The following example shows how to create an authorization tag using the CreateAuthTag() method:
USING OpenEdge.DataAdmin.*.

VAR DataAdminService oDAS.
VAR IAuthTag oTag.
VAR IRole oRole.
VAR IGrantedRole oGRole. 
VAR LOGICAL lResult.

ASSIGN oDAS = NEW DataAdminService(LDBNAME("DICTDB"))
  /* Create the role if it does not yet exist */
  oRole = oDAS:NewRole("TestRole")
  oRole:Description = "User with data masking"
  /* This must be a DDM role as we will be assigning Auth Tags */
  oRole:IsDDM = TRUE
  lResult = oDAS:CreateRole(oRole).

oGRole = oDAS:NewGrantedRole(). 
oGRole:Role = oDAS:GetRole("TestRole").
oGRole:Grantee = SUBSTITUTE("&1@&2", oDAS:GetUser("user1"):Name, 
  oDAS:GetUser("user1"):Domain:Name). // Already existing user1 
oGRole:CanGrant = FALSE. // Cannot grant to others. 
oDAS:CreateGrantedRole(oGRole).
oTag = oDAS:NewAuthTag("#DDM_SEE_ContactInfo"). 
oTag:RoleName = oDAS:GetRole("TestRole"):Name. 
oTag:description = "Can see contact info".
lResult = oDAS:CreateAuthTag(oTag).