search
Book a demo

Access to Data Products and Assets

When viewing a data product, you can see details about what you’ll be able to query or unmask if approved:

  • The data product’s data sources (tables, views, files) and your Access Status for each

  • The data product’s columns and if masking is applied

hashtag
Understanding access status

There are different statuses based on the type of access you want.

hashtag
Data source access

There are three possible access statuses for the data sources in a data product:

  1. Current access: You already have access to this data source through existing policies or a data product approval.

  2. Access if approved: You will gain access to this data source should you request access and your request is approved.

  3. Access prevented: There are existing required policies on this data source that you do not meet.

circle-info

It is still worth requesting access to a data product even if you have access to all the data sources it contains because new data sources may be added later, which you may not have birthright access to. In this case, if approved to the data product, you will gain access to the new data sources as soon as they are added to the data product.

hashtag
Access prevented status

It is possible that a data consumer will be blocked from accessing certain data sources, despite being granted access to a data product. This can be the case if data sources are protected by a guardrail subscription policy and the consumer does not meet the criteria defined by that policy.

For example, there may be a rule stating that only members of the group HR can ever be eligible to be subscribed to employee data. Because of that rule, there is a guardrail subscription policy created through the Governance app on that data source that states

Prevent users from subscribing unless user is a member of group HR on data sources tagged employee.

In this case, even if a consumer was approved access to a data product containing some data sources with employee data, their access will be blocked if they are not part of the group HR. This provides global governance with a guarantee that nobody can bypass policies on extremely sensitive data sources.

If that data source is now made part of a data product, the requesting user must be a member of group HR to gain access to that particular data source in the data product, even if they are approved to the data product. If the policy changes so the user meets the requirements, or if the user is added to group HR, Immuta will update the user’s access and grant access to that data source.

hashtag
Column access

There are two masking statuses for columns within the data sources of a data product:

  1. Masked: The column is currently masked by a data policy, but you can request a masking exception.

  2. : The column is not masked, so no exception is needed.

hashtag
Provisioning access when approved

If an access request is approved, Immuta automatically provisions access in the supported data platforms:

  • Data access requests: The user gains query access to the approved data sources in the asset or data product.

  • Masking exception requests: The user sees unmasked values for the approved columns, while masking continues to apply for all other users.

In both cases, the provisioning is represented as an understandable and scalable Immuta policy, combined with any applicable birthright or guardrail policies.

The access statuses in a data product are updated accordingly:

  • Data sources:

    • Current accessCurrent access

    • Access if approvedCurrent access

    • Access preventedAccess prevented

  • Columns:

    • Masked- (unmasked for the approved user only)

paper-plane The requesting user and stewards will receive a notification through their configured notification platform that the access was approved or denied. A history of requests and their determinations is also visible on the Access requests page in the UI.

hashtag
Temporary approvals

For any asset or data product, a data steward can choose to provide a temporary approval to the access request. This provisions access to the user for a set duration of time and then rescinds access through the asset or data product at the end of the set time. If you have temporary access to a data product, your access status will be updated: Temporarily approved.

Both data access and masking exception requests can be granted temporarily. When the approval expires, the user's access will be automatically revoked:

  • Data access requests: Provisioned access to data sources is revoked automatically when the duration expires.

  • Masking exception requests: Approved columns return to masked automatically when the duration expires.

After expiration, the user can re-request access or exceptions as needed.

PreviousData Products and AssetsNextNotifications

Last updated

Was this helpful?