Skip to content

Subscription Policies

Audience: Data Owners and Governors

Content Summary: Subscription Policies in Immuta are managed and applied to data sources and projects by Data Owners and Governors to restrict access to data. Subscription Policies can be applied as Local Policies or Global Policies.

This page outlines the types of Subscription Policies users can create and manage in Immuta.

Video Tutorial: Subscription Policies

To access a data source, Immuta users must first be subscribed to that data source. A Subscription Policy determines who can request access and has one of four possible restriction levels:

  • Anyone: Users will automatically be granted access (Least Restricted).
  • Anyone Who Asks (and is Approved): Users will need to request access and be granted permission by the configured approvers (Moderately Restricted).
  • Users with Specific Groups/Attributes: Only users with the specified groups/attributes will be able to see the data source and subscribe (Moderately Restricted).
  • Individual Users You Select: The data source will not appear in search results; data owners must manually add/remove users (Most Restricted).

For a tutorial on managing Subscription Policies, navigate to the Data Owner Guide.

Combining Global Subscription Policies

In some cases, multiple Global Subscription Policies created by a Data Governor may apply to a single data source. Rather than having the two policies conflict, the conditions of the Subscription Policies are combined, as illustrated below.

Data Governors select whether the Global Subscription policy should be

  • Always Required: Users must meet all the conditions outlined in each policy to get access (i.e., the conditions of the policies are combined with AND).

  • Share Responsibility: Users need to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with OR).

Consider the following Global Subscription Policies created by a Data Governor on the same data source:

  • Policy 1: (Always Required) Allow users to subscribe to the data source when user is a member of group HR; otherwise, allow users to subscribe when approved by an Owner of the data source.
  • Policy 2: (Shared Responsibility) Allow users to subscribe to the data source when user is a member of group Analytics; otherwise, allow users to subscribe when approved by anyone with permission Governance.
  • Policy 3: (Shared Responsibility) Allow users to subscribe to the data source when user has attribute Office Location Ohio; otherwise, allow users to subscribe when approved by anyone with permission Audit.

If a Data Owner creates a data source and all of these policies apply, the user must meet the requirements of the Always Required policy and the requirements of at least one of the Shared Responsibility policies. Instead of having a conflict, the Subscription Policies are combined:

Sub Policy Combined

By default, users must meet all the conditions outlined in each Global Subscription policy that has been combined on a data source to get access (i.e., the conditions of the policies are combined with AND). However, Governors can opt to check the Shared Responsibility box if they would like users to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with OR).

Once enabled on a data source, Global Subscription Policies can be edited and disabled by Data Owners. See the Local Policy Builder Tutorial for instructions.

Global Subscription Policy Conflicts

When two or more Global Subscription policies from the following list apply to the same data source they may conflict: Anyone, Anyone Who Asks (and is Approved), and Individual Users You Select. Because the Data Owners know their data the best, each has the ability to manually choose which policy will apply when there is a conflict. To do this the Data Owner must

  1. Disable the applied Global Subscription policy in the Policies Tab on a data source.

    Disable Global Subscription Policy

  2. Provide a reason the Global Policy should be disabled.

    Disable Global Subscription Policy Reasoning

  3. Select which conflicting Global Subscription policy they want to apply.

    Choose Global Subscription Policy