Approve and Promote a Global Policy

Audience: Data Governors and Data Owners

Content Summary: This page outlines how to approve and promote Global Policies in a development environment to be activated in a production environment. For instructions on enabling this feature, see Enable Approve to Promote. For an overview of the feature, see the Approve to Promote Overview page.

Prerequisite: Approve to Promote enabled on a development instance of Immuta.

Additional Tutorial

Use Case

Compliance Requirement: Policies must be written in Dev and then approved by the compliance team before they are moved into the Prod environment. Additionally, all personal data must be made null.

After enabling Approve to Promote, this organization can use the feature to implement its approval workflow: Data Governors create Global Policies in Dev that are then reviewed before being approved and promoted to Prod.

This tutorial uses this example to illustrate the Approve to Promote feature.

1 - Configure the Dev and Prod Instance in the Immuta CLI

Production Instance Cannot Have Approve to Promote Enabled

The production instance of Immuta cannot have the Approve to Promote feature enabled on the App Settings page. This configuration should only be applied to the development instance.

Before you can add promoted policies to the production environment, you need to configure the production environment as an additional profile in the Immuta CLI.

  1. Run immuta configure -p dev. Note: dev is the profile name of the development instance in this example. You can use a different name.
  2. Enter the URL and your API Key for your development Immuta instance in the interactive prompt.

    $ immuta configure -p dev
    ? What is the url of the immuta instance you use?: https://your.dev.instance.url.com/
    ? What is the api key of your immuta user account?:  ***************************
    
    Updated the config at /Users/user/.immutacfg.yaml
    
  3. Run immuta configure -p prod. Note: prod is the profile name of the production instance in this example. You can use a different name.

  4. Enter the URL and your API Key for your production Immuta instance in the interactive prompt.

    $ immuta configure -p prod
    ? What is the url of the immuta instance you use?: https://your.prod.instance.url.com/
    ? What is the api key of your immuta user account?:  ***************************
    
    Updated the config at /Users/user/.immutacfg.yaml
    

Below is the configuration file that will be saved at ~/.immutacfg.yaml:

dev:
  api_key: <api key>
  host: https://your.dev.instance.url.com
prod:
  api_key: <api key>
  host: https://your.prod.instance.url.com
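
The file above stores the API keys for both environments in plain text, so it is worth auditing before it is used for promotion. The following is an added example, not part of the Immuta CLI or its documentation: a POSIX shell check of that layout that flags group/other-accessible permissions, missing fields, non-HTTPS hosts, and dev and prod profiles that share a host or a key. The function names and finding labels are made up for this example, and treating a shared key as a finding is an assumption about good practice rather than an Immuta requirement.

```shell
# Added example: audit an Immuta CLI config laid out as on this page
# (top-level profile names, indented api_key/host). Not Immuta's own code.

# Print the value of KEY ($3) under PROFILE ($2) in file $1.
cfg_get() {
  awk -v p="$2" -v k="$3" '
    /^[^ #][^:]*:/ { cur = $0; sub(/:.*/, "", cur); next }
    cur == p && $1 == (k ":") { print $2; exit }
  ' "$1"
}

# Print one finding per line; return the number of findings (0 = clean).
audit_immuta_cfg() {
  cfg=$1 dev=${2:-dev} prod=${3:-prod} n=0
  # Characters 5-10 of the ls -l mode string are the group/other bits.
  if [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
    echo "PERMS: $cfg is accessible to group/other; chmod 600 it"; n=$((n+1))
  fi
  for p in "$dev" "$prod"; do
    host=$(cfg_get "$cfg" "$p" host); key=$(cfg_get "$cfg" "$p" api_key)
    if [ -z "$host" ] || [ -z "$key" ]; then
      echo "MISSING: profile '$p' lacks host or api_key"; n=$((n+1))
    fi
    case $host in
      https://*|"") ;;
      *) echo "NO_TLS: profile '$p' host is not https"; n=$((n+1)) ;;
    esac
  done
  dh=$(cfg_get "$cfg" "$dev" host); ph=$(cfg_get "$cfg" "$prod" host)
  if [ -n "$dh" ] && [ "${dh%/}" = "${ph%/}" ]; then
    echo "SAME_HOST: '$dev' and '$prod' point at the same instance"; n=$((n+1))
  fi
  dk=$(cfg_get "$cfg" "$dev" api_key); pk=$(cfg_get "$cfg" "$prod" api_key)
  if [ -n "$dk" ] && [ "$dk" = "$pk" ]; then
    echo "SHARED_KEY: '$dev' and '$prod' use the same api_key"; n=$((n+1))
  fi
  return "$n"
}

# Constructed sample (not real values): readable by others, one host, one key.
demo=$(mktemp)
printf 'dev:\n  api_key: k1\n  host: https://imm.example.test\nprod:\n  api_key: k1\n  host: https://imm.example.test/\n' > "$demo"
chmod 644 "$demo"
audit_immuta_cfg "$demo" || echo "findings: $?"
rm -f "$demo"
```

Pass the path to the real file and, if you chose other profile names, those names as the second and third arguments.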

2 - Build the Global Policy in Dev

Create a Global Data Policy in the development instance that masks all columns tagged Discovered.PII. In the example below, the policy masks by hashing:

Create a Policy

Once the policy is created, it will be marked as In Review and applied to data sources in the development environment, allowing Data Owners to evaluate whether or not the policy is enforcing restrictions appropriately.

Policy in Review

3 - Review the Policy

After the policy is created, other Data Governors and users who own affected data sources will be notified that a Global Policy is ready for their review.

User Receives Request

  1. Navigate to the policy by

    • clicking the Review button in the Activity Dropdown or on the Requests tab of your user profile page.
    • clicking the Policies icon in the left sidebar and selecting the Data Policies tab.
  2. Opt to approve the policy or request changes. Both options are described below.

    Approve the Policy

    1. Click the policy to expand the In Review window.

      Approve or Request Changes

    2. Click Approve, and opt to provide a comment in the modal that appears.

    3. Click Approve to confirm.

    Once the configured number of users (set on the App Settings page) approves the policy, the policy moves out of review and can be promoted.

    Policy Approved

    Request Changes

    1. Click the policy to expand the In Review window.

      Approve or Request Changes

    2. Click Request Changes and provide a comment in the modal that appears.

    3. Click Request to confirm.

      Request Changes

    If changes are requested, a Data Governor must revise the Global Policy to apply the changes. Once these changes are made, the policy will need to be reviewed again by the specified number of users. Users will receive another notification that their review is required.

    Action Required

4 - Revise the Policy

If changes are requested, a Data Governor must revise the Global Policy to apply the changes.

  1. Navigate to Global Policy and select Edit from the dropdown menu.

    Edit the Policy

  2. Update the policy to reflect the changes requested. In this example, the Data Governor updates the policy to mask personal identifiers by making null.

    Make Null

Users will receive another notification that their review is required. The policy must be approved by the required number of users before it can be promoted.

5 - Promote the Policy

System Policies Not Included in Export

System policies (such as New Column Added) will not be included in the export described below, as no changes can be made to them by users and they already exist in production instances. Once the staging or activating of these policies in development is approved, a Data Governor can stage or activate the policy in production.

Additionally, you cannot delete active system policies in the development environment.

To promote the policy, run the following command, which clones the policy and saves it in a policy folder in the path you specify. Note: If you run this command more than one time, you need to change the names of (or delete) the files that were already cloned to avoid an error; this process preserves the cloning history.

immuta policy clone --promote ./approved-policies-folder

Once a policy is promoted, the Immuta UI displays the Promoted status.

Policy Promoted

6 - Save the Policy in Prod

To add the Global Policy to the production environment, save the policy through the Immuta CLI, specifying the name of the profile you created for the production environment in step 1, the file path, and the policy name.

immuta policy save --profile prod ./approved-policies/policy/Mask--PII.yaml

The policy will be applied to data sources in the production environment.

Policy Added in Prod

Additional Tutorials

Rescind Your Approval

Users can also rescind their approval of a policy.

  1. Click the policy to expand the In Review window.
  2. Click Rescind Your Approval and opt to provide a comment in the modal that appears.
  3. Click Rescind to confirm.

    Rescind