Author Policy How-to Guide
Authoring global subscription policies to automate access controls involves using the data metadata and user metadata in Immuta to identify the data that should be governed and the users the policy should target.
This how-to guide demonstrates how to author a global subscription policy in Immuta to automate access decisions.
For detailed explanations and examples of how to author subscription policies, see the Author policy guide.
Requirements
Immuta permission: GOVERNANCE global permission, Manage Policies domain permission, or own the data source
Prerequisites
Understand your metadata
How you author policies is dictated by how your user and data metadata is organized to grant access:
Fact-based (ABAC): Many variables determine access, and data sources are tagged at the column and table level.
Logic-based (orchestrated RBAC): A single variable determines access, and data sources are tagged at the table level. With orchestrated RBAC you have established one-to-one relationships with how your users are tagged (attribute or group) and what that single tag explicitly gives them access to.
Author a subscription policy
ABAC policy authoring
Determine why someone should be given access to data. For example, let’s say that to have access to Strictly Confidential, you have determined that someone should be
- an employee (not contractor)
- in the US
- part of the Legal team
Build individual subscription policies for each piece of logic associated with why someone should have access. Examples are provided below.
Example policy 1: employee access
Author a subscription policy that grants read access to users who are a member of group Employees that applies to columns tagged Strictly Confidential:
Allow users to subscribe with read access when user is a member of group Employees on data sources with columns tagged Strictly Confidential.
Example policy 2: country access
Author a subscription policy that grants read access to users with attribute Country.US that applies to columns tagged Strictly Confidential:
Allow users to subscribe with read access when user possesses attribute Country with value US on data sources with columns tagged Strictly Confidential.
Example policy 3: legal team access
Author a subscription policy that grants read access to users who are a member of group Legal Team that applies to columns tagged Strictly Confidential:
Allow users to subscribe with read access when user is a member of group Legal Team on data sources with columns tagged Strictly Confidential.
Orchestrated RBAC policy authoring
Determine how user metadata and data metadata is organized. What variable determines access?
Build grant subscription policies using special functions in the advanced DSL builder to target tables. Since orchestrated RBAC is all about one-to-one matching of user metadata to data metadata, use the special functions in the subscription policy builder for managing this:
@hasTagAsAttribute('Attribute Name', 'dataSource' | 'column')
@hasTagAsGroup('dataSource' | 'column')
Example
Let’s say there are Strictly Confidential tables and Public tables. Everyone has access to Public, and only special people have access to Strictly Confidential.
Users are tagged with their access under the Access attribute key:
Bob: Access: Strictly Confidential
Steve: Access: Public
Tables are also tagged with the same metadata:
Table 1: Strictly Confidential
Table 2: Public
You would build a grant subscription policy that targets all tables like this:
Allow users to subscribe with read access when @hasTagAsAttribute('Access', 'dataSource') on all data sources.
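To make the one-to-one matching concrete, here is an added Python model of how @hasTagAsAttribute and @hasTagAsGroup can be evaluated against the Bob/Steve example above. It is illustration code, not Immuta's implementation; the function names, the rule that any one matching value grants access, and the way 'dataSource' versus 'column' selects the compared tag set are assumptions.

```python
# Added illustration of @hasTagAsAttribute / @hasTagAsGroup one-to-one matching;
# not Immuta's own code. Assumptions: an attribute key holds a list of values,
# any one value equal to a tag grants access, and 'dataSource' vs 'column'
# picks which tag set on the data source is compared.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    attributes: dict[str, list[str]] = field(default_factory=dict)
    groups: list[str] = field(default_factory=list)

@dataclass
class DataSource:
    name: str
    tags: set[str] = field(default_factory=set)  # table-level tags
    column_tags: dict[str, set[str]] = field(default_factory=dict)  # column -> tags

def _tags_in_scope(ds: DataSource, scope: str) -> set[str]:
    if scope == "dataSource":
        return set(ds.tags)
    if scope == "column":
        return set().union(*ds.column_tags.values())
    raise ValueError(f"scope must be 'dataSource' or 'column', got {scope!r}")

def has_tag_as_attribute(user: User, ds: DataSource, attr_key: str, scope: str) -> bool:
    """@hasTagAsAttribute('attr_key', scope): a user value under attr_key equals a tag in scope."""
    return bool(set(user.attributes.get(attr_key, [])) & _tags_in_scope(ds, scope))

def has_tag_as_group(user: User, ds: DataSource, scope: str) -> bool:
    """@hasTagAsGroup(scope): one of the user's group names equals a tag in scope."""
    return bool(set(user.groups) & _tags_in_scope(ds, scope))

def can_subscribe(user: User, ds: DataSource) -> bool:
    """The guide's policy: read access when @hasTagAsAttribute('Access', 'dataSource')."""
    return has_tag_as_attribute(user, ds, "Access", "dataSource")

# Constructed sample data mirroring the guide's Bob/Steve and Table 1/Table 2.
BOB = User("Bob", {"Access": ["Strictly Confidential"]})
STEVE = User("Steve", {"Access": ["Public"]})
TABLE_1 = DataSource("Table 1", {"Strictly Confidential"})
TABLE_2 = DataSource("Table 2", {"Public"})

if __name__ == "__main__":
    for u in (BOB, STEVE):
        for t in (TABLE_1, TABLE_2):
            print(f"{u.name} -> {t.name}: {'subscribe' if can_subscribe(u, t) else 'denied'}")
```

Note that the policy as written only matches a user's Access values to table tags; a user who should see both Public and Strictly Confidential tables needs both values under the Access key.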
Next steps
Learn
Explore this use case to learn more about using Immuta to mask sensitive data.
Compliantly open more sensitive data for ML and analytics: This section focuses on how to safely and compliantly open more sensitive data for your organization to support machine learning and analytics needs.
Implement
Follow these guides to test your policies and use Immuta to enforce fine-grained access controls.
Optionally, test and deploy the policy.