Subscription Policies
Audience: Data Owners and Governors
Content Summary: Subscription Policies in Immuta are managed and applied to data sources and projects by Data Owners and Governors to restrict access to data. Subscription Policies can be applied as Local Policies or Global Policies.
This page outlines the types of Subscription Policies users can create and manage in Immuta.
To access a data source, Immuta users must first be subscribed to that data source. A Subscription Policy determines who can request access and has one of four possible restriction levels:
- Anyone: Users will automatically be granted access (Least Restricted).
- Anyone Who Asks (and is Approved): Users will need to request access and be granted permission by the configured approvers (Moderately Restricted).
- Users with Specific Groups/Attributes: Only users with the specified groups/attributes will be able to see the data source and subscribe (Moderately Restricted).
- Individual Users You Select: The data source will not appear in search results; data owners must manually add/remove users (Most Restricted).
For a tutorial on managing Subscription Policies, navigate to the Data Owner Guide.
Combining Global Subscription Policies
In some cases, multiple Global Subscription Policies created by a Data Governor may apply to a single data source. Rather than having the two policies conflict, the conditions of the Subscription Policies are combined using complex boolean logic, as illustrated in the example below.
Consider the following two Global Subscription Policies created by a Data Governor:
Sub 1: Allow users to subscribe when user is a member of group Legal on data sources tagged PII.SSN
Sub 2: Allow users to subscribe when user is a member of group Medical Claims on data sources tagged PII.SSN and tagged PII.DOB
If a Data Owner creates a data source and applies both the PII.SSN and PII.DOB tags, both of these Global Subscription Policies will apply. Instead of having a conflict, the Subscription Policies are combined:
In this example, users must be a member of both the Legal and Medical Claims groups to subscribe to Demo Data Source 3, which contains the PII.SSN and PII.DOB tags.
By default, users must meet all the conditions outlined in each Global Subscription policy that has been combined on a data source to get access (i.e., the conditions of the policies are combined with AND). However, Governors can opt to check the On merge, allow shared policy responsibility box if they would like users to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with OR). Additionally, an Application Administrator can make this condition selected by default for Global Subscription policies on the App Settings page.
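The merge behavior described above, as an added example in Python that is not Immuta code or its API: a simplified model that evaluates Sub 1 and Sub 2 under AND and OR merging. All class and function names are hypothetical. It assumes a policy applies only when the data source carries every tag the policy lists, and that a single merge mode is used for all policies merged on a source.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GlobalSubscriptionPolicy:
    """Hypothetical model of one policy: a group condition scoped by tags."""
    name: str
    required_group: str       # user must be a member of this group
    required_tags: frozenset  # assumption: source must carry all of these tags


def applicable(policies, source_tags):
    """Return the policies whose tag condition matches the data source."""
    return [p for p in policies if p.required_tags <= source_tags]


def can_subscribe(user_groups, source_tags, policies, shared_responsibility=False):
    """Evaluate the merged policies for one user and one data source.

    Default merge is AND (every applicable policy must be satisfied).
    With shared_responsibility=True the merge is OR (any one suffices).
    Returns None when no policy applies, since this model does not
    cover what governs access in that case.
    """
    matched = applicable(policies, source_tags)
    if not matched:
        return None
    results = [p.required_group in user_groups for p in matched]
    return any(results) if shared_responsibility else all(results)


# Constructed sample data mirroring Sub 1 and Sub 2 from the text.
SUB1 = GlobalSubscriptionPolicy("Sub 1", "Legal", frozenset({"PII.SSN"}))
SUB2 = GlobalSubscriptionPolicy(
    "Sub 2", "Medical Claims", frozenset({"PII.SSN", "PII.DOB"}))
POLICIES = [SUB1, SUB2]
DEMO_SOURCE_3 = frozenset({"PII.SSN", "PII.DOB"})  # both tags applied
SSN_ONLY = frozenset({"PII.SSN"})                  # only Sub 1 applies

if __name__ == "__main__":
    for groups in ({"Legal"}, {"Medical Claims"}, {"Legal", "Medical Claims"}):
        and_result = can_subscribe(groups, DEMO_SOURCE_3, POLICIES)
        or_result = can_subscribe(groups, DEMO_SOURCE_3, POLICIES, True)
        print(sorted(groups), "AND:", and_result, "OR:", or_result)
```

Under the OR merge, membership in any one matching group is sufficient, so enabling shared policy responsibility widens who can subscribe to a data source that carries several tags.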
Once enabled on a data source, Global Subscription Policies can be edited and disabled by Data Owners. See the Local Policy Builder Tutorial for instructions.
See Importing and Exporting Policies to export and import policies as JSON files so they can seamlessly be moved from one system to another, as long as the systems have identical configurations.