Subscription Policies Reference Guide
Once a subscription policy is applied to a data source, Immuta users must be subscribed to that data source to access the data. The subscription policy determines who can request access and has one of four possible restriction levels:
- Anyone: Users will automatically be granted access (least restricted).
- Anyone who asks (and is approved): Users will need to request access and be granted permission by the configured approvers (moderately restricted).
- Users with specific groups or attributes: Only users with the specified groups/attributes will be able to see the data source and subscribe (moderately restricted). This restriction type is referred to as an attribute-based access control (ABAC) global subscription policy throughout this page.
- Individual users you select: The data source will not appear in search results; data owners must manually add/remove users (most restricted).
See Write a Global Subscription Policy for a tutorial.
Default Subscription Policy
By default, Immuta does not apply subscription policies to data sources when you create them. This behavior ensures that existing policies in your remote data platform remain on that data and that current workflows stay intact. However, you can change this default setting on the App Settings page so that data sources are immediately locked down when data is registered in Immuta.
For details, see the default subscription policy page.
Global Subscription Policy Conflicts
In some cases, multiple global subscription policies created by a data governor may apply to a single data source.
When two or more global subscription policies of the restriction levels listed below apply to the same data source they may conflict:
- Anyone
- Anyone who asks (and is approved)
- Individual users you select
When such conflicts occur, data owners can manually choose which policy will apply. To do this the data owner must
-
Disable the applied global subscription policy in the policies tab on a data source.
-
Provide a reason the global policy should be disabled.
-
Select which conflicting global subscription policy they want to apply.
ABAC Global Subscription Policies
You can build ABAC global subscription policies in Immuta by selecting the users with specific groups or attributes restriction level. These policies will automatically subscribe users who possess the user entitlements specified in the policy.
For instructions on creating these policies, see the ABAC subscription policy guide.
Combining ABAC Global Subscription Policies
In some cases, multiple ABAC global policies may apply to a single data source. Rather than allowing the two policies to conflict, Immuta combines the conditions of the subscription policies.
When creating a users with specific groups or attributes global policy, data governors select whether the global subscription policy should be
-
Always Required: Users must meet all the conditions outlined in each policy to get access (i.e., the conditions of the policies are combined with
AND
). -
Share Responsibility: Users need to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with
OR
).
Consider the following global subscription policies created by a data governor:
- Policy 1: (Always Required) Allow users to subscribe to the data source when user is a member of group HR; otherwise, allow users to subscribe when approved by an Owner of the data source.
- Policy 2: (Shared Responsibility) Allow users to subscribe to the data source when user is a member of group Analytics; otherwise, allow users to subscribe when approved by anyone with permission Governance.
- Policy 3: (Shared Responsibility) Allow users to subscribe to the data source when user has attribute Office Location Ohio; otherwise, allow users to subscribe when approved by anyone with permission Audit.
If a data owner creates a data source and all of these policies apply, the subscription policies are combined, so the subscribing user must meet the requirements of the Always Required policy and the requirements of at least one of the Shared Responsibility policies to get access to the data source.
By default, users must meet all the conditions outlined in each global subscription policy that has been combined on a
data source to get access (i.e., the conditions of the policies are combined with
AND
). However, governors can opt to check the Shared Responsibility box if they would like
users to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined
with OR
).
Once enabled on a data source, combined global subscription policies can be edited and disabled by data owners.
ABAC Global Subscription Policies Using Advanced DSL
Users can create more complex policies using functions and variables in the advanced DSL policy builder than the subscription policy builder allows.
After an application admin has enabled Enhanced Subscription Policy Variables (Public Preview), data governors and owners can create global subscription policies using all the functions and variables outlined below.
Variable/Function | Description | Example |
---|---|---|
@database | Users who have an attribute key that matches a database will be subscribed to the data source(s) within the database. | @hasAttribute('SpecialAccess', '@hostname.@database.*'): If a user had the attribute SpecialAccess.us-east-1-snowflake.default.* , they would get subscribed to all the data sources in the default database. |
@hasAttribute('Attribute Name', 'Attribute Value') | Users who have the specified attribute are subscribed to the data source. | @hasAttribute('Occupation', 'Manager'): Any user who has the attribute Occupation and the attribute key Manager will be subscribed to the data source(s). |
@hasTagAsAttribute('Attribute Name', 'dataSource' or 'column' ) | Users who have an attribute key that matches a tag on a data source or column will be subscribed to that data source. | @hasTagAsAttribute('PersonalData', 'dataSource'): Users who have the attribute key PersonalData with the values Discovered.PII ,Discovered.Entity would be subscribed to Data Source 1, which is tagged:[Discovered.Identifier Direct ,Discovered.PHI ,Discovered.PII ] and Data Source 2, which is tagged:[Discovered.Identifier Direct ,Discovered.PCI ,Discovered.Entity ]. However, they would not be subscribed to Data Source 3, which is tagged: [Discovered.Identifier Direct ,Discovered.PHI ,Discovered.Country ]. |
@hasTagAsGroup('dataSource' or 'column' ) | Users who are members of a group that matches a tag on a data source or column (respectively) will be subscribed to that data source. | @hasTagAsGroup('dataSource'): If Data Source 1 has the tags NewHire and Interns applied, users who are members of the groups New Hire or Interns would be subscribed to Data Source 1. |
@hostname | Users who have an attribute key that match a hostname will be subscribed to the data source(s) with that hostname. | @hasAttribute('SpecialAccess', '@hostname.*'): If a user had the attribute SpecialAccess.us-east-1-snowflake.* , they would get subscribed to all the data sources with the us-east-1-snowflake hostname. |
@iam | Users who sign in with the IAM with the specified ID (ID that displays on the App Settings page) will be subscribed to the data source. | @iam == 'oktaSamlIAM': Any user whose IAM ID is oktaSamlIAM can be subscribed to the data source. |
@isInGroups('List', 'of', 'Groups') | Users who are members of the specified group(s) can be subscribed to the data source. | @isInGroups('finance','marketing','newhire'): Users who are members of the groups finance , marketing , or newhire can be subscribed to the data source. |
@schema | Users who have an attribute key that match this schema will be subscribed to the data source(s) under that schema. | @hasAttribute('SpecialAccess', '@hostname.@database.@schema'): If a user had the attribute SpecialAccess.us-east-1-snowflake.default.public.* , they would get subscribed to all the data sources under the public schema. |
@table | Users who have an attribute key that match this table will be subscribed to the data source(s). | @hasAttribute('SpecialAccess', '@hostname.@database.@schema.@table'): If a user had the attribute SpecialAccess.us-east-1-snowflake.default.public.credit_transactions , they would get subscribed to the credit_transactions data source. |
Manual Approvals
Users can specify more than one level of criteria for the ABAC global subscription policy. Specifically, users can combine manual approvals with an ABAC subscription policy.
After a user selects Users with Specific Groups/Attributes in the global subscription policy builder, they can also enable Request Approval to Access. Selecting this option allows users to request access to a data source and be manually approved by a specified user, even if the requesting user does not meet the group or attribute conditions in the policy. By allowing an approval workflow as an alternative method of access if a user does not meet the ABAC conditions, this feature can reduce the number of policies required and allow more flexibility in approval workflows.
See Global Subscription Policy Merging for a tutorial.
Manually added users will now see data regardless of meeting policy conditions.
In previous versions of Immuta, users who had been manually subscribed to a data source could not see any data. Now, these manually added users will see data even though they don't meet the ABAC conditions in the policy. Governors can change the behavior by switching the subscription policy to auto-subscribe (which removes any users who don't meet the subscription policy) or by adding a data policy that redacts rows for users who do not have the groups or attributes specified in the subscription policy.
Additional Policy Options
Beyond Request Approval to Access, these options are also available:
-
Allow Data Source Discovery: Users can still see that this data source exists in Immuta, even if they do not have these attributes and groups. This option will automatically be selected and locked if users select Request Approval to Access.
Note: When these policies merge, if one or more policies do not have discovery enabled, then approvals will be removed from the final merged policy.
-
Require Manual Subscription: Users will not be automatically subscribed to the data source. They must manually subscribe to gain access.
Conditions for Policy Merges
Governors must also select how this policy should be merged with other policies that apply to the same data source:
-
Always Required: Users must always meet this condition, no matter what other policies apply (it will be AND'ed with other policies that apply to the data source) or
-
Share Responsibility: Users need to meet the conditions in this policy OR another share responsibility policy that applies to the data source. (It will be OR'ed with other shared responsibility policies that apply.)