Approve and Promote a Global Policy
Audience: Data Governors and Data Owners
Content Summary: This page outlines how to approve and promote Global Policies in a development environment to be activated in a production environment. For instructions on enabling this feature, see Enable Approve to Promote. For an overview of the feature, see the Approve to Promote Overview page.
Prerequisite: Approve to Promote enabled on a development instance of Immuta.
Additional Tutorial
Use Case
Compliance Requirement: Policies must be written in Dev and then approved by the compliance team before they are moved into the Prod environment. Additionally, all personal data must be made null.
After enabling Approve to Promote, this organization can use this feature to allow for their approval workflow: Data Governors create Global Policies in Dev that are then reviewed before being approved and promoted to Prod.
This tutorial uses this example to illustrate the Approve to Promote feature.
1 - Configure the Dev and Prod Instance in the Immuta CLI
Production Instance Cannot Have Approve to Promote Enabled
The production instance of Immuta cannot have the Approve to Promote feature enabled on the App Settings page. This configuration should only be applied to the development instance.
Before you can add promoted policies to the production environment, you need to configure the production environment as an additional profile in the Immuta CLI.
- Run immuta configure -p dev. Note: dev is the profile name of the development instance in this example. You can use a different name.
- Enter the URL and your API Key for your development Immuta instance in the interactive prompt.

    $ immuta configure -p dev
    ? What is the url of the immuta instance you use?: https://your.dev.instance.url.com/
    ? What is the api key of your immuta user account?: ***************************
    Updated the config at /Users/user/.immutacfg.yaml

- Run immuta configure -p prod. Note: prod is the profile name of the production instance in this example. You can use a different name.
- Enter the URL and your API Key for your production Immuta instance in the interactive prompt.

    $ immuta configure -p prod
    ? What is the url of the immuta instance you use?: https://your.prod.instance.url.com/
    ? What is the api key of your immuta user account?: ***************************
    Updated the config at /Users/user/.immutacfg.yaml
Below is the configuration file that will be saved at ~/.immutacfg.yaml:

    dev:
      api_key: <api key>
      host: https://your.dev.instance.url.com
    prod:
      api_key: <apiKey>
      host: https://your.prod.instance.url.com
2 - Build the Global Policy in Dev
- Create a Global Data Policy in the development instance. In the example below, the policy masks by hashing:
- Request a review from approvers by clicking Start Approval Process in the Immuta policy builder.
Once under review, the policy will be marked as In Review and will display the approval history and progress.
3 - Review the Policy
After reviews are requested, other Data Governors and users who own affected data sources will be notified that a Global Policy is ready for their review.
- Navigate to the policy on the Policies page.
- Opt to approve the policy or request changes. Use the tabs below to view both of these options.
Approve the Policy
- Click the policy to expand the In Review window and click the dropdown button to expand the list of options.
- Click Approve, and opt to provide a comment in the modal that appears.
- Click Send Approval to confirm.
Once the configured number of users (set on the App Settings page) approves the policy, the policy moves out of review and can be promoted.
Request Changes
- Click the policy to expand the In Review window and click the dropdown menu to expand the list of options.
- Click Request Changes and provide a comment in the modal that appears.
- Click Send Request to confirm.
If changes are requested, a Data Governor must revise the Global Policy to apply the changes. Once these changes are made, the policy will need to be reviewed again by the specified number of users. Users will receive another notification that their review is required.
4 - Revise the Policy
- Navigate to Global Policy and select Edit from the dropdown menu.
- Update the policy to reflect the changes requested. In this example, the Data Governor updates the policy to mask personal identifiers by making null.
- When ready, click Start Approval Process in the Immuta policy builder.
Users will receive another notification that their review is required.
5 - Promote the Policy
System Policies Not Included in Export
System policies (such as New Column Added) will not be included in the export described below, as no changes can be made to them by users and they already exist in production instances. Once the staging or activating of these policies in development is approved, a Data Governor can stage or activate the policy in production.
Additionally, you cannot delete active system policies in the development environment.
To promote the policy, run the following command, which clones the policy and saves it in a policy folder in the path you specify. Note: If you run this command more than one time, you need to change the names of (or delete) the files that were already cloned to avoid an error; this process preserves the cloning history.

    immuta policy clone --promote ./approved-policies-folder
Once a policy is promoted, the Immuta UI displays the Promoted status.
6 - Save the Policy in Prod
To add the Global Policy to the production environment, save the policy through the Immuta CLI, specifying the name of the profile you created for the production environment in this step, the file path, and the policy name.

    immuta policy save --profile prod ./approved-policies/policy/Mask--PII.yaml

The policy will be applied to data sources in the production environment.
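
The wrapper below is an added example, not part of Immuta's documentation or CLI. It uses only the immuta policy clone --promote and immuta policy save --profile prod commands shown in steps 5 and 6; the function names, the timestamped folder layout, and the assumption that cloned files land in a policy subfolder as .yaml files are this example's own. It refuses to run while the config file holding the API keys is readable by other users, and it clones into a new folder on every run so a repeated clone never collides with files from an earlier one.

```shell
#!/bin/sh
# Added example: wraps only the two CLI commands shown on this page.
# Function names and the timestamped folder layout are hypothetical.

# Succeeds only if the CLI config (plaintext API keys) has no group/other access.
check_cfg_perms() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of `ls -l` output are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Creates a new empty folder under $1 and prints its path. Plain `mkdir`
# fails on an existing folder, so two runs can never share a target.
new_promote_dir() {
    mkdir -p "$1" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dir="$1/$stamp"
    n=0
    while ! mkdir "$dir" 2>/dev/null; do
        n=$((n + 1))
        [ "$n" -le 99 ] || return 1
        dir="$1/$stamp-$n"
    done
    printf '%s\n' "$dir"
}

# Step 5: clone approved policies from Dev into a fresh folder; prints the folder.
promote_policies() {   # usage: promote_policies BASE_DIR [CONFIG_FILE]
    cfg=${2:-$HOME/.immutacfg.yaml}
    check_cfg_perms "$cfg" || {
        echo "refusing to run: restrict $cfg first (chmod 600)" >&2
        return 1
    }
    out=$(new_promote_dir "$1") || return 1
    immuta policy clone --promote "$out" >&2 || return 1
    printf '%s\n' "$out"
}

# Step 6: save every cloned policy file to the prod profile; stop on first error.
save_to_prod() {       # usage: save_to_prod PROMOTE_DIR
    for f in "$1"/policy/*.yaml; do
        [ -f "$f" ] || { echo "no policy files in $1/policy" >&2; return 1; }
        immuta policy save --profile prod "$f" || return 1
    done
}

# Typical use after approval in Dev (review the YAML between the two calls):
#   dir=$(promote_policies ./approved-policies) && save_to_prod "$dir"
```

Keeping each run in its own folder also leaves a dated record of exactly which policy files were promoted, which can be checked into version control alongside the approval history.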
Additional Tutorials
Rescind Your Approval
Users can also rescind their approval of a policy.
- Click the policy to expand the In Review window.
- Click Undo Your Approval and opt to provide a comment in the modal that appears.
- Click Rescind to confirm.