Managing Personas and Permissions
Audience: Data Governors and System Administrators
Content Summary: This document outlines step-by-step instructions for creating users, adding permissions to a user, removing users' permissions, and configuring user impersonation in Immuta. For more information on user permissions, see the Personas and Permissions Overview.
Additional Tutorials Contents:
- Disable Users
- Manage User Impersonation in Immuta
- Migrate Users from Another IAM
- Remove Permission from User
- Download Metrics
Use Case
Compliance Requirement: Users can only interact with Dev data.
For this requirement, the User Admin should assign the GOVERNANCE permission to users on the Compliance team. This permission will allow them to create and assign tags that identify Dev, Test, and Prod data and write Global Policies that restrict data access to Dev for users.
Best Practice: Use External and Internal IAM
Use an external IAM for authentication and Immuta's internal IAM to manage attributes.
1 - Create Users
- Click the Admin icon in the left sidebar, and select the Users tab.
- Click the Add User button in the top right of the page.
- Fill out the Full Name and Email fields in the dialog. Note: The user's email address will be used as the username and must be unique.
- Click the Create button.
2 - Add Permission to User
- Click the Admin icon in the left sidebar, and select Team Lead 1 from the Users tab.
- Scroll to the Permissions section on the user details page, and click Add Permissions.
- Click the Select Permission dropdown, and select the GOVERNANCE permission.
- Click Close.
Results
Now all Compliance team members have been added to Immuta, and they have the GOVERNANCE permission added in addition to the default permissions to create a project and create a data source in a project.
Additional Tutorials
Disable Users
- Click the Admin icon in the left sidebar, and then select the Users tab.
- Select the user you would like to disable, and click the dropdown menu button in the upper right of the user details page.
- Select Disable.
- Click Disable in the confirmation dialog.
User Impersonation Use Cases
- The Project Path: In this case, the user wants multiple users to use the same dashboard and needs everyone to see the same data. An Immuta project is created and equalized. Then it is exposed to a PostgreSQL connection for projects; this gives the project a single connection for all the users to impersonate. A dashboard can then be created with the project's connection. After this creation multiple users can see the same data with the correct policies enforced.
- The Impersonation Path: This feature allows a user to identify themselves while watching a dashboard that is not their own. An identifier of the user requesting the data is presented with a special, sensitive access token. With this information the data on the dashboard can be personalized to the person viewing it, while still remaining a multi-user connection.
Configuration and Usage
- Grant a selected Immuta user the IMPERSONATE_USER permission.
- Use a tool capable of establishing a PostgreSQL-based SQL connection (see Analytic Tools for specifics on which tool to use) to connect to Immuta's Query Engine using the Immuta SQL credentials of the user with the IMPERSONATE_USER permission.
- Enter into the Immuta Query Engine the iamid that is associated with the Immuta user account you want to impersonate. The iamid is the name of the Identity and Access Management (IAM) provider that the Immuta user you want to impersonate is associated with. The image below shows where the iamid can be located. For example, if using the iamid of "Okta" from above, the full SQL command would be SET immuta.impersonation_iamid = 'Okta'; Note: The iamid is a case-sensitive value.
- Enter into the Immuta Query Engine the userid that is associated with the Immuta user account you want to impersonate. The userid could be an email address (if using Immuta's built-in identity manager, bim), or it could be a shortened form of the username, like a sAMAccountName in Active Directory. For example, to specify a userid of jdoe, run SET immuta.impersonation_userid = 'jdoe'; Note: The userid is a case-sensitive value.
- In certain cases, it may be necessary to convert a shortened form of the username, like a sAMAccountName, to an email address in order to match it to an Immuta account. To handle this special case, Immuta has added a template capability such that the userid can be augmented by a specified template. For example, a sAMAccountName of jdoe can be converted into an email address at mycompany.com using a string template that substitutes the value of {userid} with the userid provided. The resulting value would be jdoe@mycompany.com. The command is SET immuta.impersonation_userid_template = '{userid}@mycompany.com';
- Now that your Immuta Query Engine session is configured to impersonate the desired Immuta user, your queries will be executed as the impersonated user for as long as your session remains active.
Notes and Caveats
- The Immuta user account with the IMPERSONATE_USER permission must have valid SQL credentials configured in order to conduct user impersonation via the Immuta Query Engine.
- Once impersonation is set, all subsequent SQL calls will be made as the impersonated user.
- User impersonation lasts the duration of the SQL connection. To stop impersonating a user, simply close the connection.
- It is not possible to switch impersonated users within a single SQL connection. Each connection supports at most one impersonation setting. After user impersonation has been enabled, attempts to set a different user to impersonate will fail.
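The following added example (not Immuta's own code) builds the SET statements from the Configuration and Usage steps above and models the rules in these caveats: iamid and userid are passed through unchanged because they are case-sensitive, the {userid} template is applied as described, and a connection accepts only one impersonation setting. The allowed-character pattern and the audit list are this example's assumptions; it does not open a real Query Engine connection.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Setting names come from the page; the allowed-character pattern is this example's assumption.
_SAFE_ID = re.compile(r"^[A-Za-z0-9@._\-]+$")


def sql_literal(value: str) -> str:
    """Quote a value as a single-quoted SQL literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def effective_userid(userid: str, template: Optional[str] = None) -> str:
    """Apply the template as the page describes: {userid} is replaced by the given userid."""
    return template.replace("{userid}", userid) if template else userid


def impersonation_statements(iamid: str, userid: str, template: Optional[str] = None) -> List[str]:
    """Return the SET statements, in order, for one impersonation session.

    iamid and userid are passed through unchanged because both are case-sensitive.
    """
    for name, value in (("iamid", iamid), ("userid", userid)):
        if not _SAFE_ID.match(value):
            raise ValueError(f"{name} contains unexpected characters: {value!r}")
    stmts = [
        f"SET immuta.impersonation_iamid = {sql_literal(iamid)};",
        f"SET immuta.impersonation_userid = {sql_literal(userid)};",
    ]
    if template is not None:
        if "{userid}" not in template:
            raise ValueError("template must contain the {userid} placeholder")
        stmts.append(f"SET immuta.impersonation_userid_template = {sql_literal(template)};")
    return stmts


@dataclass
class ImpersonationSession:
    """Models one SQL connection: the page allows at most one impersonation setting per connection."""
    impersonated: Optional[Tuple[str, str]] = None
    audit: List[str] = field(default_factory=list)  # assumed: record who was impersonated for review

    def impersonate(self, iamid: str, userid: str, template: Optional[str] = None) -> List[str]:
        if self.impersonated is not None:
            raise RuntimeError("already impersonating; close the connection and open a new one to switch")
        stmts = impersonation_statements(iamid, userid, template)
        self.impersonated = (iamid, effective_userid(userid, template))
        self.audit.append(f"impersonating {self.impersonated[1]} via {iamid}")
        return stmts
```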
Migrate Users from Another IAM
- Click the Admin icon in the left sidebar, and select the user from the Users tab.
- Click the dropdown menu to the right of their name and select Migrate User.
- Enter their username in the modal that appears and click Migrate User.
Remove Permission from User
- Click the Admin icon in the left sidebar, and select the user from the Users tab.
- Scroll to the Permissions section, and click the delete icon on the permission you want to remove.
Download Metrics
- Navigate to the Admin page.
- Click the dropdown menu in the top right corner of the page and select Download Metrics for Immuta.
- Complete the Number of Days field in the dialog that appears, and then click Download to download the JSON file.
What's Next
Now that you've managed the user's permissions, continue to the next page or to this tutorial: Manage Attributes and Groups.