Approve to Promote Overview

Audience: Data Governors, System Administrators, and Data Owners

Content Summary: Approve to Promote allows users to incorporate an approval process in their policy workflow. For instructions to enable this feature, see the Enable Approve to Promote section. To use the feature, see the Approve and Promote Policies to Production tutorial.

Approve to Promote Process

Approve to Promote allows users to create and review policies in a development environment before activating them on data sources in production environments. Any Global Policies that are created, edited, or staged will go through the approval process outlined below:

  1. A Data Governor creates a Global Policy in the development environment.
  2. The policy is reviewed by Data Owners and other Data Governors, who either request changes or approve the policy.
  3. Once the policy is approved, a Data Governor promotes the policy through the Immuta CLI.
  4. A Data Governor saves the policy to the production environment through the Immuta CLI.

Policy Created in Development Environment

When a Global Policy is created or updated (including staging and activating the policy) in a development environment, the status of the policy is labeled as In Review and other Data Governors and Data Owners are notified that their review is needed.

Policy in Review

Data Governors and Data Owners can click a policy to see its status in the review process, approve it, or request changes to it.

User Requests Changes

When users request changes to a policy, they are required to provide an explanation for the revision. Then, the request freezes the approval process until an update is made to the policy by a Data Governor. Users who previously approved the policy will need to re-approve the changes before the policy can be promoted.

User Approves a Policy

When users approve a policy, they are prompted to provide an optional comment. After their approval, the policy status updates to show how many more approvals are required.

Policy is Promoted and Added to Production

After the policy is fully approved, a Data Governor must promote it through the Immuta CLI before the policy can be added to the production environment through the CLI.

User Roles in Approval Process

Instead of requiring users to have a specific permission to approve policies, APT requires that a minimum number of users (which can be adjusted to fit your organization's needs) approve a policy before it can become active on data sources in production.

Three different personas are involved in the Approve to Promote process:

  • System Administrators: These users must enable Approve to Promote in the Advanced Configuration section of the App Settings page.
  • Data Governors: Data Governors create Global Policies, which are the only policies that can be approved and promoted. Additionally, other Governors review and approve Global Policies, but they cannot approve their own policies.
  • Data Owners: Since Data Owners can evaluate whether or not policies are applied correctly, these users can also review Global Policies, but only those that are active on data sources they own.

Users who have participated in the approval process (either by creating a policy or reviewing it) will receive notifications when an approval action is made.

Limitations

  • This workflow relies on the proper use of the development and production environments. There is nothing in place that stops users from editing policies directly in prod, so users will need to adhere to the workflow of editing policies in dev and then saving to prod through the Immuta CLI.
  • To delete a policy in production, a user needs to stage the policy in development, and then go through the approval process, promote that policy, and save it to production so that it is no longer in effect in the production instance.