Global Policies in Immuta
Audience: Data Governors
Content Summary: Policies in Immuta are managed and applied to data sources and projects by Data Owners and Governors to restrict access to data. Global Policies are created by Data Governors and apply to all data sources across an organization. In contrast, Local Policies can be created by Data Owners or Data Governors and apply to a specific data source. This page details the types of Global Policies in Immuta: Global Subscription Policies and Global Data Policies.
Best Practice: Access Controls
It is important to remember that, in most cases, the goal is to share as much data as possible while still being compliant with privacy regulations. Immuta recommends a scale of wide Subscription Policies and specific Data Policies to give as much access as possible.
Governors control how subscribers gain access to a data source through Subscription Policies.
These policies comprise four levels of restriction:
- Anyone: Users are automatically granted access.
- Anyone Who Asks (and is Approved): Users must request access and then be approved. This restriction supports multiple approving parties, meaning that Data Owners can allow more than one approver or users with specified permission types to approve other users who subscribe to the data source.
- Users with Specific Groups/Attributes: Only users with the groups/attributes Data Owners specify will be able to see and access the data source.
- Individual Users You Select: Only users Data Owners manually select will be able to see and access the data source.
See Write a Global Subscription Policy for a tutorial.
Best Practice: Writing Policies
Use the minimum number of policies possible to achieve the data privacy needed.
Data Policies determine what data users see when they've gained access to a data source. The types of Data Policies are defined below, but for a detailed explanation of each type, see the Appendix.
|Masking||Masking policies hide values in data, providing various levels of utility while still preserving privacy.|
|Row Redaction||For query-backed data sources, Governors can restrict which rows in the data source tables are visible to which users. This redaction is done by matching values in a specific column against a user's groups, attributes, or purposes.|
|Minimization||These policies hide a specified percentage of query results from a user, based on a column with high cardinality (e.g., an employee ID number or other unique identifier).|
|Time-based Restrictions||If a data source has time-based restriction policies, queries run against the data source by a user will only return rows/blobs with a date in its
|Purpose-based Restrictions||Governors in Immuta can restrict usage of any data source to one or more purposes. If a user wishes to run SQL queries against a purpose-restricted data source, they must use the SQL credentials provided by a project containing that purpose.|
|Differential Privacy||Data sources with Differential Privacy policies will only return results for a certain type of SQL query: aggregates, such as the
See Write a Global Data Policy for a tutorial.
For all policies except purpose-based restriction policies, inclusionary logic allows Governors to vary policy actions with an Otherwise clause.
For example, Governors could mask values using hashing for users acting under a specified purpose while masking those same values by making null for everyone else who accesses the data.
This variation can be created by selecting for everyone who when available from the condition dropdown menus and then completing the Otherwise clause.
SQL Support Matrix
The SQL Support Matrix button in the top right corner of the Data Policy Builder allows users to view all masking policy types and details what is supported for each access pattern.
Global Data Policy Custom Certifications
When building a Global Data Policy, Governors can create custom certifications, which must then be acknowledged by Data Owners when the policy is applied to data sources.
When a Global Data Policy with a custom certification is cloned, the certification is also cloned. If the user who clones the policy and custom certification is not a Governor, the policy will only be applied to data sources that user owns.
Templated Global Data Policies
Immuta includes two templated Global Policies: the HIPAA De-identification Policy and the California Consumer Privacy Act (CCPA) Policy. Governors can activate these Global Policies to automatically enforce restrictions on data sources that have had relevant tags applied to them by users or Sensitive Data Discovery.
To learn how to activate a templated policy, navigate to the tutorial.
Staged Global Policies
Governors stage Global Policies to safely review and edit them without affecting data sources. Once a policy is ready, Governors can activate it to immediately enforce the policy on relevant data sources. See Clone, Activate, or Stage a Global Policy for a tutorial.
Note: Policies that contain the circumstance When selected by data owners cannot be staged.