Skip to content

Release Notes 2022

November 2022

November 22, 2022

Bug Fixes

  • Azure Synapse Analytics: If a user was granted access to about 1300 data sources, access to those tables was delayed.
  • Deleting an integration on the App Settings page and saving the configuration caused the Immuta UI to crash.

November 17, 2022

Enhancements

  • Collibra integration performance improvements.
  • Immuta's Collibra integration recognizes the implicit relationship between the Database View in Collibra and Immuta data source columns so that tags are properly applied to those columns in Immuta.
  • The Immuta V1 API /dataSource endpoint returns the remote table name so that users can get the schema and table name of a data source in one API call.

Bug Fixes

  • The data source Relationships tab only displayed up to 10 associated projects.
  • If creating the Immuta database failed in the Snowflake without Snowflake Governance Controls or Databricks SQL integration, the error returned was incorrect.
  • Removed historical schema monitoring metrics that contained database connection strings.
  • Subqueries that referenced a table that didn't exist never resolved.
  • Policies:
    • Disabling a Global conditional masking policy on a data source could sometimes disable all policies or none of the policies on the data source.
    • If users submitted a Global Policy payload to the API that was missing the subscriptionType from the actions, the Global Policies page broke when trying to display Subscription Policies.
    • Global Subscription Policies that contained the @hasTagAsAttribute variable caused errors and degraded performance.
    • Snowflake with Snowflake Governance Features: Changing a column's masking policy type resulted in errors until users manually synced the policy in Immuta.
  • Redshift:
    • Users were unable to query tables that had a policy with a Limit usage to purpose(s) <ANY PURPOSE> applied to them.
    • There were error-handling inconsistencies between the Immuta UI and the database logs.
  • Vulnerabilities:
    • CVE-2022-3517
    • CVE-2022-3602
    • CVE-2022-37616
    • CVE-2022-39353

Known Bugs

  • Editing a schema project to a database that already exists fails.

October 2022

October 19, 2022

Bug Fixes

  • Deleting a tag hierarchy deleted any tags with a like name. For example, deleting the tag department would also delete the tag department_marketing.
  • The Refresh External Tags button appeared on the Tag page even if no external catalogs were configured.
  • Users couldn't change the schema detection owners for schema projects.
  • Collibra: If multiple values were assigned to an attribute in Collibra, they were added as a single tag in Immuta. For example, if an attribute list called Color contained values Blue, Green, and Yellow, and Blue and Green were selected in Collibra, Immuta displayed the data tag as Color.Blue,Green. Instead, Immuta should have created two tags: Color.Blue and Color.Green.
  • Webhooks that were listening to setUserAuthorizations were not triggered.
  • Deleting a Data Policy did not enable the Save Policy button.
  • With Approve to Promote enabled, adding a comment to a policy did not enable the Save Policy button.

Known Bugs

  • Editing a schema project to a database that already exists fails.

September 2022

September 27, 2022

Features and Enhancements

  • Use the latest Databricks Runtime with Immuta. Databricks Runtime 11.0 is now supported in Immuta.
  • Connect Snowflake data to Immuta without providing your account credentials. Immuta supports Snowflake External OAuth as a non-password authentication mechanism when configuring the Snowflake integration or creating Snowflake data sources.

Public Preview

  • Let Immuta manage privileges on your Snowflake tables instead of manually granting table access to users. With Snowflake table grants enabled, Snowflake Administrators no longer have to manually grant table access to users; instead, Immuta manages privileges on Snowflake tables and views according to the subscription policies on the corresponding Immuta data sources.

  • Ensure that policies are adequately reviewed and approved before they are eligible for production environments. Instead of creating policies directly in production, Approve to Promote allows policy authors to create, assess, and revise policies in a policy-authoring environment. Then, the policy must be approved by a configured number of users before it is promoted to the production environment and enforced on data sources.

Deprecations and Breaking Changes

  • The undocumented deletedHandlerSubscribers attribute, which indicates a subscription policy changed, was removed from the data source notifications webhook payload. If you were depending on that attribute in your customized webhooks, that code won't work.

Bug Fixes

  • IAMs:
    • Azure Active Directory: When SCIM was enabled for Azure Active Directory, sometimes user attributes were removed from users in Immuta when they should not have been.
  • Policies:
    • Global Subscription Policies that were applied “When selected by data owners” could not be deleted when using Approve to Promote.
    • If a Global Subscription Policy was disabled for a data source, staging that Global Policy on the policies page caused the Subscription policy to change on the data source.
    • Local Policies using @columnTagged() were not properly applied to data in Databricks when the column was tagged.
  • Projects:
    • Project owners could not edit projects with approved purposes and data sources.
    • The baseline percent null values could not be adjusted for k-anonymized columns on the Expert Determination tab in projects.
  • Snowflake:
    • Instances that used the Snowflake integration without Snowflake Governance features were sometimes automatically migrated to using Snowflake Governance features when Immuta upgraded.
  • Vulnerability:
    • CVE-2022-25647
  • Tags sometimes did not update on data sources if those tags were quickly added or removed, which could cause policies to not be updated.
  • The data source page sometimes took several minutes to load if there were over 100,000 data sources registered in Immuta.
  • If a user was a member of a large number of groups (about 2,000), the UI search was sometimes slow.
  • When searching for data sources on an instance with over 30,000 data sources and tables with complex struct columns, the search could take several minutes to return or freeze the Immuta instance.
  • An Adobe Font requirement caused timeout issues in the Immuta UI.

Known Bugs

  • Editing a schema project to a database that already exists fails.

August 2022

August 17, 2022

Enhancements

  • Application Admins can enable Policy Adjustments separately from HIPAA Expert Determination on the App Settings page.

Bug Fixes

  • Snowflake Integration:
    • Schema detection caused non-date columns to be incorrectly tagged "New" for data sources that were added in bulk.
    • Migrating from a Snowflake Using Snowflake Governance Controls integration to a Snowflake Without Using Snowflake Governance Controls integration failed.
    • Enabling a Snowflake Using Snowflake Governance Controls integration using the automatic setup method failed.
  • Sensitive Data Discovery did not automatically run when users bulk created data sources.
  • If Immuta was unable to communicate with an external IAM provider because of a connection failure, groups were removed from Immuta, even if the IAM was still active.
  • When creating 100,000 tables, the data source creation job sometimes expired.
  • User Admins could not delete attributes assigned to an Immuta Accounts user.
  • After configuring SAML and OpenID IAMs, users could not initially log in.
  • In Databricks runtime 10.4, ShowPartitions commands on Delta tables failed.
  • Users were unable to edit Global policies that were not on the first page of results.
  • Automatic Subscription policies could cause out of memory issues if they added about 300 users to a data source.

Known Bugs

  • Editing a schema project to a database that already exists fails.
  • Project owners are unable to edit projects with approved purposes and data sources.

August 4, 2022

Breaking Change

  • IAM Signing Certificate Required for SAML. You are required to upload your IAM signing certificate to Immuta to add or edit SAML-based IAMs. If you are already using Immuta's SAML integration, provide a signing certificate to existing configured IAMs for them to continue working.

Bug Fixes

  • In the Snowflake Governance features integration, unmasked data was sometimes visible for a fraction of a second while data policies were being applied.
  • Databricks user impersonation did not work if backticks enclosed the username.
  • Clicking the Sync User Metadata button in the Immuta UI could queue an infinite number of profile refresh background jobs.
  • The enriched audit logs created an error if data policies did not exist on a data source.
  • The attributes type for users was inconsistent with policy attributes type in the audit logs.
  • Advanced Subscription Policies: If an advanced Subscription policy that did not contain special variables was created, customers with over 100,000 users could experience OOM issues.
  • Okta/SCIM: When adding users to Okta to sync with Immuta, TypeError: attributeValues is not iterable appeared in the logs.
  • LDAP users with parentheses in their common name caused authentication to fail when group sync was enabled.

Known Bugs

  • Editing a schema project to a database that already exists fails.
  • Project owners are unable to edit projects with approved purposes and data sources.
  • Databricks Runtime 10.4: Show partitions on delta table fails.

July 2022

July 7, 2022

New Features

  • Access background jobs with enhanced visibility. This feature allows you to access information to debug issues and identify the cause.

  • Use the latest Databricks Runtime with Immuta. Databricks Runtime 10.4 LTS is now supported in Immuta.

  • Prove compliance with Databricks audit trails that include denial events. When Immuta users query Databricks tables that have been registered in Immuta, the query audit logs will include denial events and the policies associated with the decision. Such audit trails are required by some information security teams to prove compliance with secure data access.

Private Preview

  • Snowflake:

    • Share policy-protected data in Snowflake with other Snowflake accounts using Snowflake Data Sharing. This integration allows you to author policies in Immuta and protect data shared with other Snowflake accounts in real time. For example, if a pharmaceutical company needed to share trial results outside their Snowflake account and needed to protect PHI, they could share that data outside their account and still have Immuta policies enforced.

Removed Features

Removed features are no longer available in the product.

Feature Deprecation Notice End of Life (EOL)
Advanced Rules DSL for Data Policies 2022.1.0 2022.2
Differential Privacy 2022.1.0 2022.2
The Custom / External Policy Handler 2022.1.0 2022.2
Policy export/import 2021.4 2022.2

Alternative Solutions

Bug Fixes

  • Creating a policy using the Advanced DSL Data policy builder in the view-based Snowflake integration sometimes caused errors.
  • When a user's entitlements changed, Immuta did not properly send notification to the integration to GRANT or REVOKE access to tables in the remote system.
  • Entering a single quotation mark in the search bar sometimes caused an error.
  • After an Alation or Collibra catalog were configured, new data sources were not linked to the catalogs automatically.
  • Logging in to Immuta after being logged out due to inactivity sometimes displayed a blank page.
  • Local policies sometimes appeared on the Global policies page.
  • Activity panel covered the policy builder when long SQL statements were entered for conditional policies.
  • Clicking the Policies icon in the left sidebar while editing a Subscription policy displayed an empty Data Policy Builder instead of the Policies page.
  • When configuring an External REST Catalog, users could not click the Test Connection button if the No Authentication option was selected.
  • The Immuta login page did not display for some older browser versions of Edge.

Known Bugs

  • LDAP users with parentheses in CN cause authentication to fail if group sync is enabled.
  • Databricks Runtime 10.4: Show partitions on delta table fails.

June 2022

June 9, 2022

Enhancements

  • The visual styles in the application have been updated.
  • Users can add multiple alternative owners to data sources at once.
  • Users can now specify column tags instead of just data source tags with the @hasTagAsAttribute Enhanced Subscription Policy variable.

Feature Removal

  • Policy Import/Export

Bug Fixes

  • When attributes were added to groups that affected an Automatic Subscription policy, users were added or removed from the data source(s) appropriately, but these changes were not audited.
  • Deleting the last values or all values from user or group attributes caused errors when processing Automatic Subscription policies.
  • Local policies that were created or updated sometimes displayed on the Global Policy page.
  • Writing a Global ABAC Subscription policy using @username in the Advanced DSL builder did not subscribe the user to the data source.
  • Changing a Global Allow Individually Selected Users Subscription policy back to a Global ABAC policy that used special functions caused an error: Error: "actions[0].exceptions.conditions[0]" does not match any of the allowed types.
  • If a policy was added through the Immuta CLI, editing that policy in the Immuta UI sometimes caused an error.
  • After being added to a data source through an Automatic Subscription policy, users sometimes encountered an error when making unmasking requests.
  • Creating a Global conditional masking policy in the Advanced DSL builder that used @iam or @username caused an error when the policy was applied to a data source.
  • Redshift:
    • Regex masking policies that used metacharacters with backslashes (\d, \s, etc.) did not mask columns.
    • Users' metadata was not updated in the integration if their usernames contained apostrophes.

May 2022

May 11, 2022

New Features

  • Enhanced Subscription Policy Variables (Public Preview): This feature empowers users to write fewer, simpler ABAC (Users with Specific Groups/Attributes) policies. Previously, policy writers had to specify user attribute keys in separate policies to grant access. With Enhanced Subscription Policy Variables, Immuta's policy engine compares user attributes with data source properties (database, host, schema, table, or tag) in a single policy to determine if there is a match. When attribute keys match the property specified, users will be able to subscribe to the data source(s).

  • Snowflake Table Grants: With this feature enabled with the Snowflake with Governance Controls integration, Snowflake Administrators no longer have to manually grant table access to users; instead, Immuta manages privileges on Snowflake tables and views according to the subscription policies on the corresponding Immuta data sources.

Improvements

  • Improved performance of auto-subscription policies.

Bug Fixes

  • If an SSL CA cert was used when setting up an LDAP IAM, clicking the Test LDAP Sync button resulted in an error.
  • Tags were removed from data sources if they were applied after data source creation and before the external catalog health check (which is triggered by navigating to the data source). However, tags applied to a data source during creation remained on the data source.
  • Group permissions were not considered when users attempted to create data sources or Global Policies. For example, if a user was a member of a group that had the GOVERNANCE permission assigned to it, that user was not inheriting the GOVERNANCE permission. Consequently, when that user tried to apply a Global Policy to a data source, they received an error. However, if a user had the GOVERNANCE permissions applied to their account directly, they were able to create a Global Policy. This same behavior occurred with the CREATE_DATA_SOURCE permission.
  • Creating an Immuta data source from a Databricks view that contained an implicit column alias failed.

Known Bugs

  • Editing a schema project to a database that already exists fails.
  • The App Settings page freezes when a user selects Migrate Users from BIM when configuring an external IAM.
  • An auto-subscription policy that adds more than 64,000 users to a data source can cause errors in the logs and impact subscription reports.
  • Integration jobs can end up in an expired state, even if they successfully are processed, under certain load conditions.

March 2022

March 31, 2022

  • Edit Configuration for Integrations: Users can edit the configuration for Azure Synapse, Databricks SQL, Redshift, and Snowflake without disabling the integration.
  • Manual Approvals in ABAC Global Subscription Policies: Governors can now add an approval workflow as an alternative method of access to data sources if a user does not meet the conditions of the Users with Specific Groups/Attributes (ABAC) Global Subscription Policy.

    Upgrade Notes

    • Before this release, if someone was manually added by an owner or Governor and didn’t meet the ABAC policy requirements, they could query the table, but no rows would come back because they didn’t have the groups or attributes specified in the policy. Now, manually adding users overrides the ABAC policy. Therefore, any users who had been manually subscribed to a data source but could not see any data will see data after this upgrade. You can prevent this behavior by either switching the Subscription policy to auto-subscribe (which removes users who don't meet the Subscription policy) or adding a Data Policy that redacts rows for users who do not have the groups or attributes specified in the Subscription policy.

    • If users have existing Global Subscription policies that were combined, those will not change on the data source after the upgrade. However, the Require Manual Subscription option will automatically be enabled on those existing policies, so users who meet the conditions of the policy will not be automatically subscribed.

  • Sensitive Data Discovery Global Template and Default Sample Size UI (Public Preview): Users can adjust these configurations on the App Settings page.

    Upgrade Note

    If users already had a Global Template or default sample size configured in the Advanced Configuration section, these configurations will migrate to the new Sensitive Data Discovery section on the App Settings page when they upgrade their Immuta instance.

  • Starburst Integration: Through this integration, Immuta applies policies directly in Starburst so that users can keep their existing tools and workflows (querying, reporting, etc.) and have per-user policies dynamically applied at query time.

  • Support for PrivateLink with Snowflake on AWS: Contact Immuta to enable this feature.

Bug Fixes

  • "Active" tags on merged Share Responsibility Global policies did not show the active number of data sources they were enforced on.
  • The configuration section for Native Workspaces could break if a native handler was not enabled.
  • Databricks:

    • If a table in Databricks had been created from an AVRO schema file, queries against the table on Immuta-enabled clusters only returned results for partition columns. Additionally, trying to create tables from an AVRO schema file on Immuta-enabled clusters returned an error: "Unable to infer the schema."
    • Fixed Databricks init script error handling when artifacts weren't downloading correctly.
    • Errors occurred when using mlflow.spark.log_model on non-Machine Learning clusters.
  • Because Immuta's built-in identity manager (BIM) is not enabled in SaaS, the App Settings page froze when a user selected Migrate Users when configuring an external IAM.

  • Redshift integration performance issues related to Python UDF concurrency capabilities.

  • Snowflake:

    • When enabling a native Snowflake integration with an external catalog, if the host had multiple periods in the account the Snowflake plugin was invalid.
    • When users tried to edit the Excepted Roles/Users List for the integration, the configuration saved correctly. However, when the App Settings page refreshed, the Excepted Roles/Users List was empty and the allow list in Snowflake was not updated.
    • When a user's group was deleted in an external IAM, that update appeared in Immuta but was not syncing properly in Snowflake.
    • When using Snowflake native controls with Excepted Roles specified, if users tried to do an outer join using a column that had a masking policy applied, it resulted in an error: SQL compilation error: Invalid expression [] in VALUES clause.

Known Bugs

  • Editing a schema project to a database that already exists fails.
  • Project owners are unable to edit projects with approved purposes and data sources.

March 14, 2022

  • Disable Query Engine: Application Admins can disable the Query Engine on the App Settings page.
  • New Immuta UI: Although the most significant change is the adjustment to the visual styles in the application, other UI changes include an expandable left navigation and dark mode support.
  • Support for AWS-Sydney.

Databricks Integration Note

  • Databricks Init Script: To use the updated Immuta init script and cluster policies, existing SaaS users must update their Databricks cluster configuration following this Manually Update Your Databricks Cluster guide.

Bug Fixes

  • Databricks:
    • Views: Although users could create views in Databricks from Immuta data sources they were subscribed to, when users tried to select from those views, they received an error saying that the Immuta data source the view was created against did not exist or that they did not have access to it.
    • External Delta Tables: Querying an external Delta table that had been added as an Immuta data source as a non-admin resulted in a NoSuchDataSourceException error if the table path had a space in it.
    • Sensitive Data Discovery failed for Databricks data sources when initiated in the UI if the cluster was configured to use ephemeral overrides.
    • The integration did not work with the Databricks Runtime 9.1 maintenance update.
  • Ephemeral Overrides:
    • The UI was not displaying the checkbox to apply the ephemeral override to multiple data sources.
    • Ephemeral overrides were not being used when calculating column detection.
  • Out of memory errors occurred when several actions or jobs ran simultaneously, such as
    • Bulk disabling data sources
    • Bulk creating data sources
    • Column detection
    • Schema detection
  • Sensitive Data Discovery: Users could not configure sampleSize to override the default number of records sampled from a data source.
  • Snowflake Governance Features Integration: When a data source existed in Immuta but not in Snowflake and a user tried to refresh the native policies, Immuta continuously retried to update the policies and then failed with the following error: Execution error in store procedure UPSERT_POLICIES: SQL compilation error: Table does not exist or not authorized.
  • Vulnerabilities
    • CVE-2022-0355: Information Exposure in simple-get
    • CVE-2022-0235: Information Exposure in node-fetch
    • CVE-2022-0155: Information Exposure in follow-redirects
    • CVE-2021-3807: Regular Expression Denial of Service (ReDoS) in ansi-regex
    • CWE-451: User Interface (UI) Misrepresentation of Critical Information in swagger-ui-dist

Known Bugs

  • Databricks: Errors occur when using mlflow.spark.log_model on non-Machine Learning clusters.
  • Editing a schema project to a database that already exists fails.
  • Because Immuta's built-in identity manager (BIM) is not enabled in SaaS, the App Settings page freezes when a user selects Migrate Users when configuring an external IAM.