Permission and Authorization Overview
Audience: System Administrators
Content Summary: System Administrators are responsible for managing users and their permissions, authorizations, and groups. This page defines and explains how permissions, authorizations, and groups work in Immuta.
For tutorials on managing users, permissions, authorizations, and groups, navigate to the Identity Managers section.
Permissions are a system-level mechanism that control what actions a user is allowed to take. These are applied to
both the API and UI actions.
Permissions can be added to any user by a System Administrator (any user with the
ADMIN permission), but the permissions
themselves are managed by Immuta and cannot be added or removed in the Immuta UI; however, custom permissions
can be created in the Immuta Configuration Builder.
- APPLICATION_ADMIN: Gives the user access to administrative actions for the configuration of Immuta. These actions include
- Adding external IAMs.
- Adding ODBC drivers.
- Adding external catalogs.
- Configuring email settings.
- USER_ADMIN: Gives the user access to administrative actions for managing users in Immuta. These include
- AUDIT: Gives the user access to the audit logs.
- CREATE_DATA_SOURCE: Gives the user the ability to create data sources.
- CREATE_DATA_SOURCE_IN_PROJECT: Gives the user the ability to create data sources within a project.
- CREATE_S3_DATASOURCE: Gives the user the ability to create an S3 data source.
- CREATE_S3_DATASOURCE_WITH_INSTANCE_ROLE: When creating an S3 data source, this allows the user to the handler to assume an AWS Role when ingesting data.
- CREATE_FILTER: Gives the user the ability to create and save a search filter.
- CREATE_PROJECT: Gives the user the ability to create projects.
- FETCH_POLICY_INFO: Gives the user access to an endpoint that returns visibilities, masking information, and filters for a given data source.
- GOVERNANCE: Gives the user the ability to act as a Governor, including setting Global Policies, creating purpose-based usage restrictions on projects, and managing tags.
- IMPERSONATE_HDFS_USER: When creating an HDFS data source, this allows the user to enter any HDFS user name to use when accessing data.
Authorizations are custom tags that can be added to a user or group to restrict what data users can see. When creating a policy on a data source, you can apply the policy to any user that possesses an authorization. Authorizations can be added manually as well as mapped in from LDAP or Active Directory.
Groups function similarly to those in Active Directory and LDAP, allowing System Administrators to group a set of users together. Users can belong to any number of groups and can be added or removed from groups at any time. Similar to authorizations, groups can be used to restrict what data a set of users has access to. When creating a policy on a data source, you can apply the policy to a group, which would affect any user that belongs to the said group. Permissions cannot be applied to groups.