
Native Integration User Impersonation

Audience: Data Governors, Data Users with the IMPERSONATE_USER permission, and System Administrators

Content Summary: This page outlines the user impersonation options within Immuta with tutorials for specific native integrations.

Overview

Native impersonation allows users to natively query data as another Immuta user.

User impersonation is supported with

Enabling User Impersonation for a Native Integration

Native impersonation is enabled from the App Settings page within the Native Integration workflow for Snowflake, Amazon Redshift, and Azure Synapse Analytics. For Trino/Presto, it is automatically enabled when the native integration is connected to Immuta.

User Impersonation with Snowflake

1 - Grant Users the IMPERSONATE_USER Permission

After enabling user impersonation with your Snowflake integration, there are two ways to give a user permission to use the feature: in the Immuta UI or in Snowflake. Use one of the methods below.

Permission in Immuta

As an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click Add Permissions.

  4. Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.

  5. Click Close.

Permission in Snowflake

As a Snowflake user with the ACCOUNTADMIN role,

  1. Navigate to your Snowflake instance.

  2. In a worksheet run GRANT ROLE <<Impersonation_Role>> TO USER "<<Snowflake User>>".

    In this example, the Impersonation Role is the name entered on the Immuta App Settings page when the feature was enabled. The default is IMMUTA_IMPERSONATION, but the admin may have customized it. The Snowflake User is the username of the Snowflake user that will now have permission to impersonate other users.

2 - Impersonate a User

To impersonate another user in Snowflake,

  1. Open a New Worksheet and set your role to the impersonation role specific to your organization.
  2. Run SET immuta_user = '<<Immuta username of the user to impersonate>>'.

  3. Run queries within that worksheet.

3 - Revoke Users' IMPERSONATE_USER Permission

To revoke permission to impersonate users,

Revoke Permission in Immuta

As an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click the delete icon on the IMPERSONATE_USER permission.

Revoke Permission in Snowflake

As a Snowflake user with the ACCOUNTADMIN role,

  1. Navigate to your Snowflake instance.

  2. In a worksheet run REVOKE ROLE <<Impersonation Role>> FROM USER "<<Snowflake User>>".

    In this example, the Impersonation Role is the name entered on the Immuta App Settings page when the feature was enabled. The default is IMMUTA_IMPERSONATION, but the admin may have customized it. The Snowflake User is the username of the Snowflake user that will no longer have permission to impersonate other users.

Snowflake Specific Caveats

  • Native impersonation is specific to the worksheet and session in which it was set. Opening a new worksheet will revert the user back to themselves.
  • Snowflake auditing will show the user running the queries as the user logged in to Snowflake, not as the user they are impersonating.
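
Because Snowflake attributes impersonated queries to the logged-in user, a reviewer has to correlate sessions to see who was being impersonated. The following is an added example, not part of the Immuta documentation: it lists holders of the impersonation role and ties each query in a session to the most recent SET immuta_user that preceded it. It assumes the default role name IMMUTA_IMPERSONATION, a 7-day review window, and read access to the SNOWFLAKE.ACCOUNT_USAGE views.

```sql
-- Added example. Assumptions: default role name IMMUTA_IMPERSONATION,
-- 7-day window, read access to SNOWFLAKE.ACCOUNT_USAGE.

-- 1. Who currently holds the impersonation role?
SELECT grantee_name, granted_by, created_on
FROM snowflake.account_usage.grants_to_users
WHERE role = 'IMMUTA_IMPERSONATION'
  AND deleted_on IS NULL
ORDER BY created_on DESC;

-- 2. Attribute queries to the impersonated Immuta user.
WITH impersonation_sets AS (
    -- Every SET immuta_user = '...' statement, with the real login
    -- and the quoted username extracted from the statement text.
    SELECT session_id,
           user_name  AS snowflake_login,
           role_name,
           start_time AS set_time,
           REGEXP_SUBSTR(query_text, $$'([^']*)'$$, 1, 1, 'e', 1)
               AS impersonated_user
    FROM snowflake.account_usage.query_history
    WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
      AND LTRIM(query_text) ILIKE 'set%immuta_user%=%'
)
SELECT s.snowflake_login,
       s.role_name,
       s.impersonated_user,
       q.start_time,
       q.query_id,
       q.query_text
FROM snowflake.account_usage.query_history q
JOIN impersonation_sets s
  ON s.session_id = q.session_id
 AND s.set_time  <= q.start_time      -- includes the SET statement itself
WHERE q.start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
-- A session may switch targets; keep only the latest SET before each query.
QUALIFY ROW_NUMBER() OVER (PARTITION BY q.query_id
                           ORDER BY s.set_time DESC) = 1
ORDER BY s.snowflake_login, q.start_time;
```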

User Impersonation with Amazon Redshift

1 - Grant Users the IMPERSONATE_USER Permission

After enabling user impersonation with your Amazon Redshift integration, there are two ways to give a user permission to use the feature: in the Immuta UI or in Amazon Redshift. Use one of the methods below.

Permission in Immuta

As an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click Add Permissions.

  4. Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.

  5. Click Close.

Permission in Amazon Redshift

As a Redshift superuser,

  1. Navigate to your Redshift instance.

  2. Run ALTER GROUP <Impersonation Group> ADD USER <Redshift User>.

    In this example, the Impersonation Group is the name entered on the Immuta App Settings page when the feature was enabled. The default is immuta_impersonation, but the admin may have customized it. The Redshift User is the username of the Redshift user that will now have permission to impersonate other users.

2 - Impersonate a User

To impersonate another user in Redshift,

  1. Run CALL immuta_procedures.impersonate_user(<Immuta username of the user to impersonate>).

  2. Run queries.

3 - End User Impersonation

To end user impersonation in Redshift, run CALL immuta_procedures.impersonate_user(<NULL>).

4 - Revoke Users' IMPERSONATE_USER Permission

To revoke permission to impersonate users,

Revoke Permission in Immuta

As an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click the delete icon on the IMPERSONATE_USER permission.

Revoke Permission in Amazon Redshift

As a Redshift superuser,

  1. Navigate to your Redshift instance.

  2. Run ALTER GROUP <Impersonation Group> DROP USER <Redshift User>.

    In this example, the Impersonation Group is the name entered on the Immuta App Settings page when the feature was enabled. The default is immuta_impersonation, but the admin may have customized it. The Redshift User is the username of the Redshift user that will no longer have permission to impersonate other users.

Redshift Specific Caveats

  • User impersonation is specific to the session in which it was set. If the Redshift process ID is refreshed, it will revert the user back to themselves.

User Impersonation with Azure Synapse Analytics

1 - Grant Users the IMPERSONATE_USER Permission

After enabling user impersonation with your Azure Synapse Analytics integration, there are two ways to give a user permission to use the feature: in the Immuta UI or in Azure Synapse Analytics. Use one of the methods below.

Permission in Immuta

As an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click Add Permissions.

  4. Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.

  5. Click Close.

Permission in Azure Synapse Analytics

As a Synapse user,

  1. Navigate to your Synapse instance.

  2. Run EXEC sp_addrolemember N'<Impersonation Role>', N'<Synapse User>'.

    In this example, the Impersonation Role is the name entered on the Immuta App Settings page when the feature was enabled. The default is IMMUTA_IMPERSONATION, but the admin may have customized it. The Synapse User is the username of the Synapse user that will now have permission to impersonate other users.

2 - Impersonate a User

To impersonate another user in Synapse,

  1. Run the following command:

    EXEC sys.sp_set_session_context @key = N'Immuta username of the user to impersonate',
    @value = '<Immuta username of the user to impersonate>';
    
  2. Run queries.

3 - End User Impersonation

To end user impersonation in Synapse, run EXEC sys.sp_set_session_context @key = N'NULL', @value = '<NULL>'.

4 - Revoke Users' IMPERSONATE_USER Permission

To revoke permission to impersonate users,

Revoke Permission in Immuta

As an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click the delete icon on the IMPERSONATE_USER permission.

Revoke Permission in Azure Synapse Analytics

As a Synapse user,

  1. Navigate to your Synapse instance.

  2. Run EXEC sp_droprolemember N'<Impersonation Role>', N'<Synapse User>'.

    In this example, the Impersonation Role is the name entered on the Immuta App Settings page when the feature was enabled. The default is IMMUTA_IMPERSONATION, but the admin may have customized it. The Synapse User is the username of the Synapse user that will no longer have permission to impersonate other users.

Synapse Specific Caveats

  • User impersonation is specific to the script and session in which it was set. Opening a new script will revert the user back to themselves.

User Impersonation with Presto/Trino

1 - Grant Users the IMPERSONATE_USER Permission

User impersonation is automatically enabled with your Presto/Trino integration, but the user must be given the IMPERSONATE_USER permission in Immuta.

To grant the user IMPERSONATE_USER permission, as an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click Add Permissions.

  4. Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.

  5. Click Close.

2 - Impersonate a User

To impersonate another user in Presto/Trino,

  1. Run SET SESSION immuta.immuta_user = <Immuta username of the user to impersonate>.

  2. Run queries.

3 - Check User Impersonation

To view the user you are impersonating in Presto/Trino, run SHOW SESSION like 'immuta.immuta_user'.

4 - End User Impersonation

To end user impersonation in Trino, run RESET SESSION immuta.immuta_user.

5 - Revoke Users' IMPERSONATE_USER Permission

To revoke permission to impersonate users, as an Immuta user with the permission USER_ADMIN,

  1. Navigate to your Immuta homepage.

  2. Click the Admin icon in the left sidebar, and select the user from the Users tab.

  3. Click the delete icon on the IMPERSONATE_USER permission.

Presto/Trino Specific Caveats

  • The user's permissions to impersonate users are not checked until the query is run. If the user does not have the IMPERSONATE_USER permission in Immuta, they will be able to run the command to impersonate a role, but will not be able to query as that role.

User Impersonation Caveats

  • User impersonation is not supported for Databricks SQL Analytics.