Governance Use Cases

Select your use case

Immuta allows you to secure your data through various access control policies you configure.

The guides throughout this section discuss organizing and managing data and user metadata to enforce access controls, focusing specifically on the Immuta features highlighted in the image below:

You will learn about each of these features, how they interact, and how to use them within your data ecosystem to effectively govern your data and meet your business objectives. The illustration above shows the relationships among the major features and components of Immuta.

Choose your path: orchestrated RBAC or ABAC

Before selecting a use case, you need to decide which access control category you fall into. This decision drives how you will manage user metadata, data metadata, and policies, so it is a critical one.

Is access determined by a single variable with no overlap?

Orchestrated RBAC: one-to-one

This method is for organizations whose access decision typically depends on a single variable:

If you have x, you have access to everything tagged y.

Furthermore, the access decision for objects tagged y never strays beyond x. In other words, there is only ever one way to get access to objects tagged y: a 1:1 relationship. A good real-world example of orchestrated RBAC is

You must have signed data use agreement x to have access to data y.

Is access determined by many variables?

ABAC: many-to-many

This method is for organizations that may have many differing x’s for access to objects y. Furthermore, x and y may actually be many different variables, such as

If you have a, b, and c you get access to objects tagged x, y, and z.

or

If you have d, you get access to objects tagged x.

Notice in this example that access to objects tagged x can happen through different decisions.

ABAC is also important when you have federated governance in play, where many different people are making policy logic decisions and that logic may stack on the same objects. A good real-world example of ABAC is

You must reside in the US and be a full-time employee to see data tagged US and Highly Sensitive.

If you are not sure which category you fall into, you should strive for ABAC. While it may seem more complicated to get started, in the long run it will provide you with powerful flexibility and scalability in policy management. In this method, you tag your users and data with facts and prescribe policies that leverage those facts to make real-time decisions. ABAC supports both use cases below.

Orchestrated RBAC puts more strain on managing access decisions outside of your access logic (Immuta), because every access decision must be collapsed into a single attribute on the user. Because of this, it more closely resembles the role explosion problem, and if you select this path when your decisions actually depend on several variables, you will end up there over time. Orchestrated RBAC is tag-orchestrated RBAC and is supported by Immuta (in fact, many organizations stick to it because of the benefits of tag orchestration). Orchestrated RBAC can be used in the automate data access control decisions use case below.
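The following is an added example, not Immuta's code, that models the two paths above as a small policy evaluator: the 1:1 mapping of orchestrated RBAC beside ABAC policies that stack on the same tagged objects. The attribute names, tag names and policy names are constructed sample values.

```python
# Added example (not Immuta's code). User attributes and data tags are
# constructed sample values; policy names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """ABAC rule: a user holding ALL attributes in `required` may see objects
    carrying any of the tags in `grants`."""
    name: str
    required: frozenset
    grants: frozenset


# Orchestrated RBAC, 1:1: one user attribute unlocks exactly one data tag.
RBAC_MAP = {"signed_dua_x": "data_y"}

# ABAC, many-to-many: independently authored policies. Two of them grant
# tag "x", so access to "x" can arise from different decisions (they stack).
ABAC_POLICIES = [
    Policy("abc_policy", frozenset({"a", "b", "c"}), frozenset({"x", "y", "z"})),
    Policy("d_policy", frozenset({"d"}), frozenset({"x"})),
    Policy("us_hs_policy", frozenset({"country:US", "employment:full_time"}),
           frozenset({"US", "Highly Sensitive"})),
]


def rbac_allows(user_attrs, object_tags):
    """1:1 model: every tag on the object must be unlocked by the single
    attribute mapped to it. A new tag combination needs a new attribute."""
    unlocked = {RBAC_MAP[a] for a in user_attrs if a in RBAC_MAP}
    return set(object_tags) <= unlocked


def abac_allows(user_attrs, object_tags, policies=ABAC_POLICIES):
    """Many-to-many model: a tag is covered if ANY satisfied policy grants it,
    and the object is visible only when all of its tags are covered."""
    user = frozenset(user_attrs)
    granted = set()
    for policy in policies:
        if policy.required <= user:
            granted |= policy.grants
    return set(object_tags) <= granted


def abac_reasons(user_attrs, object_tags, policies=ABAC_POLICIES):
    """Names of the satisfied policies that contributed to the decision,
    the kind of trace an auditor wants when several policies stack."""
    user = frozenset(user_attrs)
    return [p.name for p in policies
            if p.required <= user and p.grants & set(object_tags)]
```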

Use cases

Immuta allows you to build complex access control policies in a simple, scalable manner. However, there are many different ways organizations think about access control. Because of this, following one of the common use cases below can speed up your onboarding process. Choose the use case below that best fits your goals. If no use case fits, contact your Immuta representative for a more personalized onboarding experience:

  • Automate data access control decisions: This is the most common use case. It walks you through how to build table access control policies in a scalable manner and clarifies how to think about table access and adjust existing paradigms. ABAC and orchestrated RBAC are supported in this use case.

  • Compliantly open more sensitive data for ML and analytics: This is an approach where every user has access to every table, yet you mask the sensitive columns appropriately using data policies. You can apply some of the concepts from the automate data access control decisions use case to how you think about masking policy rules. Immuta recommends using ABAC for this use case.
