Protecting Data

When a subscription policy is applied to a Teradata data source, Immuta administers Teradata privileges on the view that is registered in Immuta. Then, Immuta users who have been granted access to the view can query it with policies enforced.

The sequence diagram below outlines the events that occur when an Immuta user who is subscribed to a data source queries it in Teradata.

Registering a connection

Teradata is configured and data is registered through connections, an Immuta feature that allows administrators to register data objects in a technology through a single connection to make data registration more scalable for your organization.

Once the Teradata connection is registered, you can author subscription and data policies in Immuta to enforce access controls.

See the Teradata integration reference guide for more details about registering a connection.

Protecting data

Subscription policies

After views are registered in Immuta, you can author subscription policies in Immuta to enforce access controls.

When a subscription policy is applied to a data source, users who meet the conditions of the policy will be automatically subscribed to the data source. Then, Immuta issues a SQL statement in Teradata that grants the SELECT privilege to users on those views.

Consider the following example that illustrates how Immuta enforces a subscription policy that only allows users in the analysts group to access the yellow-view. When this policy is authored and applied to the data source, Immuta issues a SQL statement in Teradata that grants the SELECT privilege on yellow-view to users (registered in Immuta) that are part of the analysts group.

In the image above, the user in the analysts group accesses yellow-view, while the user who is a part of the research group is denied access. See the Author a subscription policy page for guidance on applying a subscription policy to a data source. See the Subscription policy access types page for details about the subscription policy types supported and Teradata privileges Immuta grants on views registered as Immuta data sources.

Data policies

After views are registered in Immuta, you can author data policies in Immuta to enforce access controls.

When a data policy is first applied to a data source, Immuta copies the original view definition into an Immuta-managed immuta_views database to preserve it. Then, Immuta replaces the original view with a new Immuta-managed view definition with the same name and uses that new view to enforce data policies. As data policies are created, updated, or removed, Immuta dynamically updates the view definition so that users querying the view see policy-enforced results.

In the case where both a data and a subscription policy apply, Immuta ensures data policies are enforced before users are granted access to the views.

See the Data policies page for guidance on authoring data policies in Immuta. See the Teradata integration reference guide for details about supported data policies.