Below is a comprehensive list of frequently asked questions. For detailed instructions and information for each question, click on the links provided to redirect to the corresponding section in our Documentation.
To view questions categorized by user role, select one of these links:
The Immuta data control plane does not require users to learn a new API or language to access data exposed there. Immuta plugs into existing tools and ongoing work while remaining completely invisible to downstream consumers by exposing the data through these foundational access patterns: Databricks, the Immuta Query Engine, HDFS, S3, Snowflake, and SparkSQL.
Immuta is easy to integrate with many analytic and Business Intelligence tools. Click the link above to access guides for hooking Immuta into your preferred tools.
Use of Data
No. Immuta only exposes existing data to enforce policies. Immuta does not make a copy of this data, but creates a virtual reference to the data.
Immuta can leverage metadata tools, such as Collibra, Atlas, or Waterline, to pull in external catalog tags and drive global policies. For example, instead of building a local policy that masks a specific column in a specific table, Data Governors can build a global policy that is broader, such as "Mask anywhere there's PII data." In this scenario, Immuta uses the external catalog tags to determine where that PII data exists to then enforce the policy in corresponding data sources.
Data Sources and Projects
A data source is a virtual representation of data, which is exposed by Immuta according to settings created by Data Owners. These settings enable data to be accessed in a consistent manner across analytics and visualization tools.
- Click the (+) icon in the lower left corner of Immuta.
- Click the Data Sources icon.
- Follow instructions for query-backed data sources or object-backed data sources, depending on your chosen storage technology.
A list of available data sources is provided in Immuta's Web UI. Users can search for data sources by keyword, tag, organization and category in the search bar in the top left corner.
Disabling a data source essentially hides it from all users except the Data Owner.
To disable a data source, navigate to the Data Source Overview page, click on the menu icon in the upper right corner, and select Disable.
After disabling a data source, Data Owners may choose to Restore or Delete the data source.
Projects enable users to discuss their work, collaborate on data analysis, and link multiple data sources. Projects can be created by users who are interested in efficiently and logically organizing their work (Data Consumers) or users who are interested in restricting how their data is used (Data Owners).
Settings and restrictions for projects are edited from the Immuta Governance page. Only users with the
Governancepermission can access these features.
Acknowledgement Statements ensure that project members are aware of (and agree to) all Purpose-Based Restrictions before accessing the project's content. Each Purpose is associated with its own Acknowledgement Statement, so a project with multiple Purposes would require users to accept more than one Acknowledgement Statement. Immuta records whether each project member has agreed to the Acknowledgement Statement(s), the Purpose associated with the acknowledgement, the time of the acknowledgement, and the text of the acknowledgement itself. All Purposes are associated with the Default Acknowledgement Statement unless their statement has been customized.
Policies and Privacy Restrictions
Created by Governors, Global policies define how users can access all data sources across an organization. These policies can be applied to all data sources in Immuta or to specific data sources that contain tags defined by the Governor.
Created by Data Owners or Governors, Local policies define how users can access specific data sources within an organization.
Policies can be built using two methods:
Click one of the links above for detailed instructions.
Governors have the ability to create tags in the Governance section of the Immuta UI. Data Owners can apply these tags to their data sources and/or specific columns within data sources.
You can pull external tags that you had previously defined in an external catalog (e.g. Collibra, Apache Atlas, etc.) from the Governance page.
Purpose-based restrictions can be created by the Immuta Governor or Project Owners. For Data Governors, these restrictions are managed on the Governance page. For Project Owners, these restrictions are created on the My Projects page.
Data Owners can manage user roles by clicking the Manage tab on the Data Source Overview page.
Any number of Identity Managers can be configured and enabled for an instance of Immuta. Each Identity Manager has a specific set of configurations that enable it to communicate with the IAM and map the users, permissions, groups, and attributes into Immuta. Available Identity Managers include Built-in (Immuta), Active Directory, LDAP, and OAuth2.
Typically management is delegated to your organization's existing IAM system through Immuta's pluggable interface. However, if your organization opts to use the default Immuta Identity Manager, this IAM is managed in the
Adminsection of the Immuta UI.
Audit Logs and Immuta Reports
Immuta provides a detailed audit record of all user activity in the Immuta UI and query activity through Immuta's data access patterns. A basic UI is available for Audit Log analysis. However, most customers forward audit records to an enterprise system for monitoring, analysis, and visualization.
Immuta gives users with the
Auditpermission access to all of these logs through the Audit page. To view all of the audit logs, click on the Audit icon in the left side panel. To filter results, follow the instructions provided in the link above.
Immuta's Reports function allows instantaneous creation of reports that detail user activity across Immuta. Only users with the
Governancepermission can access this feature.
Installation and Integration
Immuta can run on a single Linux server or on a cluster of such servers. Cluster management is built into Immuta, and administering an Immuta cluster is more like managing a virtual appliance than a distributed system. Additionally, the standard cluster installation is preconfigured with high availability, scalability, and resource scheduling. For full technical details on the standard installation and other installation types, click on the link above.
Most calls to the HTTP API require authentication. All requests must include a valid token in the
AuthorizationHTTP header in order to be considered an authenticated request. In order to obtain a bearer token, you must first authenticate with Immuta using an enabled authentication method. This token should be used for multiple requests until it expires. Once a token has expired, you must authenticate again to get a new token. For authentication request examples, parameters, and endpoints, click the link above.
The built-in IAM HTTP API allows you to programmatically access information about users, group memberships, and attributes. Click the link above to redirect to the section of Documentation that describes the API to manage these settings. Please note that most of the actions described in this section require ADMIN permissions.
The Immuta data source metadata contains all of the details about your data sources. Click the link above to redirect to the section of Documentation that describes the API to search all of your data sources.
A custom policy handler allows you to create complex data access rights that aren’t supported through the Immuta UI policy builder. Click on the link above for a description of how to create policy handlers.