
Immuta Best Practices

These suggestions provide general guidance for implementing scalable policies across your organization. Although every use case is different and each organization has unique needs and complexities, consider these best practices for your organization, regardless of scale or size.

  1. Use Immuta's SaaS Platform: Use Immuta SaaS to automate installation, backups, and disaster recovery.

  2. Write policies using Attribute-Based Access Control (ABAC): Write a single policy that enforces access controls based on who users are and why they're accessing data.

  3. Use the power of your IAM and SCIM: Most users will not log in to Immuta directly; they will log in to a native system that you want to enforce data governance on (Snowflake, Databricks, etc.). SCIM provisions users in Immuta and adds their attributes and groups so that Immuta can enforce policies for these users.

  4. Plan to capture metadata:

    • Allow Immuta to discover and tag sensitive data with our Sensitive Data Discovery capabilities.
    • Integrate Immuta with your existing data catalog to scale policy creation quickly.
    • Coordinate closely with teams controlling this metadata. Writing policies relies on a good understanding of the tags that will be on the data. The same goes for the team that is tagging data. If they remove a tag, what effect does that have on access?

  5. Weigh policy complexity against performance. It’s a trade-off:

    • Consider using null (or a static value such as "REDACTED") in your masking policies instead of hashing. Nulling is a much simpler operation than hashing, so it can actually reduce overhead compared to a query with no policy at all. Hashing, on the other hand, will increase overhead slightly because of its complexity.
    • Avoid row-level security that relies on thousands or millions of attributes per user for filtering. Such policies are harder to understand, you take on the complexity of managing those attributes, and there is potential for performance impact at query run time.
    • Consider hashing when a “join” condition is required. Hashing allows an end user to join on that column when using Immuta projects.
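To make points 2, 4 and 5 concrete, here is an added example (not Immuta code or its policy format) of a tag-driven ABAC masking policy: column tags and user attributes are constructed sample metadata, the exemption attribute `purpose` and the `null`/`hash` strategies are assumptions, and the code shows why hashing keeps a column joinable while nulling does not, and what happens to access when a tag is removed from a column.

```python
import hashlib

# Constructed sample metadata (not Immuta's real schema): tags on columns as a
# catalog or sensitive-data discovery would supply them.
COLUMN_TAGS = {
    "email": {"PII", "Discovered.Email"},
    "ssn": {"PII", "Discovered.SSN"},
    "customer_id": {"Identifier"},
    "amount": set(),
}
# One ABAC policy: mask every column carrying mask_tag unless the user's
# attributes satisfy exempt_when; strategy is chosen per discovered tag.
# "null" is the cheap option; "hash" costs more but keeps the column joinable.
POLICY = {
    "mask_tag": "PII",
    "exempt_when": ("purpose", "fraud_investigation"),
    "strategy": {"Discovered.SSN": "null", "Discovered.Email": "hash"},
}

def mask_value(value, strategy):
    """Apply one masking strategy to a single cell."""
    if strategy == "null":
        return None
    if strategy == "hash":
        # Deterministic, unsalted SHA-256 so equal inputs match across tables;
        # a production policy would use a salted or keyed hash.
        return hashlib.sha256(str(value).encode()).hexdigest()
    raise ValueError(f"unknown strategy {strategy}")

def strategy_for(tags):
    """Pick the first configured strategy matching the column's tags; default to null."""
    for tag, strategy in POLICY["strategy"].items():
        if tag in tags:
            return strategy
    return "null"

def apply_policy(row, user_attrs, column_tags=COLUMN_TAGS):
    """Return the row as the given user would see it under POLICY."""
    key, required = POLICY["exempt_when"]
    if user_attrs.get(key) == required:
        return dict(row)  # exempt users see the data unmasked
    return {
        col: mask_value(val, strategy_for(column_tags.get(col, set())))
        if POLICY["mask_tag"] in column_tags.get(col, set()) else val
        for col, val in row.items()
    }

def joinable(row_a, row_b, col, user_attrs):
    """True if the user can still join the two rows on col after masking."""
    a = apply_policy(row_a, user_attrs)[col]
    b = apply_policy(row_b, user_attrs)[col]
    return a is not None and a == b
```

Removing the `PII` tag from `ssn` in `COLUMN_TAGS` exposes the column to non-exempt users immediately, which is the coordination risk point 4 describes.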

Learn More

For more best practices around securing your data, process workflows, and organizing your data governance team, visit