
You are viewing documentation for Immuta version 2021.2.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Subscription Policies

Audience: Data Owners and Governors

Content Summary: Subscription Policies in Immuta are managed and applied to data sources and projects by Data Owners and Governors to restrict access to data. Subscription Policies can be applied as Local Policies or Global Policies.

This page outlines the types of Subscription Policies users can create and manage in Immuta.

Video Tutorial: Subscription Policies

To access a data source, Immuta users must first be subscribed to that data source. A Subscription Policy determines who can request access and has one of four possible restriction levels:

  • Anyone: Users will automatically be granted access (Least Restricted).
  • Anyone Who Asks (and is Approved): Users will need to request access and be granted permission by the configured approvers (Moderately Restricted).
  • Users with Specific Groups/Attributes: Only users with the specified groups/attributes will be able to see the data source and subscribe (Moderately Restricted).
  • Individual Users You Select: The data source will not appear in search results; data owners must manually add/remove users (Most Restricted).

For a tutorial on managing Subscription Policies, navigate to the Data Owner Guide.

Combining Global Subscription Policies

In some cases, multiple Global Subscription Policies created by a Data Governor may apply to a single data source. Rather than having the two policies conflict, the conditions of the Subscription Policies are combined using complex boolean logic, as illustrated in the example below.

Consider the following two Global Subscription Policies created by a Data Governor:

Sub 1: Allow users to subscribe when user is a member of group Legal on data sources tagged PII.SSN

Sub 2: Allow users to subscribe when user is a member of group Medical Claims on data sources tagged PII.SSN and tagged PII.DOB

If a Data Owner creates a data source and applies both the PII.SSN and PII.DOB tags, both of these Global Subscription Policies will apply. Instead of having a conflict, the Subscription Policies are combined:

[Image: Sub Policy Combined]

In this example, users must be a member of both the Legal and Medical Claims groups to subscribe to Demo Data Source 3, which contains the PII.SSN and PII.DOB tags.

By default, users must meet all the conditions outlined in each Global Subscription Policy that has been combined on a data source to get access (i.e., the conditions of the policies are combined with AND). However, Governors can check the "On merge, allow shared policy responsibility" box if they would like users to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with OR). Additionally, an Application Administrator can make this option selected by default for Global Subscription Policies on the App Settings page.
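The merge behaviour described above, modelled as an added example (this is not Immuta's code or API). The class, function names and sample users are hypothetical, and the model assumes OR is applied only when every applicable policy has the shared-responsibility box checked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GlobalSubPolicy:          # hypothetical model, not an Immuta API object
    name: str
    group: str                  # group the user must belong to
    tags: frozenset             # policy applies to sources carrying all of these tags
    shared: bool = False        # "On merge, allow shared policy responsibility" box

def applicable(policies, source_tags):
    """Return the policies whose tag conditions the data source satisfies."""
    return [p for p in policies if p.tags <= set(source_tags)]

def can_subscribe(user_groups, source_tags, policies):
    """Merge all applicable policies; None means no Global policy applies."""
    hits = applicable(policies, source_tags)
    if not hits:
        return None
    met = [p.group in user_groups for p in hits]
    # Assumption: OR only when every applicable policy has the box checked.
    return any(met) if all(p.shared for p in hits) else all(met)

def policies_from_page(shared=False):
    """Sub 1 and Sub 2 from the text, with the merge box on or off."""
    return [
        GlobalSubPolicy("Sub 1", "Legal", frozenset({"PII.SSN"}), shared),
        GlobalSubPolicy("Sub 2", "Medical Claims",
                        frozenset({"PII.SSN", "PII.DOB"}), shared),
    ]

# Constructed sample users and the tags of Demo Data Source 3.
USERS = {
    "alice": {"Legal"},
    "bob": {"Medical Claims"},
    "carol": {"Legal", "Medical Claims"},
}
DEMO_SOURCE_3 = {"PII.SSN", "PII.DOB"}

def access_matrix(source_tags, shared):
    """Map each sample user to the subscribe decision for the source."""
    pols = policies_from_page(shared)
    return {u: can_subscribe(g, source_tags, pols) for u, g in USERS.items()}

if __name__ == "__main__":
    print("AND merge:", access_matrix(DEMO_SOURCE_3, shared=False))
    print("OR merge: ", access_matrix(DEMO_SOURCE_3, shared=True))
    print("SSN only: ", access_matrix({"PII.SSN"}, shared=False))
```

Comparing the matrix for a source before and after a tag is added shows whether the new tag narrows access (AND merge) or widens it (OR merge).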

Once enabled on a data source, Global Subscription Policies can be edited and disabled by Data Owners. See the Local Policy Builder Tutorial for instructions.

See Importing and Exporting Policies to export and import policies as JSON files so they can seamlessly be moved from one system to another, as long as the systems have identical configurations.