Identity Managers

Audience: System Administrators

Content Summary: Any number of identity managers can be configured and enabled for an instance of Immuta. Each identity manager has a specific set of configurations that enable it to communicate with the IAM and map the users, permissions, groups, and authorizations into Immuta.

This page contains general information about configuring default permissions and supported actions for IAMs, configuring enterprise identity managers for authentication and authorization in Immuta, hiding the built-in Immuta IAM, and implementing custom IAM integrations.

For information about specific identity managers, navigate to the following sections: Built-in (Immuta) Identity Manager, Active Directory, LDAP, and OAuth2.

Default Permissions

Each identity manager supports the configuration of default permissions. This configuration setting controls what permissions each user who logs in receives by default. These permissions are applied the first time each user logs in, and any changes to the default permissions will only apply to new users.

The list can contain any valid permissions or can be empty. In the case where the default permissions are empty, new users will receive no special permissions in Immuta and an administrator will need to grant them any permissions that they need.

In the example below, users logging in to Immuta for the first time using the LDAP IAM will be granted two permissions: CREATE_DATA_SOURCE and CREATE_PROJECT.

plugins:
  ldap:
    id: ldap
    plugin: ldap
    displayName: LDAP IAM
    type: ldap

    defaultPermissions:
      - CREATE_DATA_SOURCE
      - CREATE_PROJECT

Supported Actions

Identity managers can be configured for authentication only, group synchronization, authorization synchronization, or group and authorization synchronization:

  • supportedActions: []: Authentication only. Users log in with the identity manager backend. User profile information (name, email, location, etc.) can be populated, but no groups or authorizations will be synced back. Immuta's built-in groups and authorizations can be assigned to the user.
  • supportedActions: ['syncGroups']: In addition to authentication and profile information, user groups will be populated from the identity manager, and Immuta's built-in authorizations can be assigned to the user.
  • supportedActions: ['syncAuthorizations']: User authentication, profile, and authorizations will be synced from the identity manager backend.
  • supportedActions: ['syncGroups', 'syncAuthorizations']: User authentication, profile, groups, and authorizations will be synced from the identity manager backend.

In the example below, the IAM will be used for authentication and group syncing.

plugins:
  ldap:
    id: ldap
    plugin: ldap
    displayName: LDAP IAM
    type: ldap
    supportedActions: ['syncGroups']

Using an Enterprise Identity Manager for Authentication and Authorization

Identity Managers that support groups and authorizations can be used as a full-scope solution in Immuta. To configure your identity manager for authentication and authorization, set the supportedActions field in your Immuta config.yml file to include syncGroups and syncAuthorizations. With this configuration, groups and authorization values from your identity manager can be used to broker access to Projects and Data Sources in Immuta. They can also be used to drive Policies.

If you wish, you can set supportedActions to only include syncGroups or syncAuthorizations. If excluded from supportedActions, groups or authorizations can still be managed separately through the built-in Immuta Identity Manager.

Example Configuration Snippets

Groups and Authorizations:

# config.yml
# ...
plugins:
  activeDirectoryIAM:
    displayName: Active Directory
    type: ldap
    supportedActions: ['syncGroups', 'syncAuthorizations']

Groups Only:

# config.yml
# ...
plugins:
  activeDirectoryIAM:
    displayName: Active Directory
    type: ldap
    supportedActions: ['syncGroups']

Authorizations Only:

# config.yml
# ...
plugins:
  activeDirectoryIAM:
    displayName: Active Directory
    type: ldap
    supportedActions: ['syncAuthorizations']

Using an Enterprise Identity Manager for Authentication and the Immuta Identity Manager for Authorization

If an enterprise identity manager does not support groups or authorizations, or the administrator simply wants to manage those entities within Immuta, the Immuta IAM can be combined with the enterprise identity manager authentication to provide a custom solution.

To configure your enterprise identity manager for authentication only, set the supportedActions field in your Immuta config.yml file to an empty list. With this configuration, groups and authorization values managed within Immuta can be used to broker access to Projects and Data Sources. They can also be used to drive Policies.

Example Configuration Snippet

# config.yml
# ...
plugins:
  activeDirectoryIAM:
    displayName: Active Directory
    type: ldap
    supportedActions: []

Using the Immuta Identity Manager for Authentication and Authorization

The Immuta IAM can be used as a complete solution for authentication and authorization. Groups and authorization values within the Immuta IAM can be used to broker access to Projects and Data Sources. They can also be used to drive Policies.

The Immuta IAM is enabled by default, so there are no additional configuration options needed to support this mode.

Hiding the Built-in Identity Manager

Once you have configured Immuta with an additional identity manager, you may want to hide the built-in Immuta option from the login screen. You can do this by setting the hideBim option in the Immuta configuration.

client:
  hideBim: true

If your only admin account was created using the built-in identity manager, make sure that you assign the ADMIN permission to a user from your configured IAM.
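As an added example (not Immuta's own code or tooling), the check below validates the two settings discussed above, supportedActions and hideBim, against a parsed config.yml and a list of users: it flags misspelled sync actions, ADMIN in defaultPermissions, and the lock-out case where hideBim is true but no ADMIN exists outside the built-in IAM. The config is written as a Python dict so it runs without a YAML library; the built-in IAM id "bim" and the user records are constructed assumptions.

```python
VALID_ACTIONS = {"syncGroups", "syncAuthorizations"}


def lint_iam_config(config, users, builtin_iam_id="bim"):
    """Return a list of findings; an empty list means the IAM config passed.

    config is the parsed form of config.yml; users is a list of dicts with
    name, iam and permissions. builtin_iam_id is an assumed id for the
    built-in Immuta IAM (not taken from the page).
    """
    findings = []
    for name, plugin in config.get("plugins", {}).items():
        # supportedActions only has two valid values; a typo silently
        # changes what gets synced from the identity manager.
        for action in plugin.get("supportedActions", []):
            if action not in VALID_ACTIONS:
                findings.append(f"{name}: unknown supportedAction {action!r}")
        # defaultPermissions are granted on every first login, so ADMIN
        # here would make every new user an administrator.
        if "ADMIN" in plugin.get("defaultPermissions", []):
            findings.append(f"{name}: ADMIN granted by default to all new users")
    # Hiding the built-in IAM with no ADMIN elsewhere locks administrators out.
    if config.get("client", {}).get("hideBim"):
        external_admins = [u["name"] for u in users
                           if "ADMIN" in u["permissions"] and u["iam"] != builtin_iam_id]
        if not external_admins:
            findings.append("client.hideBim is true but no ADMIN exists outside the built-in IAM")
    return findings

# Constructed config: parsed form of a config.yml like the snippets on this
# page, with one deliberate misspelling in supportedActions.
SAMPLE_CONFIG = {
    "client": {"hideBim": True},
    "plugins": {
        "ldap": {
            "id": "ldap", "plugin": "ldap", "displayName": "LDAP IAM", "type": "ldap",
            "supportedActions": ["syncGroups", "syncAuthorisations"],
            "defaultPermissions": ["CREATE_DATA_SOURCE", "CREATE_PROJECT"],
        },
    },
}

# Constructed user list: only the built-in account holds ADMIN.
SAMPLE_USERS = [
    {"name": "admin", "iam": "bim", "permissions": ["ADMIN"]},
    {"name": "alice", "iam": "ldap", "permissions": ["CREATE_PROJECT"]},
]

if __name__ == "__main__":
    for finding in lint_iam_config(SAMPLE_CONFIG, SAMPLE_USERS):
        print(finding)
```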

Custom IAM Integrations

Immuta's IAM connections are built with a pluggable NodeJS architecture. This architecture allows rapid development of a custom IAM integration to suit your specific needs.

If you plan to implement a custom IAM integration, contact your Immuta support professional for required source code access, full API documentation, and implementation guidance.