Policy History and Changes

Prerequisites: Before using this walkthrough, please ensure that you’ve first done

• Parts 1-5 of the POV Data Setup
• the Schema Monitoring and Automatic Sensitive Data Discovery walkthrough and

• at least one of the following:

  • Separating policy definition from role definition: dynamic attributes
  • Policy boolean logic
  • Exception-based policy authoring
  • Hierarchical tag-based policy definitions

Overview

Understandability of policy, as discussed in the previous walkthrough, Natural Language Represented Policy, is critically important to create a prove and verify environment. This should be further augmented by change history around policy, and being able to monitor and attribute change.

Immuta provides this capability through our extensive audit logs and takes it a step further by providing history views and diffs in the user interface.

Business Value

Once you have created a trust and verify environment WITH full auditability, all stakeholders can rest easy and monitoring change can be enabled.

Because of this, the business reaps

• Increased revenue: accelerate data access / time-to-data because the legal and compliance teams trust that data is being protected correctly because they can verify that is the case.
• Decreased risk: Changes are obvious to all and can be reacted to quickly.

Viewing Policy Audit

Assumptions: Your user has the following permissions in Immuta (note you should have these by default if you were the initial user on the Immuta installation):

• GOVERNANCE: in order to view policy audit OR
• “Data Owner” of the registered tables. (You likely are the Data Owner and have GOVERNANCE permission.)

First, let's examine a Global Policy.

1. Log in to Immuta.
2. Click the Audit icon in the left sidebar.
3. In the facets section on the left, expand the time bar to full history.
4. Under Record Type, click the Global Policy Applied checkbox.
5. This will list all Global Policies that have been applied; click on one to inspect it.

Now let’s leave the audit history and go to an actual table in the UI to see its specific history.

1. Click the Data Sources icon in the left sidebar.
2. Click into any of your data sources (where you’ve applied policy).
3. Click the Policies tab.
4. On the right, there is an Activity menu; if it is not expanded, expand it.
5. Examine it. Depending on how many policies you’ve applied, it will show the running history.

Lastly, let’s take a look at all activity in Immuta and examine a policy “diff."

1. Click the Governance icon in the left sidebar.
2. Click the Notifications tab at the top of the page.
3. Scroll through the notifications until you see one that starts with something like The following global policy has been applied/updated on… This is a global policy applied event.
4. Click on the green Governance icon on the left of that row to View Details.
5. This will provide a GitHub-like diff pop-up that will show the previous policy as compared to the prior policy. (Prior policy is likely empty because we created policies from scratch in these walkthroughs.)

Note that all notifications can be grabbed as webhooks, so you can take Immuta notifications and plug them into something like Slack, if desired.

Anti-Patterns

The anti-pattern is to build policy based on tasking an engineer in an ad-hoc manner. When this occurs, there is no history of the change, nor is it possible to see the difference between the old and new policies. That makes it impossible to take a historical look at change and understand where an issue may have arisen. If you have a standardized platform for making policy changes, then you are able to understand and inspect those changes over time.

Next Steps

Feel free to return to the POV Guide to move on to your next topic.