Release Notes 2023
May
May 31, 2023
Enhancement
Filter the data sources overview dashboard by data platform type (Databricks or Snowflake).
Bug Fixes
- Fix to address the following OpenID Connect login error: `type error: cb is not a function uncaught exception detected`.
- Users could not save their SAML configuration on the app settings page after enabling SAML single log out and received the following error: `options.allowIdPInitiatedSLO is not allowed`.
May 25, 2023
New Feature
SAML single log out: Minimize security risks by enabling SAML single log out, which terminates abandoned sessions after a timeout event occurs or after a user logs out of Immuta, their identity provider, or another application.
Bug Fix
Fix to address an issue that caused sensitive data discovery to run on data sources added by schema detection, even if sensitive data discovery was disabled.
May 22, 2023
New Feature
Databricks metastore magic: Migrate your data from the Databricks legacy Hive metastore to the Unity Catalog metastore while protecting data and maintaining your current processes in a single Immuta instance.
Bug Fixes
- The Redshift integration did not properly create views for tables that included column names with special characters. When users queried those views, they received `column doesn't exist` errors.
- When configuring Snowflake object tag ingestion, the connection failed if the host provided was a Snowflake PrivateLink URL.
- Vulnerability: CVE-2023-32314
May 11, 2023
Bug Fix
Fix to address a race condition that prevented job clusters from starting properly on Databricks runtimes 9.1 and 10.4.
May 4, 2023
Enhancements
- New tag side sheet: Tag experience has been improved with the addition of tag side sheets, which provide contextual information about tags and can be accessed wherever tags are applied.
- An additional 20 UAM audit events are captured and can now be exported to S3. See the full list of supported events on the Unified audit model page.
May 1, 2023
Enhancement
The audit Events page will now show multiple targets for queries that join tables.
Bug Fixes
- Running an external catalog sync did not trigger policy updates when only table tags had changed. If users only added or removed table tags, global policy updates were not applied to data sources.
- The data source activity monitoring charts for Snowflake showed the largest value for each data point on the chart rather than the sum of the values.
April
April 27, 2023
Enhancements
- Data source and user activity monitoring for Snowflake are now public preview and can be used without classification enabled. Immuta users with Snowflake data sources can use these features to view visualizations of the audit information with no configuration.
- Data source and user activity monitoring dashboards can now be filtered by Snowflake database or Snowflake schema.
Bug Fixes
- Snowflake connection validation failed if users created a custom system account role name.
- The data source overview and person overview queries charts were identical to the data overview queries chart, no matter what data source or person was selected.
- A backend query was modified to improve the response time of the data source and user activity monitoring dashboards.
Deprecation
Deprecated items remain in the product with minimal support until their end of life date.
Support for the interpolated comparison WHERE clause function has been deprecated.
April 20, 2023
This deployment addresses a SAML login issue discovered in the original deployment on April 17. Consequently, the April 17 release notes entry has been replaced with the content below.
New Features and Enhancements
- Snowflake integration using Snowflake governance features: Users can create conditional masking, minimization, WHERE clause, and time-based restriction policies that use masked columns as input.
Bug Fixes
- The enhanced subscription policy variable `@hasTagAsAttribute` did not unsubscribe users with that attribute from the data source when a matching column tag was removed.
- Snowflake table grants did not properly update user subscriptions to data sources if their group in Immuta was renamed and the group name was used in an automatic subscription policy.
- Vulnerabilities:
CVE-2023-0842
CVE-2023-29199
April 13, 2023
Enhancements
- Data source and user activity monitoring dashboards can now be filtered by Snowflake cluster, warehouse, and role.
- Performance improvements to the data source monitoring for Snowflake overview dashboard.
Bug Fixes
- Users could not include duplicate tags in a single row-level policy when using the policy builder.
- When configuring an external REST catalog, testing the data source link timed out after three seconds, and users received a `failed to retrieve data` error.
- Vulnerabilities:
CVE-2023-0842
CVE-2023-29017
April 5, 2023
Enhancement
Tag enhancements are generally available and update various components of the UI.
Bug Fix
Snowflake integration: If a group's access was revoked from a data source in Immuta (manually or through a policy), table grants did not issue revokes in Snowflake for members of the group that lost its subscription status, allowing them to still access that data. However, if low row access policy mode for Snowflake was disabled, all the rows in the data source were appropriately hidden.
March
March 30, 2023
Bug Fixes
- Snowflake external catalog tags were not synced or pulled into Immuta.
- Users could not enable column detection if they had not made all columns visible in the data source during data source creation.
March 27, 2023
Enhancements
- Data source and user activity monitoring dashboards will persist the date range selected for all dashboards in that user's session. Once the user logs out, the date range will return to the default.
Bug Fixes
- When using SCIM to sync an identity manager with Immuta, removing a user from a group in the identity manager did not remove the user from that group in the remote database in the following integrations:
  - Snowflake
  - Redshift
  - Synapse
  This issue could allow that user to retain access to data if they were removed from a group that was granted access by a policy.
- If an Advanced DSL policy used the `@columnsTagged` function and the policy had multiple conditions, all users were restricted from seeing data.
- Unity Catalog clusters: A breaking change in Databricks caused a `wrong number of arguments` error when users ran Unity Catalog queries.
- When Databricks query plans for tables registered in Immuta were too large, Immuta could not process the audit record.
- Vulnerabilities:
CVE-2023-24807
CVE-2023-28154
March 23, 2023
Features and Enhancements
- Block a set of Immuta's custom user-defined functions (UDFs) from being used on your Databricks Spark clusters. Blocking use of these functions allows you to restrict users from changing projects within a session.
- Left navigation UI enhancement. The left navigation includes two tiers and reorganizes several pages:
- Data includes the data sources and projects pages.
- People includes the admin page.
- Policies includes the subscription policies and data policies pages.
- Support for Databricks Runtime 11.3 LTS.
Bug Fix
- Vulnerability: CVE-2022-23529
March 16, 2023
Enhancements
- The number of months for historical ingestion of data source and user activity monitoring for Snowflake can be configured from the app settings page.
- A single query for multiple data sources will result in a single Snowflake Unified Audit Model (UAM) event and appear as one event on the Events page.
- The date range filter for data source and user activity monitoring dashboards now supports custom time ranges.
- When executing the Immuta Data Security Framework, the status of the classification job for individual data sources can now be found in the data source health dropdown. The options include the following:
- Classification complete: Classification has run on the data source and applied the appropriate classification tags.
- Classification pending: A framework has been created, activated, or updated and will run on the data source.
- Classification is not applicable: The data source is not affected by classification.
Bug Fixes
- The Databricks Spark integration sometimes provided an incomplete list of databases in the Data Explorer UI or in Databricks clusters after running `SHOW DATABASES`.
- Under rare circumstances, a global data policy using a tag failed to apply to some data sources.
- User accounts created with IAM integrations using the SAML 2.0 protocol before SCIM was enabled were not updated by SCIM provisioning after SCIM was enabled.
- With data source and user activity monitoring for Snowflake enabled, users without AUDIT permission were brought to an empty overview dashboard when logging in.
Removed Feature
Users can no longer register multiple data sources that reference the same underlying table in their remote data platform. Existing duplicate data sources that point to the same remote table will not be affected by this change; this feature removal only applies to data source creation.
March 3, 2023
Fix to repair the impact of a recent Databricks Data Explorer change that issues the `use catalog hive_metastore` command on Databricks runtimes older than Databricks runtime 11.x. The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
February
February 23, 2023
Features and Enhancements
- The Default subscription policy option allows you to choose whether or not a subscription policy will automatically restrict access to tables when they are registered as Immuta data sources. By default, Immuta does not apply a subscription policy on data you register (unless an existing global policy applies to it) so that you can preserve policies applied by your underlying data platform on those tables, leaving existing access controls and workflows intact.
- Snowflake low row access policy mode improves query performance in Immuta's Snowflake integration by decreasing the number of Snowflake row access policies Immuta creates.
- With data source and user activity monitoring for Snowflake enabled, the Audit tab on the navigation menu defaults to the Events page.
- Classification for query sensitivity is now dynamic. For a query that joins tables, Immuta uses the same classification rules applied to tables and applies those rules to columns of the query. Immuta applies a new set of classification tags to the query columns and calculates sensitivity for the query event in the audit record. These query classification tags are not included on the tables' data dictionary.
Bug Fixes
- When applying a global subscription policy that uses the `@hasTagAsGroup` or `@hasTagAsAttribute` enhanced subscription policy variable (for example, "Allow users to subscribe when `@hasTagAsAttribute('AllowedAccess', 'dataSource')` on all data sources") to a data source, user access was restricted as expected; however, if the data source tag changed through the Immuta V2 API, access wasn't changed, which could potentially allow users to see data that they shouldn't. Additionally, access wasn't changed if the policy was removed.
- Users could not save configuration changes if they enabled Snowflake table grants after creating the integration.
- Users could not save configuration changes if they edited an existing Snowflake integration.
- Detect pages with over ten thousand (10,000) results failed with an error. A notification now states that only ten thousand (10,000) of the results are available and recommends refining the page by filter or search.
- Vulnerabilities:
CVE-2022-32149
CVE-2022-23491
February 7, 2023
Bug Fixes
- When applying a global subscription policy that uses the `@hasTagAsGroup` or `@hasTagAsAttribute` enhanced subscription policy variable (for example, "Allow users to subscribe when `@hasTagAsAttribute('AllowedAccess', 'dataSource')` on all data sources") to a data source, user access was restricted as expected; however, if the data source tag changed, access wasn't changed, which could potentially allow users to see data that they shouldn't. Additionally, access wasn't changed if the policy was removed.
- Users were able to query system tables in the query editor by using some specific Postgres functions.
Breaking Change
Users can no longer set `schema` to `null` when bulk updating data sources using the `api/v2/data` endpoint.
January
January 26, 2023
Features
- Snowflake table grants is generally available. Let Immuta manage privileges on your Snowflake tables instead of manually granting table access to users. With Snowflake table grants enabled, Snowflake Administrators don't have to manually grant table access to users; instead, Immuta manages privileges on Snowflake tables and views according to the subscription policies on the corresponding Immuta data sources.
- Starburst Integration v2.0: Immuta’s Starburst integration v2.0 allows you to access policy-protected data directly in your Starburst catalogs without rewriting queries or changing your workflows. Instead of generating policy-enforced views and adding them to an Immuta catalog that users have to query (like in the legacy Starburst integration), Immuta policies are translated into Starburst rules and permissions and applied directly to tables within users’ existing catalogs.
Private Preview Release
- Immuta Detect is released for private preview. Detect is a tool that monitors your data environment and provides analytic dashboards in the Immuta UI based on audit information of your data use.
Deprecated Feature
Deprecated items remain in the product with minimal support until they are removed from the product.
- External Masking
January 23, 2023
Bug Fixes
- Snowflake, Redshift, and Azure Synapse integrations:
  - If a combined global subscription policy was applied to a data source and a user updated a global data policy (create, update, delete) that also applied to that data source, the data policy was not applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
  - If an existing global subscription policy and an existing global data policy applied to the same data source, then after modifications to that data source (or the creation of a new data source targeted by those policies), only the global subscription policy was applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
- Vulnerabilities:
CVE-2022-23529
CVE-2022-40899
Known Bugs
- Editing a schema project to a database that already exists fails.