1 of 74

Developer Guides

This section includes guides for interacting with Immuta through the Immuta CLI and API.

Immuta CLI

The Immuta CLI allows users to interact with their Immuta tenant using the command line to manage data sources, projects, policies, and purposes. This feature allows you to have all of your Immuta tenant information in a Git repository and use the CLI to sync your Immuta tenant with the files in your Git repository.

This section includes reference and how-to guides for using the integrations API, Immuta V1 API, and Immuta V2 API.

The Immuta CLI

Section Overview

You can navigate this section of documentation in two different ways: by workflow or by command.

Workflow

The navigation in the left pane is organized by major workflows you would use in Immuta. Each workflow contains relevant commands. Follow this chronological outline to find commands relevant to your workflow.

Commands

Below is a list of major commands available in the Immuta CLI. Click a command to navigate to its corresponding page that details subcommands, options, and arguments.

: Interact with your Immuta tenant to create data sources, projects, policies, and purposes.
: Make an authenticated Immuta API request. This command will let you hit any endpoint in the Immuta API, including . For example, immuta api /tag will hit the v1 endpoint to list tags. This allows you to use the immuta api command instead of something like Postman or cURL to interact with the V1 API.
: Clone all data sources, projects, purposes, and policies information into files.

Install and Configure the Immuta CLI

This page details how to install the Immuta CLI and tab completions.

1 - Install the Immuta CLI

macOS CLI Binary Warning: When installing the macOS CLI binary, macOS displays the warning "could not verify that this app is free from malware" when the binary is run. Navigate to the Security & Privacy section in your System Preferences to allow the binary to be run.

Download the binary that corresponds to your operating system.

The latest stable binaries can be found here:

Linux x86_64 (amd64)

Linux ARMv8 (arm64)

The latest stable binaries can be found here:

Darwin x86_64 (amd64)

Darwin ARMv8 (arm64)

The latest stable binary can be found here: .

Download and add the binary to a directory in your system's $PATH as immuta.exe.

The SHA 256 checksum is available to verify the file at .

2 - Configure the CLI with Your Immuta Tenant

Run immuta configure.
Enter the URL of your Immuta tenant in the interactive prompt.
Enter your Immuta API Key in the interactive prompt:

Below is the configuration file that will be saved at ~/.immutacfg.yaml:

3 - Install Tab Completions

To generate shell completion scripts for Immuta CLI commands, run immuta completion [bash|zsh|fish|powershell]. You can opt to specify -h or --help for instructions on installing tab completions for Bash, Zsh, Fish, and PowerShell commands and flags.

Use the tabs below for specific instructions for each of these shells.

Install bash-completion https://github.com/scop/bash-completion.
Add this to your ~/.bash_profile:

Generate an _immuta completion script and save it in your $fpath

The exact configuration file locations might vary based on your system. Make sure to restart your shell before you test whether completions are working.

Manage Your Immuta Tenant

This page details the immuta command, its subcommands and arguments, and the workflow for cloning a tenant and using the Immuta API.

Command Overview: `immuta`

This command allows you to manage your Immuta tenant by creating data sources, projects, policies, and purposes. The table below illustrates the immuta subcommands and arguments.

Subcommands

Description

Argument(s)

To view a list of the commands available in your current Immuta CLI version, run immuta with no additional arguments.

Options

Options you can specify with the immuta command include

--config string: Specify the configuration file name and where it will be saved. (The default is $HOME/.immutacfg.yaml.)
-h or --help: Get more information about the command.
-p or --profile string

Clone Your Tenant: `immuta clone`

You need the GOVERNANCE permission in Immuta to run this command.

If you have an Immuta tenant that was set up without using the API, you can use the immuta clone command to save all your data sources, projects, policies, and purposes as payloads:

This command will create valid V2 API YAML files for all your data sources, projects, policies, and purposes. Within these files, database passwords and user files (such as a BigQuery auth file) will be removed; instead passwords will appear as {{EnvVar "dbPass"}}. The CLI will then read the environment variable dbPass to fill in the password if you use the cloned payload to create or update a data source. File contents will appear as {{ReadFile "<filePath>"}}, and then the CLI will read the file at the path and replace the value when commands are run.

Options

--force: Overwrite existing output directory targets. If this flag is omitted, you will receive an error when the output directory exists and is not empty.
-h or --help: Get details about the command.

Limitations

Tags for data sources and projects are not returned.
Data sources will not have the sources field, so if these payloads are used in create commands, all possible tables will be created as data sources.

`immuta api`

This command makes an authenticated HTTP(s) request to the Immuta API and prints the response. The default HTTP request method is GET, but POST is used if any parameters were added. You can override the method with --method:

Options

-b, --body string: Unmodified string to be sent as payload body.
-d, --data key=value: Add a typed parameter in key=value format. The --data flag behaves like --raw-data, with type conversion based on the format of the value. Literal values, true

Examples

The documentation below provides descriptions and examples of immuta api options.

Manage Data Sources

This page details the immuta datasource command, its subcommands and arguments, and the workflow for creating, renaming, and deleting data sources.

Command Overview: `immuta datasource`

This command allows you to list, save, delete, and rename data sources in your instance of Immuta. The table below illustrates subcommands and arguments.

Subcommands

Description

Argument(s)

Options

Use these options to get more details about the datasource command or any of its subcommands:

-h
--help

Create a Data Source: `immuta datasource save`

Add your remote database's connection information in a valid YAML file for the V2 API. Additional payload examples for creating data sources can :
Run immuta datasource save <filepath> [--wait int] [--dryRun], referencing the file you just created. The options you can specify include
- -d or --dryRun: No updates will actually be made to the data source(s).

Example

The following example illustrates a user saving an updated datasourceInfo.yaml file, first as a dry run and then by specifying that the data sources wait 5 seconds to be created.

Rename a Data Source Connection Key: `immuta datasource rename`

Run immuta datasource list keys to view a list of data source connection keys. Options you can specify include
- -h or --help: Get more information about the command.
- -v or --verbose

Example

The following example illustrates a user renaming a data source connection key to demonstration.

Delete Data Sources: `immuta datasource delete`

This command will delete all data sources for the connection key you specify.

Run immuta datasource list keys to view a list of data source connection keys. Options you can specify include
- -h or --help: Get more information about the command.
- -v or --verbose

Example

The following example illustrates a user deleting the demonstration connection key and all its data sources.

Manage Sensitive Data Discovery

Command overview: `immuta sdd`

This command allows you to customize and run SDD in your instance of Immuta. The table below illustrates subcommands and arguments.

Subcommands

Description

Options

Use these options to get more details about the sdd command or any of its subcommands:

-h
--help

SDD workflow

Two common workflows for using SDD are outlined below. The first illustrates how to apply a global framework to all data sources, while the second outlines how users can create and apply frameworks to data sources they own.

The tutorials linked below show how to use the CLI to complete this workflow. For an overview of how sensitive data discovery works, see .

Workflow 1: Apply the global framework to all data sources

Data governor using one or more identifiers.
.
.

Workflow 2: Apply a framework to a specific data source

Data governor creates one or more .
.
and resulting tags are applied to columns where criteria were met.

Run Sensitive Data Discovery on Data Sources

Prerequisite

Command Overview: `immuta sdd run`

Manage Policies

This page details the immuta policy command, its subcommands and arguments, and the workflow for creating, renaming, cloning, and deleting Global Policies.

Command Overview: `immuta policy`

This command allows you to list, save, delete, and rename Global Policies in your instance of Immuta. The table below illustrates subcommands and arguments.

Subcommands

Manage Projects

This page details the immuta project command, its subcommands and arguments, and the workflow for creating, renaming, and deleting projects.

Command: `immuta project`

This command allows you to list, save, delete, and rename projects in your instance of Immuta. The table below illustrates subcommands and arguments.

Subcommands

Description

Argument(s)

Options

Use these options to get more details about the project command or any of its subcommands:

-h
--help

Create Project: `immuta project save`

Add your project information in a valid YAML file for the V2 API. Additional payload examples for creating projects can :
Run the following referencing the file you just created: immuta project save <filepath> [--dryRun] [--deleteWorkSpaceDataSources] The options you can specify include
- --deleteWorkSpaceDataSources: Delete all data and the data sources associated with a project workspace when the workspace is deleted.

Example

The example below illustrates a user listing all projects and then creating the project demo project.

Rename a Project Key: `immuta project rename`

Opt to list all project keys to identify which project you would like to rename by running immuta project list. Options you can specify include
- -h or --help: Get more information about the command.
- -v or --verbose

Example

The example below illustrates a user renaming the demo project project key to data analytics team.

Delete a Project: `immuta project delete`

Opt to list all project keys to determine which project key you would like to delete by running immuta project list. Options you can specify include
- -h or --help: Get more information about the command.
- -v or --verbose

Example

The example below illustrates a user first disabling and then deleting the project Data Analytics Team.

Manage Purposes

This page details the immuta purpose command, its subcommands and arguments, and the workflow for creating and deleting purposes.

Command: `immuta purpose`

This command allows you to list, save, and delete purposes in your instance of Immuta. The table below illustrates subcommands and arguments.

Subcommands

Description

Manage Audit

Public preview: This feature is public preview and available to all accounts.

Use these audit export configuration commands to manage exporting your audit logs to S3 and ADLS Gen2, including intervals the events are exported and the S3 bucket or ADLS container they are exported to.

`immuta audit exportConfig {command} <arguments> [flags]`

Inspect, disable, enable, and delete configurations for exporting your audit events to S3 and ADLS Gen 2.

The Immuta Audit CLI supports a number of flags for every command.

--config string: Specifies the configuration file name and where it will be saved. (The default is $HOME/.immutacfg.yaml.)
-h, --help: Gets more information about the command.
-p, --profile string

Commands

Command

Argument

Flags

Audit Export Configuration Example

The Immuta API

Any endpoints or attributes that are not documented are for internal purposes and should not be used.

Integrations API

The integrations API allows you to integrate your remote data platform with Immuta so that Immuta can manage and enforce access controls on your data.

Version 2 of the Immuta API allows data engineers to manage their data sources, projects, and policies as code, providing a way to track, approve, and easily update data sources and their associated policies.

The benefits of the V2 API are outlined below:

Reduces complexity: The data source API has been simplified to only require the connection information in most instances and one endpoint for all database technologies.
Maintains less state: Whether updating or creating, the same endpoint is used, and the same data is passed. No IDs are required, so no additional state is required.
Requires fewer steps: Only an API key is required; no additional authentication step is required before using the API.

Version 1 of the Immuta API is still supported and can be accessed through the Immuta CLI. However, users are encouraged to use Version 2 of Immuta's API because of all the benefits outlined above.

Integrations API

The integrations API is a REST API that allows you to integrate your remote data platform with Immuta so that Immuta can manage and enforce access controls on your data.

Getting started guide

This task-based guide includes end-to-end instructions for implementing your integration - from authenticating with the API to mapping your users into Immuta so that they can access policy-enforced data. A basic request and payload example is provided for configuring each integration.

These guides provide step-by-step instructions for creating and managing your integration and include configuration setting examples that vary in complexity.

These guides define request and body parameters, response schema, and common error messages.

How-to Guides

The how-to guides in this section illustrate how to integrate your remote data platform with Immuta so you can manage and enforce access controls on your data.

Amazon S3 integration API guide

Private preview: The Amazon S3 integration is available to select accounts. Reach out to your Immuta representative for details.

Immuta's Amazon S3 integration allows users to apply subscription policies to data in S3 to restrict what prefixes, buckets, or objects users can access. To enforce access controls on this data, Immuta creates S3 grants that are administered by S3 Access Grants, an AWS feature that defines access permissions to data in S3.

Follow this guide to configure and manage your Amazon S3 integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

In this integration, Immuta generates policy-enforced views in a schema in your configured Azure Synapse Analytics Dedicated SQL pool for tables registered as Immuta data sources.

Follow this guide to configure and manage your Azure Synapse Analytics integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

Immuta’s integration with Unity Catalog allows you to manage multiple Databricks workspaces through Unity Catalog while protecting your data with Immuta policies. Instead of manually creating UDFs or granting access to each table in Databricks, you can author your policies in Immuta and have Immuta manage and enforce Unity Catalog access-control policies on your data in Databricks clusters or SQL warehouses.

Follow this guide to configure and manage your Databricks Unity Catalog integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

Private preview: This integration is available to select accounts. Reach out to your Immuta representative for details.

In this integration, Immuta generates policy-enforced views in your configured Google BigQuery dataset for tables registered as Immuta data sources.

Follow this guide to configure and manage your Google BigQuery integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

Immuta generates policy-enforced views in your configured Redshift schema for tables registered as Immuta data sources.

Follow this guide to configure and manage your Redshift integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

Immuta manages access to Snowflake tables by administering Snowflake row access policies and column masking policies on those tables, allowing users to query tables directly in Snowflake while dynamic policies are enforced.

Follow this guide to configure and manage your Snowflake integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

Immuta policies are translated into Starburst rules and permissions and applied directly to tables within users’ existing catalogs.

Follow this guide to configure and manage your Starburst (Trino) integration. Example requests and responses are provided throughout the guide so that you can quickly copy and update them with your own settings.

Reference Guides

The reference guides in this section define the integrations API endpoints, request and body parameters, and response schema.

The integrations API endpoints allow you to create, update, get, and delete integrations and generate scripts to run in your data platform to manually set up or remove Immuta-managed resources.

Consult this guide for endpoint descriptions and examples.

Create Purposes API Examples

Basic Purpose

name: A basic purpose

Advanced Purpose

name: Use Purposes
acknowledgement: You promise to be good
description: For use with projects to do policy adjustments
kAnonNoiseReduction: Medium

Sub-Purpose

Immuta V1 API

This section outlines the endpoints and parameters of the V1 API and provides examples of requests, payloads, and responses. The endpoints documented in this section are for the V1 API. The V2 API is documented in the previous section.

Any endpoints or attributes that are not documented are for internal purposes and should not be used.

Section Overview

The endpoints throughout this section are organized by workflow.

Authenticate with the API

Audience: All Immuta Users
Content Summary: Calls to the Immuta API require authentication. This page includes the API key authentication endpoint, request and response parameters, and example requests and responses for API authentication.

Workflow

There are two methods for making an authenticated request to the Immuta API.

Configure Your Instance of Immuta

This section of API documentation is specific to configuring elements of your instance, such as users, tags, licenses, integrations, and webhooks.

Section Contents

: View your activity notifications.

Get Fingerprint Status

Fingerprint API reference guide

This page illustrates how to check the status of the Fingerprint service using the fingerprint endpoint.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Get the status of the fingerprint service

GET /fingerprint/status

Get the status of the Fingerprint service.

Response parameters

Attribute

Description

Request example

The following request gets the status of the Fingerprint service.

Response example

Get Job Status

Jobs API reference guide

This page describes the jobs endpoint.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Get job status and output

Connect Your Data

Audience: Data Owners
Content Summary: This section of API documentation is specific to connecting your data to Immuta and managing Data Dictionaries.

Data sources can also be created and managed using the .

Manage Data Access

This section of API documentation is specific to searching for data and audit logs, managing policies and access requests, and auditing user activity.

Policies can also be created and managed using the .

Section Contents

Search Connection Strings

Connection strings API reference guide

This page describes the connectionStrings endpoint.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Search connection strings

Search for Organizations

Organizations API reference guide

This page describes the organizations endpoint.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Search organizations

Manage Projects and Purposes

and can also be created and managed using the V2 API.

Section Contents

Policy Handler Objects

This page describes how to update policies using the Policy Handler API.

Create policy handler

Method

Path

Successful Status Code

POST

/policy/handler

Request parameters

The create policy handler endpoint must be a .

Update policy handler

Method

Path

Successful Status Code

Request parameters

The update policy handler endpoint must be a .

Policy handler object

dataSourceId (integer): ID of the data source the policy will be applied to.
- Example: 1
jsonRules (array[object]): Array of JSON rules objects.

Defining policy rules

The jsonRules array contains rules objects. The following types of policy rules are supported:

Not all combination of policy rules are valid. The examples below are supported policy rule combinations:

Prerequisite, Visibility, Masking
Prerequisite, Masking, Minimization

Prerequisite policy rule type

Prerequisite policies are used to limit usage to one or more purposes.

type (string): Policy rule type. Must be prerequisite for prerequisite policy rules.
- Example: "prerequisite"
operator (string

Example:

In this example, users will only have access to data from this data source when they are acting under the purpose named Purpose Name.

Visibility policy rule type

Visibility policies are used to enforce row-level security.

type (string): Policy rule type. Must be visibility for row-level security policy rules.
- Example: "visibility"
operator (string

Note: When adding conditions to a visibility policy rule, the field is required, and the condition value should be left empty. For example, for a group policy condition, the group name is not specified.

The user must possess the group, attribute, or purpose that matches the value stored in the field.

Example:

In this example, users will only see rows when they have an authorization that matches the value in the field department and they belong to a group that matches the value in the field organization.

Masking policy rule type

Masking policy rules will mask the value in one or more columns.

type (string): Policy rule type. Must be masking for masking policy rules.
- Example: "masking"
fields (array[string]

Note: When adding conditions to a masking policy rule, the field will be left blank, and the condition value should be populated.

When using a masking rule, there is an additional field that needs to be sent in the in the policyHandler.maskingConfiguration array field.

name (string): Name of the field being masked.
- Example: "social"
type (string): Type of masking to apply. Supported values are "Consistent Value"

Masking configuration metadata

Consistent value

constant (string|null): Constant value to mask to. If this field is not defined, the value will be hashed.
- Example: "REDACTED"

Regular expression

regex (string): Regex to match against when masking columns.
- Example: "[0-9]{3}-[0-9]{2}"
replacement (string): String used to replace the matched regex.

Grouping

bucketSize (integer): For number fields. Size of buckets to round numbers to.
- Example: 100
timePrecision (string): For time fields. Time precision to round to. Possible values: "MIN"

Example policy handler update with masking configuration metadata:

Example:

In this example, the fields email and location will be masked unless the user belongs to the group admins.

Minimization rule type

Minimization policy rules will show a limited percentage of the data, based on a high cardinality column, for everyone unless the user fulfills the policy conditions.

type (string): Policy rule type. Must be additional for minimization policy rules.
- Example: "additional"
name (string

Note: When adding conditions to a minimization policy rule the field will be left blank.

When using a minimization rule, there is an additional field that needs to be sent in the in the policyHandler.additionalFilters.minimization field.

percent (integer): Percentage of the data to show to the users. This percentage will be based off of unique values in the hashPhrase column.
- Example: 50
hashPhrase

Example policy handler rule:

In this example, 50 percent of the data, based on the name field, will be visible to users unless they fulfill the policy conditions.

Example data source update (partial):

Time-based rule type

Time-based rules will make a limited portion of the data available based on event time. The data source must contain an event time column in order for this policy type to be valid. For instance, users who do not fulfill the policy conditions will only see data from within the defined time window.

type (string): Policy rule type. Must be additional for minimization policy rules.
- Example: "additional"
name (string

Note: When adding conditions to a time based policy rule the field will be left blank.

When using a time based rule, there is an additional field that needs to be sent in the in the policyHandler.additionalFilters field.

time (integer): Age in seconds of the oldest data a user will be allowed to see. This counts backward from the present.
- Example: 14400

Example policy handler rule:

In this example, only data from the last 4 hours will be visible to users unless they fulfill the policy conditions.

Example data source update (partial):

Policy conditions

There are three types of policy conditions:

Group policy condition

The group policy condition restricts access to the condition when a user is a member of a group.

type (string): Type of policy condition. Must be "groups" for the group policy condition.
- Example: "groups"
group (object

Example:

Group object

name (string): Name of group user must belong to in order to satisfy the policy condition.
- Example: "users"
iam (string): ID of the IAM containing the group.

Attribute policy condition

The attribute policy condition restricts access to the condition when a user possesses an attribute.

type (string): Type of policy condition. Must be "authorizations" for the attribute policy condition.
- Example: "authorizations"
authorization (

Example:

Attribute object

auth (string): Name of attribute to check for attribute value.
- Example: "accesses"
value (string): Value of attribute user must possess in order to satisfy the policy condition.

Purpose policy condition

The purpose policy condition restricts access to the condition when a user is acting under a purpose.

type (string): Type of policy condition. Must be "purposes" for the purpose policy condition.
- Example: "purpopses"
value (string

Example:

Configure a Databricks Unity Catalog Integration

Use the /integrations endpoint to

configure a Databricks Unity Catalog integration
get a Databricks Unity Catalog integration

Requirements

Permissions

APPLICATION_ADMIN Immuta permission
The Databricks user running the installation script must have the following privileges:
- Account admin

See the for more details about Unity Catalog privileges and securable objects.

Authentication

Access token authentication: If using this method, generate a personal access token for the service principal that Immuta will use to manage policies in Unity Catalog. This service principal must have the for the metastore associated with the Databricks workspace.
OAuth machine-to-machine (M2M) authentication: If using this method, follow for the Immuta service principal. This service principal must have the for the metastore associated with the Databricks workspace.

Prerequisite

Click the App Settings icon in the left sidebar.
Scroll to the Global Integrations Settings section and check the Enable Databricks Unity Catalog support in Immuta checkbox.

Configure the integration

In Databricks, with the privileges below. Immuta uses this service principal continuously to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks.
1. USE CATALOG and MANAGE on all catalogs containing securables registered as Immuta data sources and USE SCHEMA on all schemas containing securables registered as Immuta data sources.
2. MODIFY

Automatic setup

Required permissions: When performing an automatic setup, the credentials provided must have the .

Copy the request example, and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Databricks", "autoBootstrap": true, "config": { "workspaceUrl": "www.example-workspace.cloud.databricks.com", "httpPath": "sql/protocolv1/o/0/0000-00000-abc123", "authenticationType": "token", "token": "REDACTED", "catalog": "immuta" } }' ```

Replace the Immuta URL and with your own.
Change the config values to your own, where

Response

The response returns the status of the Databricks Unity Catalog integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Manual setup

Required permissions: When performing a manual setup, the Databricks user running the script must have the .

To manually configure the integration, complete the following steps:

Generate the script

Copy the request example, and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations/scripts/create' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Databricks", "autoBootstrap": false, "config": { "workspaceUrl": "www.example-workspace.cloud.databricks.com", "httpPath": "sql/protocolv1/o/0/0000-00000-abc123", "authenticationType": "token", "token": "REDACTED", "catalog": "immuta" } }' ```

Replace the Immuta URL and with your own.
Change the config values to your own, where

Response

The response returns the script for you to run in your environment.

Configure the integration in Immuta

Copy the request example, and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML. The payload you provide must match the payload sent when .

See the for parameter definitions, value types, and additional configuration options.

```shell curl -X 'POST' \ 'https://www.organization.immuta.com/integrations' \ -H 'accept: application/json' \ -H 'Content-Type: application/json' \ -H 'Authorization: 846e9e43c86a4ct1be14290d95127d13f' \ -d '{ "type": "Databricks", "autoBootstrap": false, "config": { "workspaceUrl": "www.example-workspace.cloud.databricks.com", "httpPath": "sql/protocolv1/o/0/0000-00000-abc123", "authenticationType": "token", "token": "REDACTED", "catalog": "immuta" } }' ```

Replace the Immuta URL and with your own.
Pass the same payload you sent when , where

Response

The response returns the status of the Databricks Unity Catalog integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to get. Alternatively, you can get a list of all integrations and their IDs with the .

Response

The response returns a Databricks Unity Catalog integration configuration. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get all integrations

Copy the request example.
Replace the Immuta URL and with your own.

Response

The response returns the configuration for all integrations. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Update an integration configuration

Copy the request example, and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

This example updates the access token.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Change the config values to your own, where
- workspaceUrl

Response

The response returns the status of the Databricks Unity Catalog integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Delete an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to delete.

Response

The response returns the status of the Databricks Unity Catalog integration configuration that has been deleted. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Configure an Amazon S3 Integration

Private preview: The Amazon S3 integration is available to select accounts. Reach out to your Immuta representative for details.

The Amazon S3 resource allows you to create, configure, and manage your S3 integration. In this integration, Immuta provides coarse-grained access controls for data in S3 by performing permission grants using the Access Grants API so that users don't have to manage individual IAM policies themselves.

Use the /integrations endpoint to

Requirements

S3 integration enabled in Immuta; contact your Immuta representative to enable this integration
; contact your Immuta representative to get this feature enabled
No location is registered in your AWS Access Grants instance before configuring the integration in Immuta

Permissions

APPLICATION_ADMIN Immuta permission to configure the integration
CREATE_S3_DATASOURCE Immuta permission to register S3 prefixes
The AWS account credentials or optional AWS IAM role you provide Immuta to configure the integration must

Set up S3 Access Grants instance

. AWS supports one Access Grants instance per region per AWS account.
. You will add this role to your integration configuration in Immuta so that Immuta can register this role with your Access Grants location. The policy should include at least the following permissions, but might need additional permissions depending on other local setup factors. An example trust policy is provided below.
- sts:AssumeRole

IAM role trust policy example

with the following permissions, and attach the policy to the IAM role you created to grant the permissions to the role. The policy should include the following permissions. An example policy is provided below.

s3:GetObject
s3:GetObjectVersion
s3:GetObjectAcl

IAM policy example

Replace <bucket_arn> in the example below with the ARN of the bucket scope that contains data you want to grant access to.

If you use server-side encryption with AWS Key Management Service (AWS KMS) keys to encrypt your data, the following permissions are required for the IAM role in the policy. If you do not use this feature, do not include these permissions in your IAM policy:

kms:Decrypt
kms:GenerateDataKey

that Immuta can use to create Access Grants locations and issue grants. This role must have the S3 permissions listed in the . An example policy is provided below.

IAM policy example

Replace <role_arn> and <access_grants_instance_arn> in the example below with the ARNs of the role you created and your Access Grants instance, respectively. The Access Grants instance resource ARN should be scoped to apply to any future locations that will be created under this Access Grants instance. For example, "Resource": "arn:aws:s3:us-east-2:6********499:access-grants/default*" ensures that the role would have permissions for both of these locations:

arn:aws:s3:us-east-2:6********499:access-grants/default/newlocation1

If you use AWS IAM Identity Center, associate . Then add the permissions listed in the sample policy below to your IAM policy, and attach the policy to the IAM role you created to grant the permissions to the role.

IAM policy example

Copy the JSON below and replace the following bracketed placeholder values with your own. For details about the actions and resource values, see the .

<iam_identity_center_instance_arn>: The that is configured with the application.
<iam_identity_center_application_arn_for_s3_access_grants>: The configured with IAM Identity Center.

Configure the integration in Immuta

This request configures the integration using the AWS access key authentication method.

Copy the request example. The example uses JSON format, but the request also accepts YAML.
Replace the Immuta URL and with your own.
Change the config values to your own, where

See the for parameter definitions, value types, and additional configuration options.

Response

The response returns the status of the S3 integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to get. Alternatively, you can get a list of all integrations and their IDs with the .

Response

The response returns an S3 integration configuration. See the for details about the response schema. An unsuccessful response returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get all integrations

Copy the request example.
Replace the Immuta URL and with your own.

Response

Update an integration configuration

Copy the request example, and replace the values with your own as directed to update the integration settings. The example provided uses JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Change the config values from above to your own. The editable values listed below are the only parameters that can change from the integration's existing configuration. The required parameters listed below must match the integration's existing configuration.

Response

The response returns the status of the Amazon S3 integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Delete an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to delete.

Response

The response returns the status of the S3 integration configuration that has been deleted. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Create a Databricks Data Source

Databricks data source API reference guide

The databricks endpoint allows you to connect and manage Databricks data sources in Immuta.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Requirements

Databricks Spark integration

When exposing a table or view from an Immuta-enabled Databricks cluster, be sure that at least one of these traits is true:

The user exposing the tables has READ_METADATA and SELECT permissions on the target views/tables (specifically if Table ACLs are enabled).
The user exposing the tables is listed in the immuta.spark.acl.whitelist configuration on the target cluster.
The user exposing the tables is a Databricks workspace administrator.

Databricks Unity Catalog integration

When registering Databricks Unity Catalog securables in Immuta, use and ensure it has the privileges listed below. Immuta uses this service principal continuously to orchestrate Unity Catalog policies and maintain state between Immuta and Databricks.

USE CATALOG and MANAGE on all catalogs containing securables registered as Immuta data sources.
USE SCHEMA on all schemas containing securables registered as Immuta data sources.
MODIFY and SELECT on all securables you want registered as Immuta data sources.

MANAGE and MODIFY are required so that the service principal can apply row filters and column masks on the securable; to do so, the service principal must also have SELECT on the securable as well as USE CATALOG on its parent catalog and USE SCHEMA on its parent schema. Since privileges are inherited, you can grant the service principal the MODIFY and SELECT privilege on all catalogs or schemas containing Immuta data sources, which automatically grants the service principal the MODIFY and SELECT

Azure Databricks Unity Catalog limitation

Set all table-level ownership on your Unity Catalog data sources to an individual user or service principal instead of a Databricks group before proceeding. Otherwise, Immuta cannot apply data policies to the table in Unity Catalog. See the for details.

Databricks workflow

Create a data source

POST /databricks/handler

Save the provided connection information as a data source.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request creates two Databricks data sources.

Payload example

Response example

Get information about a data source

GET /databricks/handler/{handlerId}

Get the handler metadata associated with the provided handler ID.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request returns metadata for the handler with the ID 48.

Response example

Manage data sources

Method

Path

Purpose

Update a specific data source

PUT /databricks/handler/{handlerId}

Update the data source metadata associated with the provided handler ID. This endpoint does not perform partial updates, but will allow the dictionary to be omitted. In this case, it uses the current dictionary.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request updates the metadata for the data source with the handler ID 48.

Payload example

The payload below updates the dataSourceName to Cities.

Response example

Update multiple data sources

PUT /databricks/bulk

Update the data source metadata associated with the provided connection string.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request updates the metadata for all data sources with the connection string specified in example-payload.json.

Payload example

The payload below adds a certificate (certificate.json) to connect to the data sources with the provided connection.

Response example

Recalculate the high cardinality column for a data source

PUT /databricks/handler/{handlerId}/triggerHighCardinalityJob

Recalculate the high cardinality column for the specified data source.

Query parameters

Attribute

Description

Required

Response parameters

The response returns a string of characters that identify the high cardinality job run.

Request example

This request re-runs the job that calculates the high cardinality column for the data source with the handler ID 47.

Response example

Configure a Redshift Integration

In the Redshift integration, Immuta generates policy-enforced views in your configured Redshift schema for tables registered as Immuta data sources.

Use the /integrations endpoint to

configure a Redshift integration
get a Redshift integration

Requirements

APPLICATION_ADMIN Immuta permission
A Redshift cluster with an RA3 node is required for the multi-database integration. You must use a Redshift RA3 instance type because Immuta requires cross-database views, which are only supported in Redshift RA3 instance types. For other instance types, you may configure a single-database integration using one of the :
- Configure the integration with an existing database that contains the external tables. In the steps below, specify an existing database in Redshift as the database in which Immuta will add the Immuta-managed schemas and views instead of creating a new database.

Configure the integration

You have two options for configuring your Redshift integration:

: Grant Immuta one-time use of credentials to automatically configure your Redshift environment and the integration. When performing an automated installation, Immuta requires temporary, one-time use of credentials with the Redshift permissions listed in the .
These privileges will be used to create and configure a new Immuta-managed database within the specified Redshift instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.
You can create a new account for Immuta to use that has these privileges, or you can grant temporary use of a pre-existing account. By default, the pre-existing account with appropriate privileges is a Superuser. If you create a new account, it can be deleted after initial setup is complete.
: Run the Immuta script in your Redshift environment yourself to configure your Redshift environment and the integration. The specified role used to run the bootstrap needs to have the Redshift permissions listed in the .

Automatic setup

Copy the request example from one of the sections below, and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

This request specifies userPassword as the authentication type for the Immuta system user. The username and password provided are credentials for a system account that can manage the database.

Replace the Immuta URL and with your own.
Change the config values to your own, where

Response

The response returns the status of the Redshift integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Manual setup

To manually configure the integration, complete the following steps:

Generate the first script

Copy the request example from one of the tabs below, and replace the values with your own as directed to generate the first script. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

This request specifies userPassword as the authentication type for the Immuta system user. The username and password provided are credentials for a system account that can manage the database.

Replace the Immuta URL and with your own.
Change the config values to your own, where

Response

The response returns the script for you to run in the Redshift initialDatabase.

Generate the second script

Copy the request example from one of the tabs below, and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML. The payload you provide must match the payload sent when .

See the for parameter definitions, value types, and additional configuration options.

This request specifies userPassword as the authentication type for the Immuta system user. The username and password provided are credentials for a system account that can manage the database.

Replace the Immuta URL and with your own.
Pass the same payload you sent when , where

Response

The response returns the script for you to run in the database created by the first script.

Configure the integration in Immuta

See the for parameter definitions, value types, and additional configuration options.

This request specifies userPassword as the authentication type for the Immuta system user. The username and password provided are credentials for a system account that can manage the database.

Replace the Immuta URL and with your own.
Pass the same payload you sent when , where

Response

The response returns the status of the Redshift integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to get. Alternatively, you can get a list of all integrations and their IDs with the .

Response

The response returns a Redshift integration configuration. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get all integrations

Copy the request example.
Replace the Immuta URL and with your own.

Response

Update an integration configuration

You have two options for updating your integration. Follow the steps that match your initial configuration of autoBootstrap:

(autoBootstrap is true)
(autoBootstrap is false)

Automatic update

Copy the request example, and replace the values with your own as directed to update the integration settings. The example provided uses JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Change the config values to your own, where
- host

Response

The response returns the status of the Redshift integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Manual update

To manually update the integration, complete the following steps:

Generate the updated script

Copy the request example, and replace the values with your own as directed to generate the script. The example provided uses JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Change the config values to your own, where
- host

Response

The response returns the script for you to run in your Redshift environment.

Update the integration in Immuta

Copy the request example, and replace the values with your own as directed to update the integration settings. The example provided uses JSON format, but the request also accepts YAML. The payload you provide must match the payload sent when .

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Pass the same payload you sent when , where
- host

Response

The response returns the status of the Redshift integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Delete an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to delete.
If you set

Response

The response returns the status of the Redshift integration configuration that has been deleted. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Integrations API Endpoints

The integrations resource allows you to create, configure, and manage your integration. How Immuta manages and administers policies in your data platform varies by integration.

To configure or manage an integration, users must have the APPLICATION_ADMIN Immuta permission.

Endpoints

Method

Endpoint

Description

GET /integrations

Gets all integration configurations.

Response

POST /integrations

Creates an integration configuration that allows Immuta to manage access policies on data registered in Immuta.

Amazon S3 example

When you connect Immuta to your AWS account, the awsLocationPath is the base S3 location prefix that Immuta will use for this connection when registering S3 data sources.

This request configures the integration using the AWS access key authentication method.

Azure Synapse Analytics example

When you connect Immuta to your Azure Synapse Analytics account, the schema you specify is where all the policy-enforced views will be created and managed by Immuta.

Databricks Unity Catalog example

This request creates a Databricks Unity Catalog integration configuration that allows Immuta to administer Unity Catalog policies on data registered in Immuta.

Google BigQuery example

When you connect Immuta to your Google BigQuery account, the dataset you specify is where all the policy-enforced views will be created and managed by Immuta.

Redshift example

When you connect Immuta to your Redshift account, the Immuta system user will use the database you specify to manage and store metadata. The initial database (REDSHIFT_SAMPLE_DATA, in the request below) is an existing Redshift database that Immuta connects to in order to create the Immuta-managed database (immuta, in the request below).

This request specifies userPassword as the authentication type for the Immuta system user. The username and password provided are credentials for a system account that can manage the database.

Snowflake example

When you connect Immuta to your Snowflake account, the warehouse you specify is the default pool of compute resources the Immuta system user will use to run queries and perform other Snowflake operations.

This request specifies userPassword authentication type. The username and password provided are credentials of a Snowflake account attached to a role with . These credentials are not stored; they are used by Immuta to configure the integration.

Starburst (Trino) example

When you configure the Starburst (Trino) integration, Immuta generates an API key and configuration snippet on the Immuta app settings page that you will use to configure your Starburst cluster.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Query parameter

Parameter

Description

Required or optional

Response

The response returns the status of the integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

DELETE /integrations/{id}

Deletes the integration configuration you specify in the request.

Request parameter

Parameter

Description

Required or optional

Query parameter

Parameter

Description

Required or optional

Body parameters

For Amazon S3 integrations, Databricks Unity Catalog integrations, Google BigQuery integrations, Starburst (Trino) integrations, or integration configurations with autoBootstrap set to false, no payload is required to delete the integration.

For the integrations below, the request accepts a JSON or YAML payload when autoBootstrap is set to true. See the payload description for your integration for parameters and details:

Response

The response returns the status of the integration configuration that has been deleted. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

GET /integrations/{id}

Gets the integration configuration you specify in the request.

Request parameter

Parameter

Description

Required or optional

Response

The response returns an integration configuration. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

PUT /integrations/{id}

Updates an existing integration configuration.

Amazon S3 example

This request changes the name of the integration.

Azure Synapse Analytics example

This request enables user impersonation for the Azure Synapse Analytics integration.

Databricks Unity Catalog example

This request updates the access token.

Google BigQuery example

This request updates the private key for the Google BigQuery integration.

Redshift example

This request enables user impersonation for the Redshift integration.

Snowflake example

This request enables auditing queries run in Snowflake.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Query parameter

Parameter

Description

Required or optional

Response

The response returns the status of the integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

POST /integrations/{id}/regenerate

Regenerates an Immuta API key for the configured integration.

Starburst (Trino) example

This request regenerates an Immuta API key for the configured Starburst (Trino) integration. Once you make this request, your old Immuta API key will be deleted and will no longer be valid. See the for instructions on updating your Starburst (Trino) integration to use the new API key.

Response

The response returns the new Immuta API key. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

GET /integrations/{id}/status

Gets the status of the integration specified in the request.

Request parameter

Parameter

Description

Required or optional

Response

The response returns the of the specified integration. An unsuccessful request returns the HTTP status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

POST /integrations/scripts/cleanup

Creates a script to remove Immuta-managed resources from your platform. This endpoint is for Azure Synapse Analytics, Redshift, and Snowflake integrations that were not successfully created and, therefore, do not have an integration ID.

For Azure Synapse Analytics integrations, you must also make a request to the to create another script that will finish removing Immuta-managed resources from the platform.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Response

The response returns the script that you will run in your Azure Synapse Analytics, Redshift, or Snowflake environment.

Once you have run the script,

use the DELETE /integrations/{id} endpoint to delete your Redshift or Snowflake integration in Immuta:
use the

POST /integrations/scripts/create

Creates a script for you to run manually to set up objects and resources for Immuta to manage and enforce access controls on your data. This endpoint is available for Azure Synapse Analytics, Databricks Unity Catalog, Redshift, and Snowflake integrations.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Response

The response returns the script that you will run in your Azure Synapse Analytics, Databricks Unity Catalog, Redshift, or Snowflake environment.

POST /integrations/{id}/scripts/delete

Creates a script to remove Immuta-managed resources from your platform. This endpoint is for Azure Synapse Analytics, Redshift, and Snowflake integrations that were successfully created.

Response

The response returns the script that you will run in your Azure Synapse Analytics, Redshift, or Snowflake environment.

Once you have run the script, use the DELETE /integrations/{id} endpoint to delete your integration in Immuta:

POST /integrations/{id}/scripts/edit

Creates a script for you to run manually to edit objects and resources managed by Immuta in your platform. This endpoint is available for Azure Synapse Analytics, Redshift, and Snowflake integrations.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Response

The response returns the script that you will run in your Azure Synapse Analytics, Redshift, or Snowflake environment. Once you have run the script, use the PUT /integrations/{id} endpoint to finish editing your integration:

POST /integrations/scripts/initial-create

Creates the first script for you to run manually to set up objects and resources for Immuta to manage and enforce access controls on your data in Azure Synapse Analytics or Redshift integrations.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Response

The response returns the script that you will run in your Azure Synapse Analytics or Redshift environment.

Once you have run this script, use the to generate a script to finish creating the Immuta-managed resources in your platform.

POST /integrations/scripts/post-cleanup

Creates a second script to remove the final Immuta-managed resources from your Azure Synapse Analytics platform. This endpoint is for Azure Synapse Analytics integrations that were not successfully created and, therefore, do not have an integration ID.

Before making a request like the one below, you must make a request to the to create the first script that will remove the initial Immuta-managed resources from the platform.

Body parameters

The request accepts a JSON or YAML payload with the parameters outlined below.

Parameter

Description

Required or optional

Default values

Accepted values

Response

The response returns the script that you will run in your Azure Synapse Analytics environment.

Once you have run the script, use the DELETE /integrations/{id} endpoint to delete your integration in Immuta by following the instructions.

See the following how-to guides for configuration examples and steps for creating, managing, or deleting your integration:

Configure a Snowflake Integration

In the Snowflake integration, Immuta manages access to Snowflake tables by administering Snowflake row access policies and column masking policies on those tables, allowing users to query tables directly in Snowflake while dynamic policies are enforced.

Use the /integrations endpoint to

configure a Snowflake integration
get a Snowflake integration

Requirements

APPLICATION_ADMIN Immuta permission
The Snowflake user running the installation, edit, or delete script must have the following privileges:
- CREATE DATABASE ON ACCOUNT WITH GRANT OPTION

Configure the integration

You have two options for configuring your Snowflake integration:

: Grant Immuta one-time use of credentials to automatically configure your Snowflake environment and the integration. When performing an automated installation, Immuta requires temporary, one-time use of credentials with the Snowflake privileges listed in the .
These privileges will be used to create and configure a new Immuta-managed database within the specified Snowflake instance. The credentials are not stored or saved by Immuta, and Immuta doesn’t retain access to them after initial setup is complete.
You can create a new account for Immuta to use that has these privileges, or you can grant temporary use of a pre-existing account. By default, the pre-existing account with appropriate privileges is ACCOUNTADMIN. If you create a new account, it can be deleted after initial setup is complete.
: Run the Immuta script in your Snowflake environment yourself to configure your Snowflake environment and the integration. The specified role used to run the bootstrap needs to have the Snowflake privileges listed in the .

Automatic setup

Select the section below that matches your authentication method.
Copy the request example and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Change the config values to your own, where
- host is the URL of your Snowflake account.

Response

The response returns the status of the Snowflake integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Manual setup

Best practices

The account you create for Immuta should only be used for the integration and should not be used as the credentials for creating data sources in Immuta; doing so will cause issues. Instead, create a separate, dedicated READ-ONLY account for creating and registering data sources within Immuta.

To manually configure the integration, complete the following steps:

Generate the script

Select the tab below that matches your authentication method.
Copy the request example and replace the values with your own as directed to generate the script. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Change the config values to your own, where
- host is the URL of your Snowflake account.

Response

The response returns the script for you to run in your environment.

Configure the integration in Immuta

Select the tab below that matches your authentication method.
Copy the request example and replace the values with your own as directed to configure the integration settings. The examples provided use JSON format, but the request also accepts YAML. The parameters and values you provide in this payload must match those you provided when .

See the for parameter definitions, value types, and additional configuration options.

Replace the Immuta URL and with your own.
Pass the same payload you sent when , where
- host is the URL of your Snowflake account.

Response

The response returns the status of the Snowflake integration configuration connection. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to get. Alternatively, you can get a list of all integrations and their IDs with the .

Response

The response returns the Snowflake integration configuration. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Get all integrations

Copy the request example.
Replace the Immuta URL and with your own.

Response

Update an integration configuration

You have two options for updating your integration. Follow the steps that match your initial configuration of autoBootstrap:

(autoBootstrap is true)
(autoBootstrap is false)

Automatic update

Select the section below that matches your authentication method.
Copy the request example and replace the values with your own as directed to update the integration settings. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

This request updates the configuration to enable query audit in Snowflake.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Change the config values to your own, where

Response

The response returns the status of the Snowflake integration configuration. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Manual update

To manually update the integration, complete the following steps:

Generate the updated script

Select the tab below that matches your authentication method.
Copy the request example and replace the values with your own as directed to generate the script. The examples provided use JSON format, but the request also accepts YAML.

See the for parameter definitions, value types, and additional configuration options.

This request updates the configuration to enable query audit in Snowflake.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Change the config values to your own, where

Response

The response returns the script for you to run in your environment.

Update the integration in Immuta

Select the section below that matches your authentication method.
Copy the request example and replace the values with your own as directed to update the integration settings. The examples provided use JSON format, but the request also accepts YAML. The payload you provide must match the one you provided when .

See the for parameter definitions, value types, and additional configuration options.

This request updates the configuration to enable query audit in Snowflake.

Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to update.
Pass the same payload you sent when , where

Response

The response returns the status of the Snowflake integration configuration. See the for details about the response schema.

A successful response includes the validation tests statuses.

An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Delete an integration

Copy the request example.
Replace the Immuta URL and with your own.
Replace the {id} request parameter with the unique identifier of the integration you want to delete.
If you set

Response

The response returns the status of the Snowflake integration configuration that has been deleted. See the for details about the response schema. An unsuccessful request returns the status code and an error message. See the for a list of statuses, error messages, and troubleshooting guidance.

Manage Data and Subscription Policies

Policy API reference guide

The policy endpoint allows you to manage and review policies in Immuta. This page outlines the endpoint and its request and response parameters.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Policy workflow

Create and manage policies

Method

Path

Purpose

Create a global policy with a specified entity type

POST /policy/global

Create a Global Policy with a given entityType.

Query parameters

Attribute

Description

Required

Payload parameters

See the for payload examples and details.

Response parameters

When successful, the response returns the body of the request payload.

Request example

This example request creates a Global Policy (saved in the example-payload.json file) in the Immuta tenant.

Request payload example

Response example

Create or update a policy for a specific data source

POST or PUT /policy/handler/{dataSourceId}

Create (POST) or update (PUT) a policy for the specified data source.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request applies the policy specified in the payload to the data source with the ID 2.

Request payload example

Response example

Apply a global policy to a data source

Note: Global policies that contain the condition "with columns tagged" or "on all data sources" will automatically apply to relevant data sources when the policy is created. The endpoint detailed below can be used to apply Global Policies that contain the condition "when selected by data owners," as these policies are not automatically applied to data sources.

POST /policy/global/applyPolicy

Apply the Global Policy to the specified data source.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

None. When successful, no message will display.

Request example

This example request applies the specified Global Policy to the specified data source (saved in the example-payload.json file) in the Immuta tenant.

Request payload example

The following payload will apply the Global Policy with the ID 1 to the data source with ID 1.

Update a global policy

PUT /policy/global/{policyId}

Update the specified policy.

Query parameters

Attribute

Description

Required

Payload parameters

See the for payload examples and details.

Response parameters

When successful, the response returns the body of the request payload.

Request example

This example request updates the specified Global Policy (8) with changes to the metadata saved in the example-payload.json file.

Request payload example

In this payload, the user updated the description attribute to update the policy.

Response example

Review policies

Method

Path

Purpose

Search for policies

POST /policy/search

Searches for specified policies.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request searches for a Global Policy that contains the text mask in Immuta.

Response example

Find policies by policy ID

GET /policy/global/{policyId}

Find the policy with the specified ID.

Query parameters

Attribute

Description

Required

Response parameters

The response returns a .

Request example

This example request returns the Global Policy with the ID 1.

Response example

Find policies by entity type

GET /policy/global

Find the policy with the specified entity type.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request returns the name, type, and ID of all policies.

Response example

Find the number of data sources a specified policy applies to

GET /policy/global/appliedTo/{policyId}

Find the number of data sources the specified policy applies to.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request returns the number of data sources the Global Policy with the ID 6 applies to.

Response example

Get the policy information for a specific data source

GET /policy/dataSourcePolicies/{dataSourceId}

Get the policy information for the specified data source.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request returns the information of policies applied to the data source with the ID 2.

Response example

Get the differences between two policy versions

GET /policy/diff/{dataSourceId}

Get the differences between two policy handler versions.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request returns the information of policies applied to the data source with the ID 3.

Response example

Get the policy handler metadata for a specific data source

GET /policy/handler/{dataSourceId}

Get the policy handler metadata for a specific data source.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request returns the policy handler metadata for policies applied to the data source with the ID 1.

Response example

Delete a global policy

DELETE /policy/global/{policyId}

Delete the specified Global Policy.

Query parameters

Attribute

Description

Required

Response parameters

The response returns a of the policy that was deleted.

Request example

The following request deletes the Global Policy with ID 6.

Response example

Integration Configuration Payload

The parameters for configuring an integration in Immuta are outlined in the table below.

Parameter

Description

Required or optional

Default values

Accepted values

type string

The type of integration to configure.

Required

autoBootstrap boolean

Amazon S3 configuration object

The config object configures the S3 integration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Azure Synapse Analytics configuration objects

The config object configures the Azure Synapse Analytics integration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Azure Synapse Analytics impersonation object

The impersonation object enables and defines roles for user impersonation for Azure Synapse Analytics. The table below outlines its child parameters.

Parameter

Description

Default values

Accepted values

Delete Azure Synapse Analytics payload

The credentials you used when configuring your integration are required in the payload when autoBootstrap was set to true when setting up your integration. For integration configurations with autoBootstrap set to false, no payload is required when deleting the integration.

Parameter

Description

Required or optional

Accepted values

Metadata delimiters object

The metadataDelimiters object specifies the delimiters that Immuta uses to store profile data in Azure Synapse Analytics. The table below outlines its child parameters.

Parameter

Description

Default values

Accepted values

Databricks Unity Catalog configuration objects

The config object configures the Databricks Unity Catalog integration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Databricks Unity Catalog audit object

The audit object enables Databricks Unity Catalog query audit. The table below outlines its child parameter.

Parameter

Description

Default values

Accepted values

Group pattern object

The groupPattern object excludes the listed group from having data policies applied in the Databricks Unity Catalog integration. This account-level group should be used for privileged users and service accounts that require an unmasked view of data. The table below outlines its child parameters.

Parameter

Description

Default values

Accepted values

Databricks Unity Catalog proxy options object

The proxyOptions object represents your proxy server configuration in Databricks Unity Catalog. The table below outlines the object's child attributes.

Parameter

Description

Required or optional

Default values

Accepted values

Databricks Unity Catalog OAuth configuration object

The oAuthClientConfig object represents your OAuth configuration in Databricks Unity Catalog. This object is required if you set oAuthM2M as your . The table below outlines the object's child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Google BigQuery configuration object

The config object configures the Google BigQuery integration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Redshift configuration objects

The config object configures the Redshift integration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Delete Redshift integration payload

The authentication type and credentials you used when configuring your integration are required in the payload when autoBootstrap was set to true when setting up your integration. For integration configurations with autoBootstrap set to false, no payload is required when deleting the integration.

Parameter

Description

Required or optional

Accepted values

Redshift impersonation object

The impersonation object enables and defines roles for user impersonation for Redshift. The table below outlines its child parameters.

Parameter

Description

Default values

Accepted values

Okta object

The okta object represents your Okta configuration. This object is required if you set okta as your authentication type in the Redshift integration configuration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Snowflake configuration objects

The config object configures the Snowflake integration. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Audit object

The audit object enables Snowflake query audit. The table below outlines its child parameter.

Parameter

Description

Default values

Accepted values

Delete Snowflake integration payload

Parameter

Description

Required or optional

Accepted values

Snowflake impersonation object

The impersonation object enables and defines roles for user impersonation for Snowflake. The table below outlines its child parameters.

Parameter

Description

Default values

Accepted values

Lineage object

The lineage object enables Snowflake lineage ingestion. When this setting is enabled, Immuta automatically applies tags added to a Snowflake table to its descendant data source columns in Immuta so you can build policies using those tags to restrict access to sensitive data. The table below outlines its child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

Snowflake OAuth configuration object

The oAuthClientConfig object represents your OAuth configuration in Snowflake. This object is required if you set oAuthClientCredentials as your authentication type in the Snowflake integration configuration, and you must set autoBootstrap to false. The table below outlines the object's child parameters.

Parameter

Description

Required or optional

Default values

Accepted values

User role pattern object

The userRolePattern object excludes roles and users from authorization checks in the Snowflake integration. The table below outlines its child parameter.

Parameter

Description

Default values

Accepted values

Workspaces object

The workspaces object represents an Immuta project workspace configured for Snowflake. The table below outlines its child parameters.

Parameter

Description

Default values

Accepted values

Manage Sensitive Data Discovery (SDD)

Sensitive data discovery (SDD) API reference guide

Workflow

Create an identifier.
Create an identification framework containing one or more identifiers.
.
.
.
.
.

Create an identifier

To run this identifier against your data, ensure it is

POST /sdd/classifier

Create an identifier.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request creates an identifier, saved in example-payload.json.

Payload examples

Response example

Create an identification framework

POST /sdd/template

Create an identification framework.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request creates an identification framework that contains 2 identifiers, saved in example-payload.json.

Payload example

Response example

Search for identifiers or identification frameworks

Method

Path

Purpose

List or search for identifiers

GET /sdd/classifier

List or search identifiers.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request lists 5 identifiers.

Response example

List or search for identification frameworks

GET /sdd/template

List or search identification frameworks.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request lists all identification frameworks.

Response example

View an identifier by name

GET /sdd/classifier/{classifierName}

Get an identifier by name.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request gets the identifier named MY_REGEX_IDENTIFIER.

Response example

View an identification framework by name

GET /sdd/template/{templateName}

Get an identification framework by name.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request gets the identification framework named MY_FIRST_FRAMEWORK.

Response example

View the current global framework

GET /sdd/template/global

View the current global framework.

Response parameters

Attribute

Description

Request example

This request gets the current global framework information.

Response example

Apply identification frameworks to data sources

PUT /sdd/template/apply

Apply an identification framework to a set of data sources.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request applies the MY_FIRST_FRAMEWORK framework to the Public Case data source.

Payload example

Response example

Run SDD on data sources

POST /sdd/run

Run SDD on specified data sources.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example: Run SDD on a single data source

This request runs SDD on the data source Public Case.

Payload example

Response example

Request example: Run SDD on all data sources

This request runs SDD on all your data sources.

Payload example

Response example

Request example: Test run SDD on all data sources

This request runs SDD on the Medical Claims data source with the PII_REVISION framework, but will not tag any columns if matches are found.

Payload example

Response example

Update identifiers or identification frameworks

Method

Path

Purpose

Update an identifier

PUT /sdd/classifier/{classifierName}

Update an identifier. Partial updates are not supported.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request updates the name and description of the MY_REGEX_IDENTIFIER identifier.

Payload example

Response example

Clone an identification framework

POST /sdd/template/{templateName}/clone

Clone an identification framework.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request clones the MY_FIRST_FRAMEWORK identification framework.

Payload example

Response example

Update an identification framework

PUT /sdd/template/{templateName}

Update an identification framework.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request updates the name of, description of, and identifiers in the MY_FIRST_FRAMEWORK identification framework.

Payload example

Response example

Delete identifiers or identification frameworks

Method

Path

Purpose

Delete an identifier

DELETE /sdd/classifier/{classifierName}

Delete an identifier.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request deletes the REGULAR_EXPRESSION identifier.

Response example

Delete an identification framework

DELETE /sdd/template/{templateName}

Delete an identification framework.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The following request deletes the HEALTH_DATA identification framework.

Response example

Manage Projects

Projects API reference guide

This page details how to use the projects API to query projects and the data sources associated with them in Immuta.

Projects workflow

Create a project.
.
.
.
.
.
.

Create a project

POST /project

Create the project.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example request with the payload below will create a new project.

Example request payload

This example payload will create a new project named API Project.

Example response

Search projects

Method

Path

Purpose

Search all projects

GET /project

Search for projects.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request gets a list of all of the projects.

Response example

Search for projects by ID

GET /project/{projectId}

Get the project with the given ID.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example gets the project object for the project with the ID 2.

Example response

Manage projects

Method

Path

Purpose

Update project by ID

PUT /project/{projectId}

Update the project with the given ID.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example request with the payload below will update the project with the project ID 2.

Example request payload

This example payload will update the project to be named Documentation Project.

Example response

View project activity by project ID

GET /project/{projectId}/activity

Get all of the recent activity for a given project.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example gets one activity for the project with the project ID 2.

Example response

View the state of an equalized project

GET /project/{projectId}/checkEqualizationState

Get current state of an equalized project.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example gets the state of project equalization of the project with the project ID 2.

Example response

Manage project members

Method

Path

Purpose

View project members

GET /project/{projectId}/members

Get all of the members for a given project.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This request gets all of the members of the project with the project ID 2.

Example response

Check the members' equalized entitlements

POST /project/{projectId}/checkEqualizedAuths

Check that all members meet the provided equalized entitlements.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request with the payload below will check if the requesting user is in the "View Masked Values" group.

Payload example

Response example

Add a member to a project

POST /project/{projectId}/members

Add a member to the project.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Example request

This example request with the payload below will add a new member to the project with the project ID 1.

Example request payload

Example response

Update a project member

PUT /project/{projectId}/members/{subscriptionId}

Update a member of the project.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request with the payload below will update the user with the subscription ID 2 to be a subscriber of the project with the project ID 3.

Payload example

Response example

Manage project data sources

Method

Path

Purpose

View project data sources by project ID

GET project/{projectId}/dataSources

Get all of the data sources for a given project.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example gets the data source details for all of the data sources of the project with the project ID 2.

Example response

Remove data sources from a project

DELETE /project/{projectId}/dataSources

Remove supplied data sources from the project.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example request deletes the data source with the ID 8 from the project with the project ID 2.

Example response

Add data sources to a project

POST /project/{projectId}/dataSources

Adds data sources to a project.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example request with the payload below will add the data source with the data source ID 1 to the project with the project ID 1.

Example request payload

This example payload will add the data source with the data source ID 2 to the project.

Example response

Update the reason for adding a data source

PUT /project/{projectId}/dataSources/{dataSourceId}

Updates the reason for adding a data source to a project.

Query parameters

Attribute

Description

Required

Request example

This example request with the payload below will update the reason that the data source with the data source ID 1 was added to the project with the project ID 1.

Response example

None.

Use projects

Method

Path

Purpose

Unsubscribe from a project

DELETE /project/{projectId}/unsubscribe

Unsubscribe from a project.

Query parameters

Attribute

Description

Required

Request example

This example request unsubscribes the user from the project with the project ID 5.

Select the current project to act under

POST /project/current/{projectId}

Set the current project ID the current user is acting under.

Query parameters

Attribute

Description

Required

Request example

This example request sets the current project to act under as the project with the project ID 1.

Set current project to `None`

POST /project/current/null

Set the to None.

Request example

Acknowledge the project restrictions

POST /project/{projectId}/members/{subscriptionId}/acknowledge

Acknowledge all the restrictions on this project.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request acknowledges all of the purposes in the project with the project ID 1.

Payload example

Response example

Delete project by ID

DELETE /project/{projectId}

Delete the project with the given ID.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Example request

This example request will delete the project with the project ID 4.

Example response

Generate Governance Reports

Governance API reference guide

This page describes the /governance endpoint of the Immuta API and its request parameters used to generate governance reports.

Additional fields may be included in some responses you receive; however, these attributes

are for internal purposes and are therefore undocumented.

Default 9-minute timeout

Governance report queries will timeout after 9 minutes to avoid overconsumption of resources. If your governance report was not generated because of this timeout, to change the default setting.

Endpoints

Method

Endpoint

Description

`GET` `/governance/reports/user/allUserDataSources`

Generate a report of all the data sources that all users are currently subscribed to.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/allUserStatus`

Generate a report of all current users and details about them.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/{userId}/dataSource`

Generate a report of the data sources the specified user is currently subscribed to.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/{userId}/group`

Generate a report of the groups the specified user is currently a member of.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/{userId}/project`

Generate a report of the projects the specified user is currently a member of.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/{userId}/dataSourcePurposeAccess`

Generate a report of all the purposes the user has accessed data for during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/{userId}/dataSourceUserAccess`

Generate a report of all the data sources the user has directly accessed during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/user/{userId}/attribute`

Generate a report of all the attributes the specified user currently has.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/group/allGroupDataSourceAccess`

Generate a report of all the data sources that any member in any group is subscribed to.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/group/{groupId}/user`

Generate a report of all the users who are currently a member of the group.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/group/{groupId}/dataSource`

Generate a report of all the data sources that members of the group are currently subscribed to.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/group/{groupId}/project`

Generate a report of all the projects that the members of the group are currently subscribed to.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/group/{groupId}/attribute`

Generate a report of all the attributes currently assigned to the specified group.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/project/{projectId}/user`

Generate a report of all the data sources and members currently in the project.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/project/{projectId}/dataSource`

Generate a report of all the data sources currently in the specified project.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/project/{projectId}/purpose`

Generate a report of all the purposes currently assigned to the specified project.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/allDataSourceUsers`

Generate a report of every user and group currently subscribed to any data source.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/user`

Generate a report of all the users and groups currently subscribed to the specified data source.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/project`

Generate a report of the projects that currently have the specified data source.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/purpose`

Generate a report of the purpose of every project that has the specified data source.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/dataSourceUserAccess`

Generate a report of the users that have accessed the data source during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/dataSourcePurposeAccess`

Generate a report of the purposes the data source has been accessed for during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/subscriptionHistory`

Generate a report of the users and groups that have been subscribed to the data source during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/dataSource/{dataSourceId}/dataSourceSddScoring`

Generate a report of data discovery scoring information for every column in the specified data source.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/purpose/{purposeId}/user`

Generate a report of all current members of the projects that use the specified purpose.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/purpose/{purposeId}/dataSource`

Generate a report of all current data sources of the projects that use the specified purpose.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/purpose/{purposeId}/purpose`

Generate a report of all other purposes currently combined with the specified purpose.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/purpose/{purposeId}/project`

Generate a report of projects with the specified purpose currently assigned.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/purpose/{purposeId}/dataSourcePurposeAccess`

Generate a report of data sources that have been accessed for the specified purpose during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/allDataSourceUserAccess`

Generate a report of the users who have subscribed to data sources that were tagged with any tag since the specified start date.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/allProjects`

Generate a report of the projects with data sources currently tagged with any tag.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/allUserDataSources`

Generate a report of every data source currently tagged with any tag.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/{tagName}/dataSource`

Generate a report of the data sources currently tagged with the specified tag.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/{tagName}/dataSourceUserAccess`

Generate a report of users who have accessed data sources tagged with the specified tag during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/{tagName}/dataSourcePurposeAccess`

Generate a report of the purposes that have been used to access data with the specified tag during the specified date range.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/tag/{tagName}/proj`ect

Generate a report of the projects that have data sources currently tagged with this tag.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/policy/{policyType}/dataSource`

Generate a report of the data sources this data policy type is currently applied to.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/globalPolicy/globalPolicyDisabled`

Generate a report of all disabled global policies.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/globalPolicy/globalPolicyInConflict`

Generate a report of all policies currently in conflict.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/globalPolicy/{policyId}/globalPolicyNotCertified`

Generate a report of all data sources the specified policy has not been certified on.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/globalPolicy/{policyId}/globalPolicyCertified`

Generate a report of all data sources the specified policy has been certified on.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/globalPolicy/{policyId}/dataSource`

Generate a report of all data sources the specified global policy is applied to.

Request parameter

Parameter

Description

Required or optional

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/sdd/sddTagsOverview`

Generate a report of all columns with Discovered tags currently applied.

Query parameters

Parameter

Description

Required or optional

`GET` `/governance/reports/sdd/legacySddTags`

Generate a report of all columns with legacy Discovered tags currently applied.

Query parameters

Parameter

Description

Required or optional

Example request

Example response

Manage IAMs

BIM API reference guide

This page details the bim API, which allows users to programmatically access information about users, their group memberships, and authentications. Most of the actions described here require ADMIN permissions.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

BIM workflow

Because the BIM endpoint encompasses groups, users, and authentications, there are three workflows.

Users workflow

Groups workflow

Authenticate with the API workflow

Create a new user

POST /bim/iam/bim/user

Create a new BIM user.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request with the payload below will create a new BIM user with the username [email protected].

Payload example

Response example

Manage users

Method

Path

Purpose

Authenticate a user from an outside IAM

GET /bim/iam/{iamid}/user/authenticate

Authenticate a user from a 3rd-party identity provider.

Request parameters

Attribute

Description

Required

Request example

This example request

Authenticate user with username and password

POST /bim/iam/{iamid}/user/authenticate

Authenticate a user using their username and password and proxying it to the specified IAM service.

Request parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request with the payload below will authenticate the user using the bim IAM.

Payload example

Response example

Update a user profile

PUT /bim/iam/{iamid}/user/{userid}/profile

Update a specified user's profile.

Request parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will change the location to Boston, MA for the user with the username [email protected].

Payload example

Response example

Remove a user's permissions

DELETE /bim/iam/{iamid}/user/{userid}/permissions/{permission}

Remove the specified user's permission.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will delete the permission CREATE_DATA_SOURCE_IN_PROJECT from the user with the username [email protected].

Response example

Update a user's permissions

PUT /bim/iam/{iamid}/user/{userid}/permissions

Update the specified user's permission.

Request parameters

Attribute

Description

Required

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request with the payload below will change to permissions of the user with the username [email protected] to CREATE_DATA_SOURCE_IN_PROJECT, CREATE_PROJECT, and CREATE_DATA_SOURCE.

Payload example

Response example

Update a user's password

PUT /bim/iam/{iamid}/user/{userid}/password

Update the specified user's password.

Request parameters

Attribute

Description

Required

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request with the payload below will change the password of the user with the ID [email protected].

Payload example

Response example

Disable or enable a user

PUT /bim/iam/{iamid}/user/{userid}/disable/{disable}

Disable / enable the specified BIM user.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will disabled the user with the username [email protected].

Response example

Sync users from an external IAM

POST /bim/syncUsers

Sync users from an external IAM.

Payload parameters

Attribute

Description

Required

Request example

This example request will sync the users from the specified external IAM with Immuta.

Payload example

Sync LDAP users with Immuta

POST /iam/{iamId}/sync

Sync LDAP users with Immuta.

Request parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will sync the users from Jump Cloud with Immuta.

Payload example

Response example

Update a user's or group's attributes

PUT /bim/iam/{iamid}/{modelType}/{modelId}/authorizations/{attributeName}/{attributeValue}

Update the specified user's attributes.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will add the attribute Finance.Red Team to the user with the username [email protected].

Response example

Remove a user or group's attribute

DELETE /bim/iam/{iamid}/{modelType}/{modelId}/authorizations/{key}/{value}

Remove an attribute from the specified group or user.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will remove the attribute Country.JP from the user with the user ID [email protected].

Response example

Clone user

Configure SMTP: SMTP must be configured to use this endpoint. Additionally, after the users are created, they will not be active until they sign in to the Immuta UI.

POST /bim/iam/bim/user/{userid}/clone

Clones the provided user (including their permissions, groups, and attributes) to create multiple additional user accounts.

Request parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will clone the user with the username [email protected].

Payload example

Response example

Review user information

Method

Path

Purpose

Search all IAMs

GET /bim/iam

Get a listing of configured IAM services.

Response parameters

Attribute

Description

Request example

The request below will list all of the IAMs in use.

Response example

Search all users

GET /bim/user

Administrative search over the aggregated view of all users.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

The request below will search all of the users in Immuta.

Response example

View current user's information

GET /bim/rpc/user/current

Get the currently logged in user's information.

Response parameters

Attribute

Description

Request example

This request will return information on the user that is logged in.

Response example

View a user's information

GET /bim/iam/{iamid}/user/{id}

Gets the specified user's aggregated view.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will return information about the user with the ID 2.

Response example

View a user profile

GET /bim/iam/{iamid}/user/{userid}/profile

Gets the specified user's profile.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will return the profile of the user with the ID 2.

Response example

View a user's groups

GET /bim/iam/{iamid}/user/{userid}/groups

Get the specified user's list of groups.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will return information on the groups of the user with the username [email protected].

Response example

Delete a user

DELETE /bim/iam/bim/user/{userid}

Delete the specified user in Immuta.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will delete the user with the username [email protected].

Response example

Create a new group

POST /bim/group

Create a new group.

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request with the payload below will create a group through the bim IAM with the name API Group.

Payload example

Response example

Manage groups

Method

Path

Purpose

Update a group

PUT /bim/group/{groupId}

Update the specified group.

Request parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request with the payload below will update the group with the ID 2 with the name API Group #2 and with a new description.

Payload example

Response example

Remove a user from a group

DELETE /bim/group/{groupId}/user/{groupuserid}

Remove a user from a group.

Request parameters

Attribute

Description

Required

Request example

Add a user to a group

POST /bim/group/{groupId}/user

Add a new user to a group.

Request parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request with the payload below adds the user with the ID [email protected] to the group with the ID 2.

Payload example

Response example

Update a group's attributes

PUT /bim/iam/{iamid}/group/{groupid}/authorizations/{attributeName}/{attributeValue}

Update the specified group's attributes.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will add the attribute Finance.Red Team to the group with the ID 2.

Response example

Search groups

Method

Path

Purpose

Search all groups from all IAMs

GET /bim/group

Get the list of groups from all configured IAMs.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request will return all of the groups in Immuta.

Response example

Search a specific group

GET /bim/group/{groupid}

Get the specified group.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request will search for the group with the ID 2.

Response example

Search a group's users

GET /bim/group/{groupid}/user

Get group users.

Query parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This request will return information on the users in the group with the ID 2.

Response example

Delete a group

DELETE /bim/group/{groupId}

Delete the specified group.

Query parameters

Attribute

Description

Required

Request example

This request will delete the group with the ID 3.

Authenticate a user and create a project API key

POST /bim/apikey

Authenticate the user and create a project API key.

Payload parameters

Attribute

Description

Required

The payload must have one or both of the two attributes above.

Response parameters

Attribute

Description

Request example

This example request with the payload below will authenticate the user Jane Doe in the project with the ID 1 and create a new API key for her.

Payload example

Response example

Authenticate with an API key

Method

Path

Purpose

Authenticate a user with an API key

POST /bim/apikey/authenticate

Authenticate with the Immuta API using an API key.

Payload parameters

Attribute

Description

Response parameters

Attribute

Description

Request example

This example request will authenticate the user with the Immuta API.

Payload example

Response example

Impersonate a user with an API key

POST /bim/apikey/impersonate

Impersonate another user using an API key.

Payload parameters

Attribute

Description

Response parameters

Attribute

Description

Request example

This example request will allow the requesting user to impersonate the user specified in example-payload.json.

Payload example

Response example

View tokens and API keys

Method

Path

Purpose

View token information

POST /bim/token

Get information for a given token, should it exist.

Payload parameters

Attribute

Description

Response parameters

Attribute

Description

Request example

This example request will return information on the access token in the payload.

Payload example

Response example

View a user's API keys

GET /bim/iam/{iamid}/user/{userid}/apikeys

Get metadata for all of the user's API keys.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will return information on the API keys of the user with the username [email protected].

Response example

Delete an API key

DELETE /bim/apikey/{keyid}

Delete an API key, all auth tokens issued using that API key, and generate a new API key.

Request parameters

Attribute

Description

Required

Response parameters

Attribute

Description

Request example

This example request will delete the API key with the ID 323, revoke all the auth tokens issued using that API key, and generate a new API key.

Response example

Subscribe to and Manage Data Sources

Data Source API reference guide

This page describes the dataSource endpoint, through which users can subscribe to data sources and manage data source tasks. To create data sources, see the specific handler endpoints.

Additional fields may be included in some responses you receive; however, these attributes are for internal purposes and are therefore undocumented.

Data source workflow

Search data sources and data source details

Method

Path

Purpose

Search for data sources

GET /dataSource

Search for data sources that you own or are authorized to see.

Query parameters

Attribute

Description

Required

Response schema

The response will return data sources you own or are authorized to see.

Attribute

Description

Request example

The following request returns 2 data sources.

Response example

Get a data source by ID

GET /dataSource/{dataSourceId}

Get a data source based on the ID.

Query parameters

Attribute

Description

Required

Response Schema

Attribute

Description

Request example

The following request gets a data source based on the ID 22.

Response example

Get data source by name

GET /dataSource/name/{dataSourceName}

Get a data source based on the name.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets a data source based on the name Public Barfoo.

Response example

Get a data source by the short name

GET /dataSource/sqlTableName/{shortName}

Get a data source based on the SQL table name.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets a data source based on the SQL table name customer_data.

Response example

Get data source relationships

GET /dataSource/{dataSourceId}/lineage/{type}

Get parent and child relationship records for derived data sources using a specified data source ID.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets the parent relationship records for the derived data source with the data source ID 4.

Response example

Retrieve a Blob

GET /dataSource/{dataSourceId}/blob/{blobid*}

Retrieve a blob.

Query parameters

Attribute

Description

Required

Response schema

The response will download the blobs in a file you specify.

Request example

The following request retrieves a blob.

Response example

Get users by access level

GET /dataSource/{dataSourceId}/access

Get all users with the provided access level for this data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets all users with the provided access level for this data source.

Response example

Get user access info for a data source

GET /dataSource/{dataSourceId}/users/{profileId}/policyInfo

Retrieves the visibilities, masking information, and filters that the passed in user has access to in the specified data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets the visibility information for the user with the profile ID 2 on the data source with the data source ID 16.

Response example

Get user visibility info for a data source

GET /dataSource/{dataSourceId}/users/{profileId}/visibilityReport

Retrieves a summary of total records, total visibilities (the unique values contained in a column protected by a row-level security policy that allow Immuta to determine whether or not a user can see a given row if they possess an attribute that matches the visibility of that row), and visibilities a given user has access to.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets all of the visibility information for the user with the profile ID 2 on the data source with the data source ID 16.

Response example

Get current user visibility info

GET /dataSource/{dataSourceId}/visibilityReport

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets all of the visibility information for the current user on the data source with the data source ID 16.

Response example

Access data sources and make data source requests

Method

Path

Purpose

POST /dataSource/subscribe

Subscribe to a data source.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request subscribes to the data source with ID 22.

Payload example

Response example

Request to unmask values

Deprecation notice

Support for unmask requests has been deprecated.

POST /dataSource/{dataSourceId}/reverseMask

Makes a request for values to be unmasked.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following requests for values to be unmasked.

Request payload example

Response example

Add a user to a data source

POST /dataSource/{dataSourceId}/access

Add a user to a specific data source. Requestors cannot add themselves to a data source. To request access to a data source, .

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request adds a user (saved in example-payload.json) to this data source.

Request payload example

Response example

Manage data source requests

Method

Path

Purpose

Get pending tasks by user

GET /dataSource/tasks/pending

Get all pending tasks for this user and pending tasks this user has created.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets all pending tasks for a user and pending tasks the user has created.

Response example

Mark tasks as complete

GET /dataSource/tasks/{taskId}

Handles the given task and marks it as complete.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request handles the given task and marks it as complete.

Response example

Return tasks for a data source

GET /dataSource/{dataSourceId}/tasks

Returns all tasks the user has made, can approve or deny, or validate for this data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request returns all tasks the user has made, can approve or deny, or validate for this data source.

Response example

Change user status

PUT /dataSource/{dataSourceId}/access/{subscriptionId}

Change user status for a specific data source. Requestors cannot update their own status for a data source.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request changes the user status to subscribed for the specified data source.

Payload example

Response example

Update data sources

Method

Path

Purpose

Update a data source

PUT /dataSource/{dataSourceId}

Update a data source.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request updates the data source's documentation (saved in example-payload.json).

Request payload example

Response example

Update multiple data sources

PUT /dataSource/bulk/{type}

Update data sources.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request adds the Address.email tag to two data sources.

Payload example

Response example

Refresh views

POST /dataSource/bulkRefreshViews

Refresh views.

Payload parameters

Attribute

Description

Required

Request example

The following request with the payload below refreshes the view for the data source with the ID 202.

Payload example

Save blob metadata to Immuta

POST /dataSource/{dataSourceId}/blobs

Save blob metadata to Immuta.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request saves blob metadata to Immuta.

Payload example

Response example

Store blob metadata locally

POST /dataSource/{dataSourceId}/persistBlob

Save blob metadata to Immuta and store raw content in local blob store.

Query parameters

Attribute

Description

Required

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request saves blob metadata to Immuta and stores raw content in local blob stores.

Payload example

Response example

Trigger schema monitoring jobs

PUT /dataSource/detectRemoteChanges

Trigger the schema monitoring job for the specified detection group, or all groups if no payload parameters are given.

Payload parameters

Attribute

Description

Required

Response schema

Attribute

Description

Responses may include bulkId, schemaDetection, or columnDetection objects, depending on the payload.

Request example

The following request triggers the schema monitoring job for the specified detection group.

Payload example

The tabs below illustrate payloads for triggering schema monitoring on a host, database, or table. The request will run schema monitoring for all databases registered under the hostname provided in the payload.

The request will run schema monitoring for all databases registered under the hostname provided in the payload.

The request will run schema monitoring on the database provided in the payload. If data sources were initially registered via the V2 API, this request will locate new schemas that contain tables Immuta has the ability to access, and Immuta will create a new schema project associated with these newly discovered schemas and create data sources for each table located. If data sources were initially registered via the V1 API, this request will only update the columns and tables of registered schema and tables of the specified database; it will not register any new schemas.

The request will run column detection and update the columns on the table specified in the payload.

Response examples

The tabs below illustrate the example response for each example payload provided above.

View and Review Data Sources

Method

Path

Purpose

Refresh external catalog tags on a data source

GET /dataSource/{dataSourceId}/test

Refreshes tags from an external catalog on a data source. The external catalog must be linked to the data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request refreshes external catalog tags on the data source.

Response example

Retrieve blob handlers

GET /dataSource/blobHandlerTypes

Retrieve all blob handlers the current user is allowed to create.

Response schema

Attribute

Description

Request example

The following request retrieves all blob handlers the current user is allowed to create.

Response example

Get data sources by purpose

GET /dataSource/byPurposes

Get data sources that match a set of purposes.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets data sources that match a set of purposes.

Response example

Retrieve data sources by user

GET /dataSource/rpc/mine

Retrieves all the data sources the current user has access to.

Response schema

Attribute

Description

Request example

The following request retrieves all the data sources the current user has access to.

Response example

Get recent policy activities for a data source

GET /dataSource/{dataSourceId}/activities

Get all of the recent policy activities for a given data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets all of the recent policy activities for a given data source.

Response example

Get profiles for data source owners and experts

GET /dataSource/{dataSourceId}/contacts

Gets the profiles for the data source owners and experts.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets all the profiles for the data source owners and experts.

Response example

Get tags by data source

GET /dataSource/{dataSourceId}/tags

Get the tags for a data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request gets the tags for data source 4.

Response example

Get users who can unmask columns

GET /dataSource/{dataSourceId}/{columnName}/unmaskUsers

Return the users who can unmask the given column.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request returns the users who can unmask the given column.

Response example

Delete Data Sources and More

Method

Path

Purpose

Delete a data source

DELETE /dataSource/{dataSourceId}

Delete a data source. This will perform a soft delete on the first call and a hard delete the second time.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request deletes the data source 23.

Response example

Delete a task

DELETE /dataSource/tasks/{taskId}

Delete the specified task.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request deletes a specified task.

Response example

Delete a blob

DELETE /dataSource/{dataSourceId}/blob/{blobId*}

Delete a blob.

Query parameters

Attribute

Description

Required

Response schema

When the blob is successfully deleted, there will be no response.

Request example

The following request deletes a blob.

Unsubscribe from a data source

DELETE /dataSource/{dataSourceId}/unsubscribe

Unsubscribe from a data source.

Query parameters

Attribute

Description

Required

Response schema

Attribute

Description

Request example

The following request unsubscribes the user from data source 23.

Developer Guides

The Immuta CLI

Section Overview

Workflow

Commands

Install and Configure the Immuta CLI

1 - Install the Immuta CLI

2 - Configure the CLI with Your Immuta Tenant

3 - Install Tab Completions

Manage Your Immuta Tenant

Command Overview: immuta

Options

Clone Your Tenant: immuta clone

Options

Limitations

immuta api

Options

Examples

Manage Data Sources

Command Overview: immuta datasource

Options

Create a Data Source: immuta datasource save

Example

Rename a Data Source Connection Key: immuta datasource rename

Example

Delete Data Sources: immuta datasource delete

Example

Manage Sensitive Data Discovery

Command overview: immuta sdd

Options

SDD workflow

Workflow 1: Apply the global framework to all data sources

Workflow 2: Apply a framework to a specific data source

Run Sensitive Data Discovery on Data Sources

Prerequisite

Command Overview: immuta sdd run

Manage Policies

Command Overview: immuta policy

Manage Projects

Command: immuta project

Options

Create Project: immuta project save

Example

Rename a Project Key: immuta project rename

Example

Delete a Project: immuta project delete

Example

Manage Purposes

Command: immuta purpose

Manage Audit

immuta audit exportConfig {command} <arguments> [flags]

Commands

Audit Export Configuration Example

The Immuta API

Integrations API

How-to Guides

Reference Guides

Create Purposes API Examples

Basic Purpose

Advanced Purpose

Sub-Purpose

Immuta V1 API

Section Overview

Authenticate with the API

Workflow

Configure Your Instance of Immuta

Section Contents

Get Fingerprint Status

Get the status of the fingerprint service

Response parameters

Request example

Response example

Get Job Status

Get job status and output

Connect Your Data

Manage Data Access

Section Contents

Search Connection Strings

Search connection strings

Search for Organizations

Command Overview: `immuta`

Clone Your Tenant: `immuta clone`

`immuta api`

Command Overview: `immuta datasource`

Create a Data Source: `immuta datasource save`

Rename a Data Source Connection Key: `immuta datasource rename`

Delete Data Sources: `immuta datasource delete`

Command overview: `immuta sdd`

Command Overview: `immuta sdd run`

Command Overview: `immuta policy`

Command: `immuta project`

Create Project: `immuta project save`

Rename a Project Key: `immuta project rename`

Delete a Project: `immuta project delete`

Command: `immuta purpose`

`immuta audit exportConfig {command} <arguments> [flags]`

Command overview: `immuta sdd`

Command Overview: `immuta sdd run`

Command: `immuta purpose`

Create a Purpose: `immuta purpose save`

Delete a Purpose: `immuta purpose delete`

`immuta audit exportConfig {command} <arguments> [flags]`