Immuta Permissions and Personas
Permissions are a system-level mechanism that controls what actions a user is allowed to take through the Immuta API and UI.
Permissions can be added to any user by a user admin (any user with the USER_ADMIN permission), but the permissions themselves are managed by Immuta and cannot be added or removed in the Immuta UI; however, custom permissions can be created on the app settings page.
The table below shows which Immuta permissions map to each Immuta persona.
| Persona | Permissions | Description |
|---|---|---|
| Application admins | APPLICATION_ADMIN | These users have access to the administrative actions for the configuration of Immuta. They can |
| Auditors | AUDIT | These users can access audit logs for their entire organization. Data owners can view audit logs for the data sources they own. |
| Data governors | GOVERNANCE | Data governors set global policies within Immuta, meaning they can restrict the ways that data is used within Immuta across multiple projects and data sources. Governors can also set purpose-based usage restrictions on projects, which can help limit the ways that data is used within Immuta. By default, governors can subscribe to data sources; however, this setting can be disabled on the app settings page to remove the governor's ability to create or subscribe to data sources. Additionally, users can be a governor and admin simultaneously by default, but this setting can also be changed to render the governor and admin roles mutually exclusive. |
| Data owners | To be a data owner, a user must have one of the following Immuta permissions or be manually assigned ownership of a data source: | For data to be available in the Immuta platform, a data owner — the individual or team responsible for the data — needs to connect their data to Immuta. Once data is connected to Immuta, that data is called a data source. In the process of creating a data source, data owners are able to set policies on their data that restrict which users can access the data source, which rows within the data a user can access, and which columns within the data a user can see. Data owners can also view the audit page in Immuta, but they are limited to only viewing records related to the data sources they own. |
| Data users | Users do not need any permissions assigned to them to subscribe to data sources. However, they can have any of the Immuta permissions described below: | Data users query data that’s been made available through Immuta. |
| Project managers | PROJECT_MANAGEMENT | Project managers oversee projects by creating, approving, or denying purposes in projects and adding and removing project data sources. |
| User admins | USER_ADMIN | These users have access to the administrative actions for managing users in Immuta. They can |
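The following is an added illustration of the persona model described in the table; it is not Immuta's own code or API. The permission names (APPLICATION_ADMIN, AUDIT, GOVERNANCE, PROJECT_MANAGEMENT, USER_ADMIN) come from the table, but the `User` and `AppSettings` classes, the function names, the two setting flags standing in for the app-settings toggles, the choice that "admin" in the mutual-exclusivity setting means APPLICATION_ADMIN, and the sample audit records are all assumptions made for the example. It shows how personas are derived from permissions, why only a USER_ADMIN holder may grant permissions, how the governor-related settings change what a user may do, and how audit visibility differs between an auditor (whole organization) and a data owner (only owned data sources).

```python
"""Illustrative model of Immuta personas and permissions (added example, not Immuta code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Persona granted by holding a given system permission (taken from the table above).
PERSONA_BY_PERMISSION = {
    "APPLICATION_ADMIN": "Application admin",
    "AUDIT": "Auditor",
    "GOVERNANCE": "Data governor",
    "PROJECT_MANAGEMENT": "Project manager",
    "USER_ADMIN": "User admin",
}


@dataclass
class User:
    """Assumed representation of a user: a name, permission set and owned data sources."""
    name: str
    permissions: set[str] = field(default_factory=set)
    # Data sources this user was manually assigned ownership of (assumed field).
    owned_data_sources: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AppSettings:
    """Assumed stand-ins for the two app-settings toggles mentioned in the table."""
    governors_can_subscribe: bool = True
    governor_admin_mutually_exclusive: bool = False
    # The page only says "admin"; which permission that means is an assumption here.
    admin_permission: str = "APPLICATION_ADMIN"


def personas(user: User) -> set[str]:
    """Derive the personas a user holds from their permissions and ownerships."""
    roles = {PERSONA_BY_PERMISSION[p] for p in user.permissions if p in PERSONA_BY_PERMISSION}
    # Custom permissions created on the app settings page map to no built-in persona.
    if user.owned_data_sources:
        roles.add("Data owner")
    # Subscribing to data sources needs no permission, so every user is a data user.
    roles.add("Data user")
    return roles


def can_grant(actor: User) -> bool:
    """Only a user admin (anyone holding USER_ADMIN) may add permissions to users."""
    return "USER_ADMIN" in actor.permissions


def grant_permission(actor: User, target: User, permission: str) -> None:
    """Add a permission to target, refusing when the actor is not a user admin."""
    if not can_grant(actor):
        raise PermissionError(f"{actor.name} lacks USER_ADMIN and cannot grant {permission}")
    target.permissions.add(permission)


def can_subscribe(user: User, settings: AppSettings) -> bool:
    """Governors may subscribe to data sources unless that ability has been disabled."""
    if "GOVERNANCE" in user.permissions and not settings.governors_can_subscribe:
        return False
    return True


def settings_violations(user: User, settings: AppSettings) -> list[str]:
    """Report permission combinations the configured app settings do not allow."""
    problems = []
    if settings.governor_admin_mutually_exclusive and \
            {"GOVERNANCE", settings.admin_permission} <= user.permissions:
        problems.append(f"{user.name} holds both GOVERNANCE and {settings.admin_permission}")
    return problems


def visible_audit_records(user: User, records: list[dict]) -> list[dict]:
    """Auditors see the whole organization's log; data owners only their own sources."""
    if "AUDIT" in user.permissions:
        return list(records)
    return [r for r in records if r["data_source"] in user.owned_data_sources]


# Constructed sample audit records (not real Immuta audit output).
AUDIT_LOG = [
    {"event": "query", "data_source": "hr.salaries", "actor": "dana"},
    {"event": "query", "data_source": "sales.orders", "actor": "eve"},
    {"event": "policy_change", "data_source": "hr.salaries", "actor": "gov"},
]

if __name__ == "__main__":
    user_admin = User("alice", {"USER_ADMIN"})
    owner = User("bob", owned_data_sources={"hr.salaries"})
    grant_permission(user_admin, owner, "PROJECT_MANAGEMENT")
    print(sorted(personas(owner)))
    print(visible_audit_records(owner, AUDIT_LOG))
```

Running the block prints the owner's personas (data owner, data user, project manager) and the two audit records for `hr.salaries`; an auditor would see all three. The permission-to-persona path for data owners is deliberately not modelled, since the table's list of qualifying permissions is not present on this page.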
See Manage personas and permissions for guidance on adding and removing permissions.