Immuta Permissions and Personas
Permissions are a system-level mechanism that controls what actions a user is allowed to take through the Immuta
Permissions can be added to any user by a user admin (any user with the USER_ADMIN permission), but the permissions themselves are managed by Immuta and cannot be added or removed in the Immuta UI; however, custom permissions can be created on the app settings page.
The table below shows which Immuta permissions map to which Immuta personas.
||These users have access to the administrative actions for the configuration of Immuta. They can|
||These users can access audit logs for their entire organization. Data owners can view audit logs for the data sources they own.|
||Data governors set global policies within Immuta, meaning they can restrict the ways that data is used within Immuta across multiple projects and data sources. Governors can also set purpose-based usage restrictions on projects, which can help limit the ways that data is used within Immuta. By default, governors can subscribe to data sources; however, this setting can be disabled on the app settings page to remove the governor's ability to create or subscribe to data sources. Additionally, users can be a governor and admin simultaneously by default, but this setting can also be changed to render the governor and admin roles mutually exclusive.|
|Data owners||To be a data owner, a user must have one of the following Immuta permissions or be manually assigned ownership of a data source:
||For data to be available in the Immuta platform, a data owner — the individual or team responsible for the data — needs to connect their data to Immuta. Once data is connected to Immuta, that data is called a data source. In the process of creating a data source, data owners are able to set policies on their data that restrict which users can access the data source, which rows within the data a user can access, and which columns within the data a user can see. Data owners can also view the audit page in Immuta, but they are limited to only viewing records related to the data sources they own.|
|Data users||Users do not need any permissions assigned to them to subscribe to data sources. However, they can have any of the Immuta permissions described below:
||Data users query data that’s been made available through Immuta.|
||Project Managers oversee projects by creating, approving, or denying purposes in projects and adding and removing project data sources.|
||These users have access to the administrative actions for managing users in Immuta. They can|
See Manage personas and permissions for guidance on adding and removing permissions.