System Administrator Introduction to Immuta
Audience: System Administrators
Content Summary: This section introduces System Administrators, both User Admins and Application Admins, to the Immuta platform and supports them in managing users, groups, attributes, permissions, and installation and configuration of Immuta.
This page introduces Immuta as a whole. The rest of this section consists of conceptual pages, which define major features and terms, and tutorial pages, which provide step-by-step instructions for managing users, groups and attributes, permissions, and installation.
- User Impersonation Tutorial
- Application Settings Tutorial
- Query Engine Authentication
- Immuta HDFS Principals Tutorial
- ODBC Drivers Tutorial
- HA Database Configuration Changes Tutorial
- External Catalogs Configurations
- Identity Managers Tutorials
Immuta: A Single Access Point
The Immuta platform solves two of the largest issues facing data-driven organizations: access and governance. In large organizations, it can be difficult, if not impossible, for data scientists to access all the data they need. Once they do get access, it’s often difficult to make sure they use the data in ways that are compliant.
The Immuta platform is meant to solve both problems by providing a single, unified access point for data across an organization and ensuring that all restrictions placed on data are dynamically enforced through the platform. Because the Immuta platform unifies access to data, governing that access is of primary concern. Implemented properly, the Immuta platform can ensure that only the right people see the right data under the right conditions.
Immuta User Roles
User roles in Immuta are fluid and interdependent, and understanding these different roles is essential to effectively sharing, analyzing, and protecting data and maintaining compliance.
Data Owners: In order for data to be available in the Immuta platform, a Data Owner — the individual or team responsible for the data — needs to connect their data to Immuta. Once data is connected to Immuta, that data is called a data source. In the process of creating a data source, Data Owners are able to set policies on their data source that restrict which users can access it, which rows within the data a user can access, and which columns within the data source are visible or masked. Data Owners can also decide whether to make their data source public, which makes it available for discovery to all users in the Immuta Web UI, or private, which means only the Data Owner and its assigned subscribers know it exists.
Data Users: Data Users consume the data that’s been made available through Immuta. Data Users can browse the Immuta Web UI seeking access to data and easily connect their third-party data science tools to Immuta.
Project Owners: These users create their own projects, either to restrict how their data will be used through purpose-based restrictions or to organize their data sources efficiently.
Governors: Governors set Global Policies within Immuta, meaning they can restrict the ways that data is used within Immuta across multiple projects and data sources. Governors can also set purpose-based usage restrictions on projects, which can help limit the ways that data is used within Immuta. By default, Governors can subscribe to data sources; however, this setting can be disabled in the Immuta Configuration, removing the Governor's ability to create or subscribe to data sources. Additionally, users can be a Governor and Admin simultaneously by default, but this setting can also be changed in the Configuration Builder, rendering the Governor and Admin roles mutually exclusive.
Application Admins: Application Admins manage the configuration of Immuta for their organization. These users can configure Immuta to use external identity managers and catalogs, enable or disable data handlers, adjust email and cache settings, generate system API keys, and manage various other advanced settings.
User Admins: Another type of System Administrator is the User Admin, who is able to manage the permissions, attributes, and groups that attach to each user. Permissions are only managed locally within Immuta, but groups and attributes can be managed locally or derived from user management frameworks such as LDAP or Active Directory that are external to Immuta. By default, Admins can subscribe to data sources; however, this setting can be disabled in the Immuta Configuration, removing the Admin's ability to create or subscribe to data sources. Additionally, users can be an Admin and Governor simultaneously by default, but this setting can also be changed in the Configuration Builder, rendering the Admin and Governor roles mutually exclusive.
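The roles above describe an access-control model in which Data Owners set subscription, row and column policies on a data source, Governors layer Global Policies and purpose-based restrictions on top, and the configuration decides whether the Governor and Admin roles may be held together. The following is an added toy model of that enforcement order, written for this page; it is not Immuta's own code or API, and the names `User`, `DataSource`, `Project`, `GlobalPolicy`, `query`, and the sample rows are all constructed for illustration.

```python
"""Toy model of the Immuta access concepts described above.
Constructed example for this page; not Immuta's own code or API."""
from dataclasses import dataclass, field
from typing import Callable, Optional

MASK = "****"  # value substituted for a masked column


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)         # e.g. {"Governor"}; hypothetical role names
    attributes: dict = field(default_factory=dict)  # e.g. {"country": "US"}, local or from an IAM
    purpose: Optional[str] = None                   # purpose the user is acting under, if any


@dataclass
class DataSource:
    name: str
    owner: str
    rows: list
    public: bool = True                                        # discoverable by everyone?
    subscribers: set = field(default_factory=set)              # users granted access by the owner
    masked_columns: set = field(default_factory=set)           # owner's column policy
    row_filter: Optional[Callable[[User, dict], bool]] = None  # owner's row-level policy


@dataclass
class Project:
    name: str
    data_sources: set
    allowed_purposes: set  # purpose-based restriction on the project


@dataclass
class GlobalPolicy:
    masked_columns: set  # Governor's column policy, applied to every data source


class AccessDenied(Exception):
    pass


def check_role_exclusivity(user, governor_admin_exclusive):
    """Mirrors the configuration setting that makes Governor and Admin mutually exclusive."""
    if governor_admin_exclusive and {"Governor", "Admin"} <= user.roles:
        raise ValueError(f"{user.name}: Governor and Admin roles are configured as mutually exclusive")


def can_discover(user, ds):
    """Public data sources are visible to all; private ones only to the owner and subscribers."""
    return ds.public or user.name == ds.owner or user.name in ds.subscribers


def query(user, ds, global_policies, project=None):
    """Apply subscription, purpose, row and column policies in that order; return visible rows."""
    if user.name != ds.owner and user.name not in ds.subscribers:
        raise AccessDenied(f"{user.name} is not subscribed to {ds.name}")
    if project is not None and ds.name in project.data_sources:
        if user.purpose not in project.allowed_purposes:
            raise AccessDenied(f"{user.name} has no approved purpose for project {project.name}")
    masked = set(ds.masked_columns)
    for gp in global_policies:            # global policies are additive to the owner's policy
        masked |= gp.masked_columns
    visible = []
    for row in ds.rows:
        if ds.row_filter is not None and not ds.row_filter(user, row):
            continue                      # row-level policy: hide rows the user may not see
        visible.append({k: (MASK if k in masked else v) for k, v in row.items()})
    return visible


def is_denied(user, ds, global_policies, project=None):
    """Convenience wrapper: True if the query is refused rather than filtered."""
    try:
        query(user, ds, global_policies, project)
        return False
    except AccessDenied:
        return True


# Constructed sample data: a private data source with a row filter on the user's country.
PATIENTS = DataSource(
    name="patients", owner="olivia",
    rows=[{"id": 1, "country": "US", "ssn": "000-00-0001", "age": 34},
          {"id": 2, "country": "DE", "ssn": "000-00-0002", "age": 51}],
    public=False, subscribers={"dana"}, masked_columns={"ssn"},
    row_filter=lambda user, row: row["country"] == user.attributes.get("country"),
)
GLOBAL_POLICIES = [GlobalPolicy(masked_columns={"age"})]
RESEARCH = Project(name="research", data_sources={"patients"}, allowed_purposes={"Research"})


def demo():
    """A subscribed US analyst acting under the Research purpose sees one row, two columns masked."""
    dana = User("dana", attributes={"country": "US"}, purpose="Research")
    return query(dana, PATIENTS, GLOBAL_POLICIES, RESEARCH)


if __name__ == "__main__":
    print(demo())
```

The order matters for what a user learns from a refusal: the subscription and purpose checks reject the whole query, whereas the row filter and column masks silently shape the result, so an unsubscribed user never sees that a private data source exists.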
Application Admin UI
The App Settings page is visible only to users with the APPLICATION_ADMIN permission and allows them to configure Immuta to use external identity managers and catalogs, enable or disable data handlers, adjust email and cache settings, generate system API keys, and manage various other advanced settings.
User Admin UI
The User Admin page is visible only to users with the USER_ADMIN permission and allows them to manage license keys, users, permissions, attributes, and groups from three different tabs: Users, Groups, and Licenses. The major features of these tabs are outlined below.
Users Tab
On this tab, User Admins can add users, filter the list of users, or navigate to users' profiles by clicking on their name in the sidebar on the left.
After clicking on an individual user from this list, the user's email, position, and last login and update appear in the center of the page. From here, Admins can manage the user's Permissions, Attributes, and Groups.
External User ID Mapping
For the Databricks, HDFS, and Snowflake native integrations, external IDs can be mapped from attributes in an external IAM system, allowing you to link an external account to the corresponding Immuta account even when usernames do not match between Immuta and the external system.
For IAMs where no mapping has been defined (including the built-in identity manager, BIM), the external user ID mappings can be set manually on the user details page by clicking the dropdown menu in the top right corner of the user's page.
After clicking one of the options in the dropdown (which is only visible if the ID is not mapped to an IAM schema value), a modal will allow you to manually set the value for a user.
All external IDs are displayed on the user profile page.
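The mapping rules above (an IAM schema attribute supplies the external ID when one is defined, a manual value may be set only when it is not, and the result links an integration's account name back to an Immuta account) are easy to get wrong in the reverse direction. The block below is an added illustration written for this page, not Immuta's code; the IAM names `corp-ldap` and `bim`, the schema table `IAM_SCHEMA`, the attribute names, and the sample users are all constructed.

```python
"""Constructed example of external user ID resolution for native integrations.
Not Immuta's own code; IAM names, attribute names and users are made up."""
from dataclasses import dataclass, field

INTEGRATIONS = ("databricks", "hdfs", "snowflake")

# Hypothetical IAM schema mappings: which IAM attribute supplies the external ID for
# each integration. The built-in identity manager ("bim") defines no mapping at all.
IAM_SCHEMA = {
    "corp-ldap": {"databricks": "mail", "snowflake": "sAMAccountName"},
    "bim": {},
}


@dataclass
class ImmutaUser:
    username: str
    iam: str                                        # identity manager the account came from
    attributes: dict = field(default_factory=dict)  # attributes pulled from that IAM
    manual_ids: dict = field(default_factory=dict)  # values set by a User Admin on the profile page


def is_mapped_by_iam(user, integration):
    """True when the user's IAM defines a schema value for this integration."""
    return integration in IAM_SCHEMA.get(user.iam, {})


def external_id(user, integration):
    """IAM-derived value takes precedence; otherwise the manually set value; otherwise None."""
    if integration not in INTEGRATIONS:
        raise ValueError(f"unknown integration {integration}")
    if is_mapped_by_iam(user, integration):
        return user.attributes.get(IAM_SCHEMA[user.iam][integration])
    return user.manual_ids.get(integration)


def set_manual_id(user, integration, value):
    """Mirrors the dropdown: manual mapping is offered only when no IAM schema value applies."""
    if is_mapped_by_iam(user, integration):
        raise ValueError(f"{integration} ID for {user.username} is mapped from IAM {user.iam}")
    user.manual_ids[integration] = value


def resolve_immuta_user(users, integration, ext_id):
    """Reverse lookup: which Immuta account owns this integration account name?
    Ambiguity is an error, since two Immuta users must not share an external identity."""
    matches = [u.username for u in users if external_id(u, integration) == ext_id]
    if len(matches) > 1:
        raise ValueError(f"{ext_id} maps to more than one Immuta user: {matches}")
    return matches[0] if matches else None


def profile_ids(user):
    """Everything the profile page would display: one entry per integration."""
    return {i: external_id(user, i) for i in INTEGRATIONS}


# Constructed sample users.
ALICE = ImmutaUser("alice", "corp-ldap",
                   attributes={"mail": "alice@example.com", "sAMAccountName": "alice"})
BOB = ImmutaUser("bob", "bim")
set_manual_id(BOB, "databricks", "robert@example.com")  # BIM user, so manual mapping is allowed
USERS = [ALICE, BOB]

if __name__ == "__main__":
    print(profile_ids(ALICE), resolve_immuta_user(USERS, "databricks", "robert@example.com"))
```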
Groups Tab
Similar to the Users tab, the Groups tab includes a list of groups in the left sidebar. After clicking on a specific group, User Admins can view the group details, add and remove group members, and manage attributes for the group.
Licenses Tab
This tab includes a list of licenses and details the unique user ID (UUID), the features associated with specific licenses, the expiration dates, the total number of seats, and the date the keys were added. Administrators can also add and delete license keys from this page.