Approve to Promote Overview
Approve to Promote allows users to incorporate an approval process in their policy workflow. For instructions to enable this feature, see Enable Approve to Promote. To use the feature, see the Approve and Promote Policies to Production tutorial.
Approve to Promote Process
Approve to Promote allows users to create and review policies in a development environment before activating them on data sources in production environments. Any Global Policies that are created, edited, or staged will go through the approval process outlined below:
- A Data Governor creates a Global Policy in the development environment.
- The policy is reviewed by Data Owners and other Data Governors, who either request changes or approve the policy.
- Once the policy is approved, a Data Governor promotes the policy through the Immuta CLI.
- A Data Governor saves the policy to the production environment through the Immuta CLI.
Policy Created in Development Environment
When a Global Policy is created or updated (including staging and activating the policy) in a development environment, the status of the policy is labeled as In Review and other Data Governors and Data Owners are notified that their review is needed.
Data Governors and Data Owners can click a policy to see its status in the review process, approve it, or request changes to it.
User Requests Changes
When users request changes to a policy, they are required to provide an explanation for the revision. The request then freezes the approval process until a Data Governor updates the policy. Users who previously approved the policy will need to re-approve the changes before the policy can be promoted.
User Approves a Policy
When users approve a policy, they are prompted to provide an optional comment. After their approval, the policy status updates to show how many more approvals are required.
Policy is Promoted and Added to Production
After the policy is fully approved, a Data Governor must promote it through the Immuta CLI before the policy can be added to the production environment through the CLI.
User Roles in Approval Process
Instead of requiring users to have a specific permission to approve policies, Approve to Promote (APT) requires that a minimum number of users (which can be adjusted to fit your organization's needs) approve a policy before it can become active on data sources in production.
Three different personas are involved in the Approve to Promote process:
- System Administrators: These users must enable Approve to Promote in the Advanced Configuration section of the App Settings page.
- Data Governors: Data Governors create Global Policies, which are the only policies that can be approved and promoted. Additionally, other Governors review and approve Global Policies, but they cannot approve their own policies.
- Data Owners: Since Data Owners can evaluate whether or not policies are applied correctly, these users can also review Global Policies, but only those that are active on data sources they own.
Users who have participated in the approval process (either by creating a policy or reviewing it) will receive notifications when an approval action is made.
- This workflow relies on the proper use of the development and production environments. There is nothing in place that stops users from editing policies directly in prod, so users will need to adhere to the workflow of editing policies in dev and then saving to prod through the Immuta CLI.
- To delete a policy in production, a user needs to stage the policy in development, and then go through the approval process, promote that policy, and save it to production so that it is no longer in effect in the production instance.
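The review rules above (self-approval blocked for the creating Governor, Data Owners limited to policies on sources they own, a change request freezing and resetting approvals, and a configurable approval threshold) as a small state-machine model. This is an added, hypothetical example written for this page; it is not Immuta's implementation, and the role names, status strings and default threshold of 2 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the Approve to Promote review rules (not Immuta code).
# Status values and the default threshold are assumptions for illustration.

@dataclass
class User:
    name: str
    role: str                                  # "governor" or "owner" (assumed)
    owned_sources: set = field(default_factory=set)

@dataclass
class Policy:
    name: str
    created_by: str                            # Governor who created/edited it
    data_sources: set                          # sources the policy is active on
    min_approvals: int = 2                     # adjustable threshold
    status: str = "In Review"
    approvals: set = field(default_factory=set)
    change_request: Optional[str] = None       # non-None freezes approvals

def can_review(user: User, policy: Policy) -> bool:
    if user.role == "governor":
        return user.name != policy.created_by  # Governors never self-approve
    if user.role == "owner":                   # Owners: only sources they own
        return bool(user.owned_sources & policy.data_sources)
    return False

def request_changes(user: User, policy: Policy, reason: str) -> None:
    if not can_review(user, policy) or not reason:   # explanation is required
        raise PermissionError("reviewer not eligible or reason missing")
    policy.change_request, policy.status = reason, "Changes Requested"

def update_policy(governor: User, policy: Policy) -> None:
    # A Governor's edit lifts the freeze; earlier approvers must re-approve.
    if governor.role != "governor":
        raise PermissionError("only a Data Governor can update the policy")
    policy.change_request, policy.status = None, "In Review"
    policy.approvals.clear()

def approve(user: User, policy: Policy, comment: str = "") -> int:
    """Record an approval; return how many more approvals are still needed."""
    if policy.change_request is not None:
        raise RuntimeError("approvals frozen until the policy is updated")
    if not can_review(user, policy):
        raise PermissionError(f"{user.name} may not approve {policy.name}")
    policy.approvals.add(user.name)             # a set: no double counting
    remaining = max(0, policy.min_approvals - len(policy.approvals))
    if remaining == 0:
        policy.status = "Approved"
    return remaining

def promote(governor: User, policy: Policy) -> None:
    if governor.role != "governor" or policy.status != "Approved":
        raise RuntimeError("only a fully approved policy can be promoted")
    policy.status = "Promoted"                  # ready to be saved to production
```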