Subscription Policies Reference Guide
Subscription Policies in Immuta are managed and applied to data sources and projects by Data Owners and Governors to restrict access to data. Subscription Policies can be applied as Local Policies or Global Policies.
To access a data source, Immuta users must first be subscribed to that data source. A Subscription Policy determines who can request access and has one of four possible restriction levels:
- Anyone: Users will automatically be granted access (Least Restricted).
- Anyone Who Asks (and is Approved): Users will need to request access and be granted permission by the configured approvers (Moderately Restricted).
- Users with Specific Groups/Attributes: Only users with the specified groups/attributes will be able to see the data source and subscribe (Moderately Restricted).
- Individual Users You Select: The data source will not appear in search results; data owners must manually add/remove users (Most Restricted).
For a tutorial on managing Subscription Policies, navigate to the Data Owner Guide.
Combining Global Subscription Policies
In some cases, multiple Global Subscription Policies created by a Data Governor may apply to a single data source. Rather than having the two policies conflict, the conditions of the Subscription Policies are combined, as illustrated below.
Data Governors select whether the Global Subscription policy should be:
- Always Required: Users must meet all the conditions outlined in each policy to get access (i.e., the conditions of the policies are combined with AND).
- Shared Responsibility: Users need to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with OR).
Consider the following Global Subscription Policies created by a Data Governor on the same data source:
- Policy 1: (Always Required) Allow users to subscribe to the data source when user is a member of group HR; otherwise, allow users to subscribe when approved by an Owner of the data source.
- Policy 2: (Shared Responsibility) Allow users to subscribe to the data source when user is a member of group Analytics; otherwise, allow users to subscribe when approved by anyone with permission Governance.
- Policy 3: (Shared Responsibility) Allow users to subscribe to the data source when user has attribute Office Location Ohio; otherwise, allow users to subscribe when approved by anyone with permission Audit.
If a Data Owner creates a data source and all of these policies apply, the user must meet the requirements of the Always Required policy and the requirements of at least one of the Shared Responsibility policies. Instead of having a conflict, the Subscription Policies are combined.
By default, users must meet all the conditions outlined in each Global Subscription policy that has been combined on a data source to get access (i.e., the conditions of the policies are combined with AND). However, Governors can opt to check the Shared Responsibility box if they would like users to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with OR).
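The combination rule described above, modeled with Policies 1 to 3 as an added illustration; this is not Immuta's code or API. The class and function names are hypothetical, the sample users are constructed, and the model assumes a policy counts as met either by its group/attribute condition or by approval from the approver it names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class User:
    groups: frozenset = frozenset()
    attributes: frozenset = frozenset()  # (name, value) pairs
    approvals: frozenset = frozenset()   # approver kinds that approved the request

@dataclass(frozen=True)
class GlobalPolicy:  # hypothetical model, not an Immuta object
    name: str
    always_required: bool                # False means Shared Responsibility
    approver: str                        # the "otherwise ... approved by" fallback
    group: Optional[str] = None
    attribute: Optional[Tuple[str, str]] = None

    def met_by(self, user: User) -> bool:
        # Assumption: met by the condition OR by the named approver's approval.
        return (self.group in user.groups
                or self.attribute in user.attributes
                or self.approver in user.approvals)

def can_subscribe(user, policies):
    required = [p for p in policies if p.always_required]
    shared = [p for p in policies if not p.always_required]
    # Always Required policies are ANDed; Shared Responsibility policies are ORed.
    return all(p.met_by(user) for p in required) and (
        not shared or any(p.met_by(user) for p in shared))

POLICIES = [
    GlobalPolicy("Policy 1", True, "Owner", group="HR"),
    GlobalPolicy("Policy 2", False, "Governance", group="Analytics"),
    GlobalPolicy("Policy 3", False, "Audit", attribute=("Office Location", "Ohio")),
]

OHIO = frozenset({("Office Location", "Ohio")})
USERS = {  # constructed sample users
    "hr_analyst": User(groups=frozenset({"HR", "Analytics"})),
    "hr_ohio": User(groups=frozenset({"HR"}), attributes=OHIO),
    "analytics_ohio": User(groups=frozenset({"Analytics"}), attributes=OHIO),
    "hr_only": User(groups=frozenset({"HR"})),
    "approved": User(approvals=frozenset({"Owner", "Audit"})),
}

def demo():
    return {name: can_subscribe(u, POLICIES) for name, u in USERS.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'can subscribe' if ok else 'denied'}")
```

The `analytics_ohio` user satisfies both Shared Responsibility policies and is still denied, because nothing satisfies the Always Required policy.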
Once enabled on a data source, Global Subscription Policies can be edited and disabled by Data Owners. See the Local Policy Builder Tutorial for instructions.
Global Subscription Policy Conflicts
When two or more Global Subscription policies from the following list apply to the same data source, they may conflict: Anyone, Anyone Who Asks (and is Approved), and Individual Users You Select. Because the Data Owners know their data the best, each has the ability to manually choose which policy will apply when there is a conflict. To do this, the Data Owner must:
- Disable the applied Global Subscription policy in the Policies Tab on a data source.
- Provide a reason the Global Policy should be disabled.
- Select which conflicting Global Subscription policy they want to apply.