Skip to content

App Settings Tutorial

Audience: Application Admins

Content Summary: This page details how to use the App Settings page to configure settings for Immuta for your organization.

  1. Click the App Settings icon in the left sidebar.

    App Settings

  2. Click the link in the Configuration panel to navigate to that section.

    App Settings Sidebar Default

Use Existing Identity Access Manager

See the identity manager pages for a tutorial to connect an Azure Active Directory, Okta, or OneLogin identity manager.

To configure Immuta to use all other existing IAMs,

  1. Click the Add IAM button.
  2. Complete the Display Name field and select your IAM type from the Identity Provider Type dropdown: LDAP/Active Directory, SAML, or OpenID.

    Config IAM

Once you have selected LDAP/Active Directory from the Identity Provider Type dropdown menu,

  1. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Credentials and Options sections. Note: Either User Attribute OR User Search Filter is required, not both. Completing one of these fields disables the other.
  2. Opt to have Case-insensitive user names by clicking the checkbox.
  3. Opt to Enable Debug Logging or Enable SSL by clicking the checkboxes.
  4. In the Profile Schema section, map attributes in LDAP/Active Directory to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
  5. Opt to Link SQL Account.
  6. Opt to Enable scheduled LDAP Sync supprt for LDAP/Active Directory and Enable pagination for LDAP Sync. Once enabled, confirm the sync schedule written in Cron rule; the default is every hour. Confirm the LDAP page size for pagination; the default is 1,000.
  7. Opt to Sync groups from LDAP/Active Directory to Immuta. Once enabled, map attributes in LDAP/Active Directory to automatically pull information about the groups into Immuta.
  8. Opt to Sync attributes from LDAP/Active Directory to Immuta. Once enabled, add attribute mappings in the attribute schema. The desired attribute prefix should be mapped to the relevant schema URN.

    Attribute Schema

  9. Opt to enable External Groups and Attributes Endpoint, Make Default IAM, or Migrate Users from another IAM by selecting the checkbox.

  10. Then click the Test Connection button.

    Note: If you select Link SQL Account, you will need to update the Query Engine configuration.

  11. Once the connection is successful, click the Test User Login button.

  12. Click the Test LDAP Sync button if scheduled sync has been enabled.

Once you have selected SAML from the Identity Provider Type dropdown menu,

  1. Take note of the ID. You will need this value to reference the IAM in the ACS URL in your identity provider with the format <base url>/bim/iam/<id>/user/authenticate/callback.

    SAML ID

  2. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Client Options section.

  3. Opt to Enable SCIM support for SAML by clicking the checkbox, which will generate a SCIM API Key.
  4. In the Profile Schema section, map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
  5. Opt to Link SQL Account, Allow Identity Provider Initiated Single Sign On, Sync groups from SAML to Immuta, Sync attributes from SAML to Immuta, External Groups and Attributes Endpoint, or Migrate Users from another IAM by selecting the checkboxes, and then click the Test Connection button.
  6. Once the connection is successful, click the Test User Login button.

Once you have selected OpenID from the Identity Provider Type dropdown menu,

  1. Take note of the ID. You will need this value to reference the IAM in the callback URL in your identity provider with the format <base url>/bim/iam/<id>/user/authenticate/callback.
  2. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu.
  3. Note the Redirect URL shown. Navigate out of Immuta and register the client application with the OpenID provider. If prompted for client application type, choose web.

    App Settings OpenID Redirect URL

  4. Back in Immuta, enter the Client ID, Client Secret, and Discover URL in the form field.

  5. Configure OpenID provider settings. There are two options:
    1. Set Discover URL to the /.well-known/openid-configuration URL provided by your OpenID provider.
    2. If you are unable to use the Discover URL option, you can fill out Authorization Endpoint, Issuer, Token Endpoint, JWKS Uri, and Supported ID Token Signing Algorithms.
  6. If necessary, add additional Scopes.
  7. Opt to Enable SCIM support for OpenID by clicking the checkbox, which will generate a SCIM API Key.
  8. In the Profile Schema section, map attributes in OpenID to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
  9. Opt to Allow Identity Provider Initiated Single Sign On or Migrate Users from another IAM by selecting the checkboxes.
  10. Click the Test Connection button.
  11. Once the connection is successful, click the Test User Login button.

Immuta Accounts

To set the default permissions granted to users when they log in to Immuta, click the Default Permissions dropdown menu, and then select permissions from this list.

Default Permissions

Most External Catalogs use this tutorial to connect to Immuta. If you want to link Alation, Collibra, Waterline, Google Data, or a REST catalog, navigate to the corresponding tab below.

To link Immuta to your organization's enterprise data catalog system,

  1. Click Add Catalog.
  2. Enter the Display Name and select the Catalog Type from the dropdown menu.
  3. Enter the HTTP endpoint of the catalog in the URL field.
  4. Complete the Username and Password fields. Note: This is the username and the password that Immuta can use to connect to the external catalog.
  5. Opt to select Upload Certificates.
    1. Upload the Certificate Authority, Certificate File, and Key File.
    2. Opt for strict SSL by selecting the checkbox.
  6. Click the Test Connection button.

To link Immuta to an Alation data catalog,

  1. Click Add Catalog.
  2. Enter the Display Name and select Alatian from the dropdown menu.
  3. Complete the URL and API fields.
  4. Opt to select Upload Certificates.
    1. Upload the Certificate Authority, Certificate File, and Key File.
    2. Opt for strict SSL by selecting the checkbox.
  5. Click the Test Connection button.

To link Immuta to a Collibra data catalog,

  1. Click Add Catalog.
  2. Enter the Display Name and select Collibra from the dropdown menu.
  3. Enter the HTTP endpoint of the catalog in the URL field.
  4. Complete the Username and Password fields. Note: This is the username and the password that Immuta can use to connect to the external catalog.
  5. Opt to Require the data source name in Collibra to contain both the schema and table name by selecting the checkbox.
  6. Complete the Asset Mappings modal to set which asset types in collibra should align to Immut's data sources and columns.
  7. Complete the Attributes as Tags modal to specify which Collibra attributes you would like to pull in as tags in Immuta.
  8. Opt to select Upload Certificates.
    1. Upload the Certificate Authority, Certificate File, and Key File.
    2. Opt for strict SSL by selecting the checkbox.
  9. Click the Test Connection button.

Prerequisite: Create a service account by following Google Cloud Platform's instructions and download the JSON file containing your Google Service Account key.

  1. Click Add Catalog.
  2. Enter the Display Name and select Google Data Catalog from the dropdown menu.
  3. Upload your Google Service Account key.

    Google Data Catalog

  4. Opt to select any of the following checkboxes:

    • Keep true and false values as leaf tags
      • Don't import tags that have numeric values
      • Don't import tags that have datetime values
  5. Click Test Connection and Save the updated configuration.

Now, when a data source is created from a table in BigQuery , Immuta will import any tags that have been applied to the table in Google Data Catalog.

To link Immuta to a Waterline data catalog,

  1. Click Add Catalog.
  2. Enter the Display Name and select Waterline from the dropdown menu.
  3. Enter the HTTP endpoint of the catalog in the URL field.
  4. Complete the Username and Password fields. Note: This is the username and the password that Immuta can use to connect to the external catalog.
  5. Complete the Domain Mapping modal to map the Waterline Domains to a root tag in Immuta.
  6. Complete the Categories modal to add Waterline Categories that Immuta should search when linking data sources in Waterline.
  7. Use the dropdown menu to select between ACCEPTED or SUGGESTED the tag states Immuta will use.
  8. Opt to select Upload Certificates.
    1. Upload the Certificate Authority, Certificate File, and Key File.
    2. Opt for strict SSL by selecting the checkbox.
  9. Click the Test Connection button.

To link Immuta to a REST data catalog,

  1. Click Add Catalog.
  2. Enter the Display Name and select Rest from the dropdown menu.
  3. Select the Internal Plugin checkbox if the catalog has been uploaded to Immuta as a custom server plugin.
  4. Complete the following fields:
    1. Enter the HTTP endpoint of the catalog in the URL field.
    2. Complete the Username and Password fields.
    3. Enter the path of the Tags Endpoint.
    4. Enter the path of the Data Source Endpoint.
    5. Enter the path to the information page for a data source in the Data Source Link Template field.
  5. Opt to enter the path to the information page for a column in the Column Link Template field.
  6. Opt to upload a Catalog Image.
  7. Opt to select Upload Certificates.
    1. Upload the Certificate Authority, Certificate File, and Key File.
    2. Opt for strict SSL by selecting the checkbox.
  8. Click the Test Connection button.
  9. Click the Test Data Source Link.

Work with Tags from Multiple Google Cloud Platform Projects

By default, service accounts only have access to resources (such as tags) in the project where they are created. However, tags from different projects can be applied to a single table by using a tag template in Google Data Catalog.

To allow Immuta to import tags from other projects,

  1. In Google Data Catalog, navigate to an additional project with tags that have been applied to a table.
  2. Select the IAM & Admin tab from the navigation menu.
  3. Click the Add User button in the top left of the screen.
  4. Enter the email associated with the created service account. This address can be found in the downloaded JSON key file or in the IAM section of the original project.
  5. Select the TagTemplateUser role from the dropdown menu to allow access to tags.

Immuta will now import tags from this project. Further details and instructions about the TagTemplateUser role and tag templates can be found in Google Cloud Platform documentation.

Enable External Masking

To enable external masking,

  1. Navigate to the App Settings page and click External Masking in the left sidebar.
  2. Click Add Configuration and specify an external endpoint in the External URI field.

    External URI

  3. Click Configure, and then add at least one tag by selecting from the Search for tags dropdown menu. Note: Tag hierarchies are supported, so tagging a column as Sensitive.Customer would drive the policy if external masking was configured with the tag Sensitive).

    Search Tags

  4. Select Authentication Method and then complete the authentication fields (when applicable).

  5. Click Test Connection and then Save.

Add a Native Workspace

  1. Select Add Workspace.
  2. Use the dropdown menu to select the Workspace Type and refer to the corresponding tab below.

Use the dropdown menu to select the Schema and refer to the corresponding tab below.

Cloudera HDFS Workspace

  1. Enter the Workspace Base Directory (any project workspaces created will be sub-directories of this path).

  2. Click Test Workspace Directory.

  3. Once the credentials are successfully tested, click Save.

Cloudera S3A Workspace

  1. Use the dropdown menu to select the AWS Region.

  2. Enter the S3 Bucket.

  3. Opt to enter the S3 Bucket Prefix.

  4. Opt to Configure S3 Credentials.

    1. Use the dropdown menu to select Authentication Method, and enter the required information.

      1. AWS Access Key: Enter your AWS Access Key ID and AWS Secret Key. Required Permissions: s3:ListBucket, s3:GetObject, and s3:GetObjectTagging.

        Best Practices: Read-only Access Recommended

        It is best practice to use an AWS account with limited read-only access to the data in question, but not necessary.

      2. AWS IAM Instance Role: Opt to Assume AWS IAM Instance Role if you have ListRoles IAM permission or enter the AWS IAM Role ARN manually.

  5. Click Test Workspace Bucket.

  6. Once the credentials are successfully tested, click Save.

Use the dropdown menu to select the Schema and refer to the corresponding tab below.

  1. Enter the Name.

  2. Click Add Workspace

    Databricks S3A Workspace

  3. Enter the Hostname.

  4. Opt to enter the Workspace ID (required with Azure Databricks).

  5. Enter the Databricks API Token.

  6. Use the dropdown menu to select the AWS Region.

  7. Enter the S3 Bucket.

  8. Opt to enter the S3 Bucket Prefix.

  9. Click Test Workspace Bucket.

  10. Once the credentials are successfully tested, click Save.

  1. Enter the Name.

  2. Click Add Workspace.

    Databricks ABFSS Workspace

  3. Enter the Hostname, Workspace ID, Account Name, Databricks API Token, and Storage Container.

  4. Enter the Workspace Base Directory.

  5. Click Test Workspace Directory.

  6. Once the credentials are successfully tested, click Save.

Enable Dynamic Presto/Trino Integration (Public Preview)

To enable Dynamic Presto/Trino, see the Dynamic Presto page.

Manage Data Providers

You can enable or disable the types of data sources users can create in this section. Some of these types will require you to upload an ODBC driver before they can be enabled. The list of currently supported drivers is on the ODBC Drivers page.

To enable a data provider,

  1. Click the menu button in the lower right corner of the provider icon you want to enable.

    Enable

  2. Select Enable from the dropdown.

If an ODBC driver needs to be uploaded,

  1. Click the menu button in the lower right corner of the provider icon, and then select Upload Driver from the dropdown.

    Upload Driver Menu

  2. Click in the Add Files to Upload box and upload your file.

    Driver Upload

  3. Click Close.

  4. Click the menu button again, and then select Enable from the dropdown.

Enable Email

Application Admins can configure the SMTP server that Immuta will use to send emails to users. If this server is not configured, users will only be able to view notifications in the Immuta console.

To configure the SMTP server,

  1. Complete the Host and Port fields for your SMTP server.
  2. Enter the username and password Immuta will use to log in to the server in the User and Password fields, respectively.
  3. Enter the email address that will send the emails in the From Email field.
  4. Opt to Enable TLS by clicking this checkbox, and then enter a test email address in the Test Email Address field.
  5. Finally, click Send Test Email.

    Config Email

Once SMTP is enabled in Immuta, any Immuta user can request access to notifications as emails, which will vary depending on the permissions that user has. For example, to receive email notifications about group membership changes, the receiving user will need the GOVERNANCE permission. Once a user requests access to receive emails, Immuta will compile notifications and distribute these compilations via email at 8-hour intervals.

Initialize Kerberos

To configure Immuta to protect data in a kerberized Hadoop cluster,

  1. Upload your Kerberos Configuration File, and then you can add modify the Kerberos configuration in the window pictured below.

    KDC Configuration

  2. Upload your Keytab File.

  3. Enter the principal Immuta will use to authenticate with your KDC in the Username field. Note: This must match a principal in the Keytab file.
  4. Adjust how often (in milliseconds) Immuta needs to re-authenticate with the KDC in the Ticket Refresh Interval field.
  5. Click Test Kerberos Initialization.

Configure HDFS Cache Settings

To improve performance when using Immuta to secure Spark or HDFS access, a user's access level is cached momentarily. These cache settings are configurable, but decreasing the Time to Live (TTL) on any cache too low will negatively impact performance.

To configure cache settings, enter the time in milliseconds in each of the Cache TTL fields.

HDFS Cache Settings

Generate System API Key

If you are using Immuta to protect data in a Hadoop cluster, you will need to configure the HDFS name node with a system API key.

To do so,

  1. Click the Generate Key button.
  2. Save this API key in a secure location, and then follow the instructions in the Hadoop Installation Guide to set the immuta.system.api.key property in the name node configuration.

Set Public URLs

You can set the URL users will use to access the Immuta Application and Query Engine. Note: Proxy configuration must be handled outside Immuta.

  1. Complete the Public Immuta URL, Public Query Engine Hostname, and Public Query Engine Port fields.
  2. Opt to Enable SSL by clicking this checkbox.

    Public URLs

Enable Sensitive Data Detection

Feature Demo: Sensitive Data Detection

Select the Enable Sensitive Data Detection checkbox to automatically discover and tag columns with sensitive data when users create data sources. Then, choose Internal Sensitive Data Detection or External Sensitive Data Detection.

Sensitive Data Detection

Allow Policy Exemptions

Click the Allow Policy Exemptions checkbox to allow users to specify who can bypass all policies on a data source.

Policy Exemptions

Configure Governor and Admin Settings

These options allow you to restrict the power individual users with the GOVERNANCE and USER_ADMIN permissions have in Immuta. Click the checkboxes to enable or disable these options.

Gov and Admin Settings

Create Custom Permissions

You can create custom permissions that can then be assigned to users and leveraged when building subscription policies. Note: You cannot configure actions users can take within the console when creating a custom permission, nor can the actions associated with existing permissions in Immuta be altered.

To add a custom permission, click the Add Permission button, and then name the permission in the Enter Permission field.

Custom Permissions

Create Custom Data Source Access Requests

To create a custom questionnaire that all users must complete when requesting access to a data source, fill in the following fields:

  • Key: Any unique value that identifies the question.
  • Header: The text that will display on reports.
  • Label: The text that will display in the questionnaire for the user.

Data Source Access Request Questionnaire

Create Custom Login Message

To create a custom message for the login page of Immuta, enter text in the Enter Login Message box. Note: The message can be formatted in markdown.

Opt to adjust the Message Text Color and Message Background Color by clicking in these dropdown boxes.

Login Message

Enable Native Snowflake Workspace

  1. Check the Enable checkbox in the Native Snowflake Workspace section.
  2. Complete the Host, Port, and Default Warehouse fields.

    Snowflake Config Modal

  3. Select Automatic or Manual by clicking the toggle.

    • Automatic: provide Immuta with privileged user credentials for an automatic installation.
    • Manual: download the linked bootstrap.sql file and manually configure Snowflake environment.

    Note: When performing an automated installation, the credentials provided must have the ability to both CREATE databases and CREATE, GRANT, REVOKE, and DELETE roles. In a typical Snowflake environment the only users with access to the necessary permissions are those who have the ACCOUNTADMIN role.

  4. Click Test Snowflake Connection.

  5. Once the credentials are successfully tested, click Save.

Users will now have the option to create new Projects with Native Snowflake Workspaces and enable Snowflake Workspaces on existing equalized Projects.

Advanced Settings

Beta Features

If you enable any Beta features, please provide feedback on how you would like these features to evolve.

Enable Policy Import/Export

  1. Click Advanced Settings in the left panel, and scroll to the Beta Features section.
  2. Check the Allow Policy Import/Export checkbox.

    Policy Import/Export

  3. Click Save.

Advanced Configuration

Advanced configuration options provided by the Immuta Support team can be added in this section. The configuration must adhere to the YAML syntax.

Advanced Configuration

Update the K-Anonymity Cardinality Cutoff

To increase the default cardinality cutoff for columns compatible with k-anonymity,

  1. Expand the Advanced Settings section and add the following text to the Advanced Configuration:

    plugins:
      postgresHandler:
        maxKAnonCardinality: 10000000
      snowflakeHandler:
        maxKAnonCardinality: 10000000
    

    K-Anon High Cardinality

  2. Click Save.

  3. To regenerate the data source's fingerprint, navigate to that data source's Policy tab.
  4. Click the dropdown menu to the right of Data Policies and select Policy Availability.

    Policy Availability

  5. Click Recalculate in the Fingerprint section of the window that appears.

    Recalculate Fingerprint

Note: Recalculating the fingerprint is only necessary for existing data sources. New data sources will be generated using the new maximum cardinality.

Deploy Configuration Changes

When you are ready to finalize your configuration changes, click the Save button at the bottom of the left panel

Config Builder Save

What's Next

Now that you've configured the settings, continue to the next page or to one of these tutorials:

Query Engine Authentication Identity Manager Index External Catalogs