Approve and Promote a Global Policy
Audience: Data Governors and Data Owners
Content Summary: This page outlines how to approve and promote Global Policies in a development environment to be activated in a production environment. For instructions on enabling this feature, see Enable Approve to Promote. For an overview of the feature, see the Approve to Promote Overview page.
Compliance Requirement: Policies must be written in Dev and then approved by the compliance team before they are moved into the Prod environment. Additionally, all personal data must be made null.
After enabling Approve to Promote, this organization can use this feature to allow for their approval workflow: Data Governors create Global Policies in Dev that are then reviewed before being approved and promoted to Prod.
This tutorial uses this example to illustrate the Approve to Promote feature.
1 - Configure the Dev and Prod Instance in the Immuta CLI
Production Instance Cannot Have Approve to Promote Enabled
The production instance of Immuta cannot have the Approve to Promote feature enabled on the App Settings page. This configuration should only be applied to the development instance.
Before you can add promoted policies to the production environment, you need to configure the production environment as an additional profile in the Immuta CLI.
Run immuta configure -p dev. Note: dev is the profile name of the development instance in this example. You can use a different name.
Enter the URL and your API Key for your development Immuta instance in the interactive prompt.
$ immuta configure -p dev
? What is the url of the immuta instance you use?: https://your.dev.instance.url.com/
? What is the api key of your immuta user account?: ***************************
Updated the config at /Users/user/.immutacfg.yaml
Run immuta configure -p prod. Note: prod is the profile name of the production instance in this example. You can use a different name.
Enter the URL and your API Key for your production Immuta instance in the interactive prompt.
$ immuta configure -p prod
? What is the url of the immuta instance you use?: https://your.prod.instance.url.com/
? What is the api key of your immuta user account?: ***************************
Updated the config at /Users/user/.immutacfg.yaml
Below is the configuration file that will be saved at
dev:
  api_key: <api key>
  host: https://your.dev.instance.url.com
prod:
  api_key: <apiKey>
  host: https://your.prod.instance.url.com
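A pre-flight check for the configuration file shown above, added here as an example (it is not Immuta's own tooling): because the file stores both API keys in plain text, the script checks that group and other users have no access to it, that each profile has an https host and a key, and that the dev and prod profiles do not point to the same instance. The function names and sample keys are hypothetical, and the parser assumes the simple two-level layout shown above.

```sh
#!/bin/sh
# Added example, not part of the Immuta CLI. Assumes the two-level layout
# shown above: a profile name, then indented api_key and host entries.

# Print the value of KEY under PROFILE (unquoted scalar values only).
profile_value() {
  awk -v p="$2" -v k="$3" '
    /^[^ \t#][^:]*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
    cur == p && $1 == (k ":") { sub(/^[ \t]*[^:]+:[ \t]*/, ""); print; exit }
  ' "$1"
}

# Return 0 only if the file is private and both profiles look sane.
check_immuta_config() {
  cfg=$1 dev=${2:-dev} prod=${3:-prod} rc=0
  [ -f "$cfg" ] || { echo "FAIL: no config at $cfg" >&2; return 2; }
  # API keys are stored in plain text: group/other must have no access.
  if [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $cfg is open to group/other (chmod 600)" >&2; rc=1
  fi
  for p in "$dev" "$prod"; do
    case $(profile_value "$cfg" "$p" host) in
      https://*) ;;
      *) echo "FAIL: profile $p: host missing or not https" >&2; rc=1 ;;
    esac
    [ -n "$(profile_value "$cfg" "$p" api_key)" ] ||
      { echo "FAIL: profile $p: no api_key" >&2; rc=1; }
  done
  # Same host under both names would save "promoted" policies back to dev.
  d=$(profile_value "$cfg" "$dev" host); q=$(profile_value "$cfg" "$prod" host)
  if [ -n "$d" ] && [ "${d%/}" = "${q%/}" ]; then
    echo "FAIL: $dev and $prod use the same host" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample mirroring the file above (placeholder keys, not real).
demo=$(mktemp)
cat > "$demo" <<'EOF'
dev:
  api_key: CONSTRUCTED-DEV-KEY
  host: https://your.dev.instance.url.com
prod:
  api_key: CONSTRUCTED-PROD-KEY
  host: https://your.prod.instance.url.com
EOF
check_immuta_config "$demo" && echo "config OK"
rm -f "$demo"
```

To check a real file, call check_immuta_config with the path printed by immuta configure and, if you chose other profile names, pass them as the second and third arguments.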
2 - Build the Global Policy in Dev
Create a Global Data Policy in the development instance that masks all columns tagged
In the example below, the policy masks by hashing:
Once the policy is created, it will be marked as In Review and applied to data sources in the development environment, allowing Data Owners to evaluate whether or not the policy is enforcing restrictions appropriately.
3 - Review the Policy
After the policy is created, other Data Governors and users who own affected data sources will be notified that a Global Policy is ready for their review.
Navigate to the policy by
- clicking the Review button in the Activity Dropdown or on the Requests tab of your user profile page.
- clicking the Policies icon in the left sidebar and selecting the Data Policies tab.
Opt to approve the policy or request changes. Use the tabs below to view both of these options.
Approve the Policy
Click the policy to expand the In Review window.
Click Approve, and opt to provide a comment in the modal that appears.
Click Approve to confirm.
Once the configured number of users (set on the App Settings page) approves the policy, the policy moves out of review and can be promoted.
Request Changes
Click the policy to expand the In Review window.
Click Request Changes and provide a comment in the modal that appears.
Click Request to confirm.
If changes are requested, a Data Governor must revise the Global Policy to apply the changes. Once these changes are made, the policy will need to be reviewed again by the specified number of users. Users will receive another notification that their review is required.
4 - Revise the Policy
If changes are requested, a Data Governor must revise the Global Policy to apply the changes.
Navigate to Global Policy and select Edit from the dropdown menu.
Update the policy to reflect the changes requested. In this example, the Data Governor updates the policy to mask personal identifiers by making null.
Users will receive another notification that their review is required. The policy must be approved by the required number of users before it can be promoted.
5 - Promote the Policy
System Policies Not Included in Export
System policies (such as New Column Added) will not be included in the export described below, as no changes can be made to them by users and they already exist in production instances. Once the staging or activating of these policies in development is approved, a Data Governor can stage or activate the policy in production.
Additionally, you cannot delete active system policies in the development environment.
To promote the policy, run the following command, which clones the policy and saves it in a policy folder in the path you specify. Note: If you run this command more than one time, you need to change the names of (or delete) the files that were already cloned to avoid an error; this process preserves the cloning history.
immuta policy clone --promote ./approved-policies-folder
Once a policy is promoted, the Immuta UI displays the Promoted status.
6 - Save the Policy in Prod
To add the Global Policy to the production environment, save the policy through the Immuta CLI, specifying the name of the profile you created for the production environment in step 1, the file path, and the policy name.
immuta policy save --profile prod ./approved-policies/policy/Mask--PII.yaml
The policy will be applied to data sources in the production environment.
Rescind Your Approval
Users can also rescind their approval of a policy.
- Click the policy to expand the In Review window.
- Click Rescind Your Approval and opt to provide a comment in the modal that appears.
- Click Rescind to confirm.