant policy evaluations on product detail pages
- Main API family:
/api/v1.0/spaces/{slug}/policies - Organization policy family:
/api/v1.0/organizations/{org_slug}/policies - Developer reference: Policies API
Related
- Product Details - product metadata and violation banners.
- Data Contracts - contract evidence used by requirement policies.
- Documentation Dashboard - completeness scoring that often informs policy rollout.