# Walkthrough

{% hint style="info" %}
**Private preview**: The assets and access request link features are private preview and available to all accounts.
{% endhint %}

This page describes the workflow that centers Immuta within your data catalog. This allows users to browse data in their existing data catalog and request access there directly. Immuta then acts as the review and provisioning engine while the catalog remains the single source of truth for metadata and discovery.

When setting up the Request app for the first time, this is what your workflow will look like:

1. [Register a connection](#register-a-connection).
2. [Set up a request form for your assets](#set-up-a-request-form-for-your-assets).
3. [Add access request links to catalog objects](#add-access-request-links-to-your-catalog).
4. [Users request access through links in your catalog](#users-request-access-through-links-in-your-catalog).
5. [Data consumer submits the access request](#data-consumer-submits-the-access-request).
6. [Data stewards review and make a determination for the access request](#data-stewards-review-and-make-a-determination-for-the-access-request).
7. [Immuta automatically provisions access](#immuta-automatically-provisions-access).

The sections below explain each step in detail.

{% stepper %}
{% step %}

#### Register a connection

An application admin will [register the connection](/SaaS/configuration/integrations/data-and-integrations/registering-a-connection.md#how-to-guides) to pull in object metadata and create data objects. Immuta will then represent those data objects as assets.

*This action must be completed in the Govern app.*

{% hint style="warning" %}
Assets will only be created from connection-backed objects. Data sources registered through the legacy onboarding are not supported.
{% endhint %}
{% endstep %}

{% step %}

#### Set up a request form for your assets

Immuta sets a default request form for all assets; however, you can set up a customized request form to suit your organization's needs.

A governance user will [create a request form](/SaaS/request/review-access-requests/how-to-guides/manage-request-forms.md#create-a-new-request-form) that data consumers will complete when requesting access to assets; then, the governance user will [attach it to an asset](/SaaS/request/configure/how-to-guides/manage-assets.md). The request form contains the questions requesters must answer, ensuring that data stewards have all the necessary details to make determinations on access requests.

Once the request form is attached to an asset, any user that requests access to that asset through their data catalog by clicking an access request link will be taken to the **Request access** page in Immuta to fill out the questions and submit the request.
{% endstep %}

{% step %}

#### Add access request links to your catalog

Your catalog administrator will [configure access request links](/SaaS/request/configure/how-to-guides/configure-access-request-links.md) within the objects of your data catalog.

This will allow your data catalog users to browse for data within their catalog, and once they find data they want access to, they can click the access request link to take them to the request form attached to that asset.
{% endstep %}

{% step %}

#### Users request access through links in your catalog

Users browse through your data catalog as they normally do. When they come across data which they do not have access to, [they click a link within that data object directly in the data catalog](/SaaS/request/access-data-products/how-to-guides/requesting-access-from-your-catalog.md).

This link will take them to the request form attached to the asset that corresponds to the data object. If you have an [IAM configured](/SaaS/configuration/people/section-contents/reference-guides/index.md#external-identity-managers), and the data consumer is already signed in, they will be taken directly into the app.
{% endstep %}

{% step %}

#### Data consumer submits the access request

The data consumer is taken to the **Request access** page in Immuta to fill out the questions for the request form that corresponds to the asset (database, schema, table, etc.). They answer the exact questions that your data stewards need to properly determine whether or not the requester should gain access.

<i class="fa-paper-plane">:paper-plane:</i> Once they request access, a webhook is sent off and Immuta will send notifications to the data stewards designated in the review flow.
{% endstep %}

{% step %}

#### Data stewards review and make a determination for the access request

Data stewards [review the access requests](/SaaS/request/review-access-requests/how-to-guides/view-and-respond-to-access-requests.md) within Immuta and can make determinations by approving, denying, or temporarily approving the access request. Using [AI review assist](/SaaS/request/review-access-requests/reference-guides/understanding-review-assist.md), they can quickly and easily make determinations of access with exactly the information they need, provided by the answers to the questions in the request form.

Data stewards are assigned in the review flow:

* If any data steward can approve, just a single determination will dictate the user's access.
* If all data stewards must approve, [one determination must be made by one data steward](#user-content-fn-1)[^1] belonging to each of the assigned groups, attributes, or permissions.

If a single data steward denies access, the user will not get access. If the access request is approved, Immuta will automatically provision access by granting access to the requested data within the data platform or unmasking the requested column, completing the workflow.

<i class="fa-paper-plane">:paper-plane:</i> When a final determination is made for an access request, a webhook is sent off and the requester and all other data stewards assigned in the review flow will receive a notification with the decision.
{% endstep %}

{% step %}

#### Immuta automatically provisions access

After an access request is approved by the necessary data stewards, Immuta provisions access for the data consumer in the data platform. This access is represented as [scalable Immuta policies](/SaaS/request/configure/reference-guides/understanding-access-provisioning-and-underlying-policies-in-immuta.md) and, for supported connections, pushed as native grants into the data platform so the user can query the data.
{% endstep %}
{% endstepper %}

[^1]: For example, if the request form lists users with the `GOVERNANCE` permission and users with the HR group as data stewards, then one user with the `GOVERNANCE` permission and one user with the HR group must approve to satisfy each of those conditions. A single user may approve for all conditions in a request form if they have the necessary permissions.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/SaaS/request/introduction/walkthrough.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.