Advanced Use of Special Functions
There are several different advanced functions that are available for building subscription policies. Some of these functions, listed below, are narrowly focused on orchestrated RBAC use cases. Orchestrated RBAC is when an organization has many roles that represent access, and rather than switching to using the ABAC model provided by Immuta, they use these special functions to orchestrate existing roles using Immuta.
Specifically, the functions to enable orchestrated-RBAC are:
@hostname@database@schema@table@hasTagAsAttribute('Attribute Name', 'dataSource' or 'column')@hasTagAsGroup('dataSource' or 'column')
Example 1
Policy:
@hasAttribute('SpecialAccess', '@hostname.@database.*')
User:
has the attribute
SpecialAccesswith the valueus-east-1-snowflake.default.*
The user would be subscribed to all the data sources in the default database. Note this has nothing to do with tags, it is based purely on the physical name of the host, database, schema, and table in the native data platform. Also note that the user attribute contains an asterisk * to denote everything under the default database hierarchy. Asterisks are supported only for the infrastructure special functions:
@hostname@database@schema@table
This is because, since it's an infrastructure view, Immuta can assume a 4-level hierarchy (hostname.database.schema.table) and an asterisk can be placed between any two objects in that 4-level hierarchy to represent any object, such as
us-east-1-snowflake.*.hr. That would give the user access to any schema named hr in host us-east-1-snowflake no matter the database.
However, that is not possible when using the tag-based special functions:
@hasTagAsAttribute('Attribute Name', 'dataSource' or 'column')@hasTagAsGroup('dataSource' or 'column')
This is because Immuta cannot rely on a 4-level hierarchy always being the case. For example, *.Age could mean many things in a tag hierarchy. However it does support using parent attributes to apply to child attributes as described in Example 2.
Lastly, the asterisk represents any object, but cannot be used for a concatenated wildcard like so: snowfl*.tpc.*.*
Example 2
Policy:
@hasTagAsAttribute('PersonalData', 'dataSource')
User:
has the attribute key
PersonalDatawith the values
Discovered.PIIDiscovered.Entity
Data source 1:
tagged:
Discovered.Identifier IndirectDiscovered.PHIDiscovered.PII
Data source 2:
tagged:
Discovered.Identifier DirectDiscovered.PCIDiscovered.Entity.Social Security Number
Data source 3:
tagged:
Discovered.Identifier DirectDiscovered.PHI
The user would be subscribed to data source 1 and 2, but the user would not be subscribed to data source 3. This is because access moves from left-to-right in the hierarchy based on what the user possesses (the wildcard asterisk is implied).
So if a user had a more specific attribute key PersonalData with the values Discovered.Entity.Social Security Number, they would only get access to hypothetical data source 2, because their attribute is further left or matches (in this case matches) Discovered.Entity.Social Security Number.
The below table provides more examples:
| User Attributes | Data Source Tags | Subscribed? | Notes |
|---|---|---|---|
| 'PersonalData': ['Discovered.PII', 'Discovered.Entity'] | ['Discovered.Identifier Indirect', 'Discovered.PII'] | Yes | Exact match on 'Discovered.PII' |
| 'PersonalData': ['Discovered.Entity'] | ['Discovered.PHI', 'Discovered.Entity.Age'] | Yes | User attribute 'Discovered.Entity' is a hierarchical parent of data source tag 'Discovered.Entity.Age' |
| 'Access': ['Discovered.PII', 'Discovered.Entity'] | ['Discovered.Identifier Indirect', 'Discovered.PII'] | No | The policy is written to only match values under the 'PersonalData' attribute key. Not 'Access'. |
| 'PersonalData': ['Discovered'] | ['Discovered.Entity.Age'] | Yes | User attribute 'Discovered' is a hierarchical parent of data source tag 'Discovered.Entity.Age' |
| 'PersonalData': ['Discovered.Entity.Social Security Number'] | ['Discovered.Entity'] | No | Hierarchical matching only happens in one direction (user attribute contains data source tag). In this case, the user attribute is considered hierarchical child of the data source tags. |
Merging special functions
It is also possible to build subscription policies separately that use these special functions and have them merge appropriately on data sources.
This could be helpful for use cases with a policy like the following:
If user has the attribute “Allowed_Domain.Domain A” they get access to generic data that is part of domain A.
If user has the attribute “Badge_Allowed.Badge X” they should gain access to both “generic data + any additional data (only in domain A because they only have “Data Domain A General Access”) that has been tagged as “Badge X”.
In this case it can be two separate subscription policies, such as
Policy 1:
@hasTagAsAttribute(Allowed_Domain, ‘datasource’) this would limit to the domains where they are allowed to see generic data.
Policy 2:
@hasTagAsAttribute(Badge_Allowed, ‘datasource’) this would limit to the badges they are allowed to see.
Then, when the data sources are tagged with table tags that represent access, if the table only has the domain tag, only policy 1 will apply; however, if it has a domain tag and a badge tag, both policies will be applied and merged successfully by Immuta.
Use with caution
While this approach is extremely powerful, in many cases, it will continue to leave you dealing with policy complexity associated with RBAC. Please read the Automate data access control decisions use case for more details, specifically The two paths guide.