You can use our NerdGraph API to create, query, update, and delete data access policies. Data access policies control which log partitions your users can access, allowing you to restrict access to sensitive log data based on user groups.
Requirements

To manage data access policies via NerdGraph, you need:

Before you begin

Before using the NerdGraph API for data access policies, understand how data access control works, and familiarize yourself with NerdGraph.
Common attributes

The following attributes are commonly used in data access policy queries and mutations:

Attribute | Description
organizationId | The ID of the organization associated with the policy. Used to filter policies or scope policy creation.
id | The unique identifier of the policy. Required when updating or deleting a specific policy.
name | A user-friendly name for the data access policy.
policy | The JSON object that defines the policy's rules. It includes: rules: An array of rule objects. operations: The operations to allow or deny (e.g., SELECT, *). eventTypes: An object specifying which event types to allow (e.g., ["*"]) or except (e.g., ["Log_accessible"]).
accountId | The account ID the role grants access to.
dataAccessPolicyId | The data access policy ID that defines what data in an account is allowed.
roleId | The role ID that defines the access level.
Common operations

Here are the most common operations for managing data access policies:

Query data access policies associated with access grants

This query retrieves all access grants in your organization and their associated data access policies. Use it to see which policies are currently assigned to grants.

Sample query

  grants(filter: { organizationId: { eq: "YOUR_ORG_ID" } }) {

Parameter | Description
organizationId | Required. The organization ID the grants belong to. Use the equals (eq) operator to filter.
Sample response

  "customerAdministration": {
  "id": "DATA_ACCESS_POLICY_ID",
  "name": "DATA_ACCESS_POLICY_NAME"

Response field | Description
items | List of grants in the organization.
dataAccessPolicy | The data access policy associated with each grant.
id | The unique identifier of the data access policy.
name | The name of the data access policy.
Query data access policies for an organization

This query retrieves all data access policies in your organization.

Sample query

  dataAccessPolicies(filter: { organizationId: { eq: "YOUR_ORG_ID" } }) {

Parameter | Description
organizationId | Required. The organization ID the policies belong to. Use the equals (eq) operator to filter.
Sample response

  "customerAdministration": {
  "id": "ddadbdd2-183b-42d9-8a1a-41ec7692fb4c",
  "name": "Log Operations",
  "except": ["Log_Operations"]
  "id": "bb8efcf5-3127-4a4d-b25f-114505a0a68d",
  "name": "Restrict Log_Security",

Response field | Description
items | List of data access policies in the organization.
id | The unique identifier of the data access policy.
name | The name of the data access policy.
policy | The JSON object containing the policy rules with operations and eventTypes.
status | The current status of the policy (e.g., VALID).
version | The policy version (currently 1.0-logs).
Create a data access policy

This mutation creates a new data access policy to control access to log partitions.

Sample mutation

  mutation createMyPolicy {
  eventTypes: { allow: ["*"], except: ["Log_accessible"] }
  organizationId: "YOUR_ORG_ID"

You can also use the following variables:

  mutation createMyPolicy($policy: DataAccessPolicyRawDocument!) {
  organizationId: "YOUR_ORG_ID"
  "operations": ["SELECT"],
  "eventTypes": { "allow": ["*"], "except": [] }

Parameter | Description
organizationId | Required. Your New Relic organization ID.
name | Required. A descriptive name for the policy.
policy | Required. The JSON object defining the policy rules with operations and eventTypes.
Sample response

  "dataAccessPolicyCreate": {
  "id": "YOUR_DATA_POLICY_ID",

Response field | Description
id | The unique identifier of the newly created data access policy.
name | The name of the data access policy.
policy | The JSON object containing the policy rules with operations and eventTypes.
status | The status of the policy (e.g., VALID).
Update a data access policy

This mutation updates an existing data access policy to modify its rules or name.

Sample mutation

  eventTypes: { allow: ["*"], except: ["Log_inaccessible"] }
  id: "YOUR_DATA_POLICY_ID"

Parameter | Description
id | Required. The ID of the policy to update.
name | Optional. Updated name for the policy.
policy | Optional. The JSON object defining the updated policy rules with operations and eventTypes.
Sample response

  "dataAccessPolicyUpdate": {
  "assigned": "UNASSIGNED",
  "id": "YOUR_DATA_POLICY_ID",
  "except": ["Log_inaccessible"]

Response field | Description
assigned | Indicates if the policy is assigned to any grants (e.g., UNASSIGNED).
id | The unique identifier of the updated data access policy.
name | The name of the data access policy.
policy | The JSON object containing the updated policy rules with operations and eventTypes.
status | The status of the policy (e.g., VALID).
Delete a data access policy

This mutation deletes an existing data access policy.

Important: Deleting a policy removes it from all assigned grants. Users in groups with those grants will lose the data access restrictions defined by the policy.

Sample mutation

  dataAccessPolicyDelete(id: "YOUR_DATA_POLICY_ID") {

Parameter | Description
id | Required. The ID of the policy to delete.

Sample response

  "dataAccessPolicyDelete": {
  "id": "YOUR_DATA_POLICY_ID",
  "except": ["Log_inaccessible"]
Response field | Description
id | The unique identifier of the deleted data access policy.
name | The name of the deleted data access policy.
policy | The JSON object containing the policy rules that were deleted.
status | The status of the policy (e.g., VALID).
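An added example, not New Relic's own code, tying the policy document format to the delete warning above: it reads constructed `items` lists shaped like the sample responses, works out which event types a policy withholds, and counts the grants that reference a policy before `dataAccessPolicyDelete` is run. It assumes each rule grants its operations on `allow` minus `except`; the helper names and all sample values are hypothetical.

```python
import json

# Constructed sample data shaped like the page's "items" lists; all values are placeholders.
POLICIES = [
    {"id": "POLICY_ID_1", "name": "Restrict Log_Security", "status": "VALID",
     "policy": {"rules": [{"operations": ["SELECT"], "eventTypes": {
         "allow": ["*"], "except": ["Log_Security"]}}]}},
    # Assumption: the document may also arrive serialized as a JSON string.
    {"id": "POLICY_ID_2", "name": "Open policy", "status": "VALID",
     "policy": json.dumps({"rules": [{"operations": ["SELECT"], "eventTypes": {
         "allow": ["*"], "except": []}}]})},
]
GRANTS = [
    {"dataAccessPolicy": {"id": "POLICY_ID_1", "name": "Restrict Log_Security"}},
    {"dataAccessPolicy": {"id": "POLICY_ID_1", "name": "Restrict Log_Security"}},
    {"dataAccessPolicy": None},  # grant with no data access policy attached
]

def rules_of(item):
    """Return a policy item's rule list, decoding a string-encoded document."""
    doc = item.get("policy") or {}
    if isinstance(doc, str):
        doc = json.loads(doc)
    return doc.get("rules", [])

def can_select(item, event_type):
    """Assumed semantics: a rule grants its operations on 'allow' minus 'except'."""
    for rule in rules_of(item):
        ops = set(rule.get("operations", []))
        types = rule.get("eventTypes", {})
        allowed = set(types.get("allow", []))
        if ops & {"SELECT", "*"} and allowed & {"*", event_type} \
                and event_type not in types.get("except", []):
            return True
    return False

def restricted_types(item):
    """Event types named in an 'except' list that no other rule re-allows."""
    named = {t for r in rules_of(item) for t in r.get("eventTypes", {}).get("except", [])}
    return sorted(t for t in named if not can_select(item, t))

def delete_impact(policy_id, policies, grants):
    """Summarize what deleting policy_id would change, before running the mutation."""
    item = next(p for p in policies if p["id"] == policy_id)
    hits = [g for g in grants if (g.get("dataAccessPolicy") or {}).get("id") == policy_id]
    return {"name": item["name"], "grants_affected": len(hits),
            "unrestricted_after_delete": restricted_types(item)}

print(delete_impact("POLICY_ID_1", POLICIES, GRANTS))
```

A policy whose `restricted_types` result is empty restricts nothing, which is worth flagging when reviewing the policy list.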
Create an access grant with a data access policy

This mutation creates a new access grant that includes a data access policy, assigning it to a specific account and role.

Sample mutation

  authorizationManagementGrantAccess(
  accountId: YOUR_ACCOUNT_ID
  dataAccessPolicyId: "YOUR_DATA_POLICY_ID"

Parameter | Description
accountId | Required. The account ID to grant access to.
dataAccessPolicyId | Required. The data access policy ID to apply.
roleId | Required. The role ID defining permissions.

Response

The response shows the newly created access grant with its ID.
Update an access grant with a data access policy

This mutation updates an existing access grant to add or change the data access policy.

Sample mutation

  authorizationManagementUpdateAccess(
  accountAccessGrant: { dataAccessPolicyId: "YOUR_DATA_POLICY_ID" }

Parameter | Description
ids | Required. The grant ID to update.
dataAccessPolicyId | Required. The data access policy ID to apply to the grant.
Sample response

  "authorizationManagementUpdateAccess": {
  "id": "YOUR_DATA_POLICY_ID"

Response field | Description
grants | List of updated grants.
dataAccessPolicy.id | The ID of the data access policy now assigned to the grant.
id | The ID of the updated grant.
Revoke an access grant with a data access policy

This mutation removes an access grant that includes a data access policy.

Sample mutation

  authorizationManagementRevokeAccess(
  accountId: YOUR_ACCOUNT_ID
  dataAccessPolicyId: "YOUR_DATA_POLICY_ID"

Parameter | Description
accountId | Required. The account ID of the grant to revoke.
dataAccessPolicyId | Required. The data access policy ID of the grant to revoke.
roleId | Required. The role ID of the grant to revoke.

Response

The response shows the revoked access grant with its ID.