The same security restrictions regarding data sources are applied to projects: project members still need to be subscribed to data sources to access data, and only users with appropriate attributes and credentials can see the data if it contains any row-level or masking security.
However, project equalization improves collaboration by ensuring that the data in the project looks identical to all members, regardless of their level of access to data. When enabled, this feature automatically equalizes all permissions so that no project member has more access to data than the member with the least access. For a tutorial on enabling equalization, navigate to the Manage equalization guide. Note: Only project owners can add data sources to the project if this feature is enabled.
Once project equalization is enabled, the subscription policy for the project is locked and can only be adjusted by the project owner by changing the equalized entitlements. For users to access data sources within the project (and for the equalization to take effect), users must switch their context to the project.
This setting adjusts the minimum entitlements (i.e., users' groups and attributes) required to join the project and to access data within the project. When project equalization is enabled, equalized entitlements default to Immuta's recommended settings, but project owners can edit these settings by adding or removing parts of the entitlements. However, making these changes entails two potential disadvantages:
If you add entitlements, members might see more data as a whole, but at least some members of the project will be out of compliance. The status of users' compliance is visible from the members tab within the project.
If you remove entitlements, the project will be open to users with fewer privileges, but this change might make less data visible to all project members. Removing entitlements is only recommended if you foresee new users joining with less access to data than the current members.
This setting determines how often user credentials are validated, which is critical if users share data with project members outside of Immuta, as they need a way to verify that those members' permissions are still valid.
Once project equalization is enabled, the project subscription policy builder locks and can only be adjusted by manually editing the equalized entitlements. Then, the subscription policy will combine with the entitlement settings, depending on the policy type.
The way entitlements and approvals combine differs depending on the policy type; for clarity, the table below illustrates various scenarios for each type. Every row demonstrates how a specific project subscription policy changes after project equalization is enabled (when an equalized entitlement is set and when no entitlement is set) and how the policy reverts if project equalization is subsequently disabled.
Original policy | Equalized policy (example entitlement: member of group Accounting) | Equalized policy (no entitlement) | Policy after disabling equalization |
---|---|---|---|
For example, consider the subscription policy of the following sample project, Fraud Prevention, before project equalization is enabled:
Fraud prevention
Subscription policy: Allow users to subscribe when approved by anyone with permission owner (of this project).
After enabling project equalization, the following equalized entitlement is recommended by Immuta: User is a member of group Claims and Billing Department.
In this particular example, the equalized subscription policy contains the equalized entitlement and the approval of the original policy, so users must satisfy both conditions to subscribe:
the user must be a member of the group Claims and Billing Department
the user must be approved by anyone with permission Owner (of this project).
Anyone
Allow user to subscribe when user is a member of group Accounting
Individual users you select
Individual users you select
Allow users to subscribe when approved by anyone with permission owner (of this project)
Allow users to subscribe when they satisfy all of the following: is a member of group Accounting and is approved by anyone with permission owner (of this project)
Allow users to subscribe when approved by anyone with permission owner (of this project)
Allow users to subscribe when approved by anyone with permission owner (of this project)
Allow users to subscribe to the project when user is a member of group Legal
Allow users to subscribe to the project when user is a member of group Accounting
Individual users you select
Individual users you select
Individual users you select
Allow users to subscribe to the project when user is a member of group Accounting
Individual users you select
Individual users you select