Immuta Permissions and Personas
Permissions are a system-level mechanism that controls what actions a user is allowed to take through the Immuta
Permissions can be added to any user by a user admin (any user with the USER_ADMIN permission), but the permissions themselves are managed by Immuta and cannot be added or removed in the Immuta UI; however, custom permissions can be created on the app settings page.
The table below shows which Immuta permissions map to which Immuta personas.
|These users have access to the administrative actions for the configuration of Immuta. They can
|These users can access audit logs for their entire organization. Data owners can view audit logs for the data sources they own.
|Data governors set global policies within Immuta, meaning they can restrict the ways that data is used within Immuta across multiple projects and data sources. Governors can also set purpose-based usage restrictions on projects, which can help limit the ways that data is used within Immuta. By default, governors can subscribe to data sources; however, this setting can be disabled on the app settings page to remove the governor's ability to create or subscribe to data sources. Additionally, users can be a governor and admin simultaneously by default, but this setting can also be changed to render the governor and admin roles mutually exclusive.
|To be a data owner, a user must have one of the following Immuta permissions or be manually assigned ownership of a data source:
|For data to be available in the Immuta platform, a data owner — the individual or team responsible for the data — needs to connect their data to Immuta. Once data is connected to Immuta, that data is called a data source. In the process of creating a data source, data owners are able to set policies on their data that restrict which users can access the data source, which rows within the data a user can access, and which columns within the data a user can see. Data owners can also view the audit page in Immuta, but they are limited to only viewing records related to the data sources they own.
|Users do not need any permissions assigned to them to subscribe to data sources. However, they can have any of the Immuta permissions described below:
|Data users query data that’s been made available through Immuta.
|Project managers oversee projects by creating, approving, or denying purposes in projects and adding and removing project data sources.
|These users have access to the administrative actions for managing users in Immuta. They can
See Manage personas and permissions for guidance on adding and removing permissions.