Authoring Policies in Secure
Immuta allows you to define policies at different levels of your data stack.
First are subscription policies, which are commonly termed table access grants or table-level access. Subscription policies control access to your tables. Immuta calls them subscription policies because they are not always an access grant but could also be the result of a data consumer finding the data, requesting access, and then being subscribed to it via Immuta policy you have in place.
Authoring policy at scale
While it is possible to build policies one table at a time using Immuta, there isn't much value in doing so. These are termed local policies in Immuta.
To build policy at scale, you must use global policies. Global policies allow you to build policies that reference tags rather than physical tables or columns. So instead of building a policy like this
mask column name in table customers, you can instead build a policy such as
mask columns tagged name anywhere you see the name tag.
These global policies will then seek out the name tag, wherever found, and apply the policy, no matter the physical location of the tables that contain names. It's important to understand that Immuta supports tag-based global policies for more than just masking. Both subscription and row-level policies can be authored as global policies targeting tags instead of physical tables and columns.
How you get the tags on the tables and columns is outlined in the Automate data access control decisions use case.
There are many guides found in this section, but an efficient approach to learning how to author secure policy would be to first read the two Immuta use cases specific to secure:
And then to focus on the complex topics around how applying policy at scale is managed in Immuta, specifically
- Overview on how to author policies at scale
- Overview of subscription policies and data policies
- Full reference guide for all data policies
- Details on how to minimize policy downtime if there's a large amount of change due to data engineering in your data platform(s)
- Details on how subscription policy conflicts and data policy conflicts are managed