Protecting Data

In the Amazon Redshift integration, Immuta administers Amazon Redshift privileges on data registered in Immuta. Then, Immuta users who have been granted access to the data sources can query them.

The sequence diagram below outlines the events that occur when an Immuta user who is subscribed to a data source queries it in Amazon Redshift.

Registering a connection

The Amazon Redshift integration is configured, and data is registered, through connections. Connections are an Immuta feature that lets administrators register the data objects in a technology through a single connection, which makes data registration more scalable for your organization.

Once the Amazon Redshift connection is registered, you can author subscription and data policies in Immuta to enforce access controls.

See the Amazon Redshift integration reference guide for more details about registering a connection.

Protecting data

After data is registered in Immuta, you can author subscription and data policies in Immuta to enforce access controls.

When a subscription policy is applied to a data source, users who meet the conditions of the policy will be automatically subscribed to the data source. Immuta creates roles for those users (if an Immuta-generated role for them does not already exist) and grants Amazon Redshift privileges to that role. Once a data policy is applied to a data source, Immuta generates a masking or row-level policy in Amazon Redshift and attaches that policy to the data object it applies to.

Consider the following example that illustrates how Immuta enforces a subscription policy that only allows users in the analysts group to access the yellow-table. When this policy is authored and applied to the data source, Immuta issues a SQL statement in Amazon Redshift that grants the SELECT privilege on yellow-table to users registered in Immuta that are part of the analysts group.

In the image above, the user in the analysts group accesses yellow-table, while the user who is a part of the research group is denied access.

See the Subscription policies page or the Data policies page for guidance on applying policies to a data source. See the Amazon Redshift integration page for details about the supported policy types.
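The analysts example above can be written out as native Amazon Redshift statements, followed by two catalog queries that check the resulting grants. This is an added illustration, not Immuta's own code or the statements Immuta actually issues. The role name example_immuta_analysts, the users analyst_user and research_user, and the public schema are hypothetical.

```sql
-- Added illustration of the analysts / yellow-table example in native Redshift SQL.
-- Hypothetical names: role example_immuta_analysts, users analyst_user and
-- research_user, schema public. Immuta's generated role names and exact
-- statements may differ.

-- 1. A role for subscribed users (needed only if one does not already exist).
CREATE ROLE example_immuta_analysts;

-- 2. The privilege is granted to the role rather than to each user.
--    The hyphen in the table name requires a double-quoted identifier.
GRANT SELECT ON TABLE public."yellow-table" TO ROLE example_immuta_analysts;

-- 3. Only the user who meets the policy condition receives the role.
GRANT ROLE example_immuta_analysts TO analyst_user;
-- research_user receives neither the role nor a direct grant, so a SELECT
-- on the table by that user fails with a permission error.

-- Audit 1: every identity (user, role or group) holding a privilege on the table.
SELECT identity_type, identity_name, privilege_type
FROM svv_relation_privileges
WHERE namespace_name = 'public'
  AND relation_name  = 'yellow-table'
ORDER BY identity_type, identity_name;

-- Audit 2: which users currently hold the role that carries the SELECT grant.
SELECT user_name, role_name
FROM svv_user_grants
WHERE role_name = 'example_immuta_analysts';
```

In the first audit query, a row for any identity other than the expected role points to a grant made outside the policy and is worth reviewing.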
