Skip to content

You are viewing documentation for Immuta version 2022.4.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

Immuta Permissions and Personas

Permissions are a system-level mechanism that control what actions a user is allowed to take through the Immuta API and UI. Permissions can be added to any user by a User Admin (any user with the USER_ADMIN permission), but the permissions themselves are managed by Immuta and cannot be added or removed in the Immuta UI; however, custom permissions can be created on the App Settings page.

The table below illustrates what Immuta permissions map to specific Immuta personas.

Persona Permissions Description
Application Admins APPLICATION_ADMIN These users have access to the administrative actions for the configuration of Immuta. They can
Auditors AUDIT These users can access audit logs for their entire organization.
Data Governors GOVERNANCE Data Governors set Global Policies within Immuta, meaning they can restrict the ways that data is used within Immuta across multiple projects and data sources. Governors can also set purpose-based usage restrictions on projects, which can help limit the ways that data is used within Immuta. By default, Governors can subscribe to data sources; however, this setting can be disabled in the Immuta Configuration, removing the Governor's ability to create or subscribe to data sources. Additionally, users can be a Governor and Admin simultaneously by default, but this setting can also be changed in permissions, rendering the Governor and Admin roles mutually exclusive.
Data Owners
  • CREATE_DATA_SOURCE: Gives the user the ability to create data sources.
  • CREATE_DATA_SOURCE_IN_PROJECT: Gives the user the ability to create data sources within a project.
  • CREATE_S3_DATASOURCE_WITH_INSTANCE_ROLE: When creating an S3 data source, this allows the user to the handler to assume an AWS Role when ingesting data.
  • CREATE_FILTER: Gives the user the ability to create and save a search filter.
  • CREATE_PROJECT: Gives the user the ability to create projects.
    		 For data to be available in the Immuta platform, a Data Owner — the individual or team responsible for the data — needs to connect their data to Immuta. Once data is connected to Immuta, that data is called a data source. In the process of creating a data source, Data Owners are able to set policies on their data that restrict which users can access the data source, which rows within the data a user can access, and which columns within the data a user can see or be restricted. Data Owners can also decide whether to make their data source public, which makes it available for discovery to all users in the Immuta Web UI, or make it private, so that only the Data Owner and its assigned subscribers know it exists.
    Data Users
    • CREATE_FILTER: Gives the user the ability to create and save a search filter.
    • CREATE_PROJECT: Gives the user the ability to create projects.
    • IMPERSONATE_HDFS_USER: When creating an HDFS data source, this allows the user to enter any HDFS user name to use when accessing data.
    • IMPERSONATE_USER: Allows the user to impersonate another user when accessing data.
    		 Data Users query data that’s been made available through Immuta.
    Project Managers PROJECT_MANAGEMENT Project Managers oversee projects by creating, approving, or denying purposes in projects and adding and removing project data sources.
    User Admins USER_ADMIN These users have access to the administrative actions for managing users in Immuta. They can
    • create and manage users and groups
    • add and remove user permissions
    • create and manage user attributes

    See Manage Personas and Permissions for a tutorial on adding and removing permissions.