Let’s say Sally and Bob are working together on a project, and Sally has more data access than Bob. She can see PII and Bob cannot, but they both can see credit card numbers. Without Immuta, an admin would have to know what tables they intend to use, scrub all those tables of PII, and then give Sally and Bob access to those new tables in a place where they can safely work on the data and save any output they create.
With Immuta, this is a lot easier. Sally or Bob could create the project, add the tables as data sources, invite the other person to be a project member, and equalize it. The equalization will compare the members of the project to the data policies on the tables in the project and find the intersection: Sally and Bob both can see credit card numbers. That intersection becomes the equalization setting. Once the project is equalized in this example, Sally will lose access to PII, but both Sally and Bob will retain access to credit card numbers.
Now Sally and Bob want to do some transformation on the data and write it somewhere. This is where project workspaces come into play. Once workspaces are configured in a Snowflake or Databricks Spark integration, Immuta will create a schema in the native database dedicated to this project where Sally and Bob can write their output. Within this workspace
Only members of the project will have access to that schema to write to or read from. (For example, in Snowflake Immuta limits it to a particular role it creates in Snowflake.) This is important, because if someone who can’t see credit card numbers somehow had access to where Sally and Bob were writing, they would gain access to data (the credit card numbers) they shouldn’t see.
They will only be able to access the tables that are in the project. (This may be critical if someone approved the purpose for only those tables.)
When determining where you should give analysts WRITE access, you need to consider the entire universe of where they have READ access, and that universe is constantly changing. This is an impossible proposition for you to manage without Immuta projects.
Users at different levels of access can work together without help from an admin (to scrub the data).
Customers can avoid data leaks on analyst writes.
Project equalization
The same security restrictions regarding data sources are applied to projects: project members still need to be subscribed to data sources to access data, and only users with appropriate attributes and credentials can see the data if it contains any row-level or masking security.
However, project equalization improves collaboration by ensuring that the data in the project looks identical to all members, regardless of their level of access to data. When enabled, this feature automatically equalizes all permissions so that no project member has more access to data than the member with the least access. For a tutorial on enabling equalization, navigate to the Manage equalization guide. Note: Only project owners can add data sources to the project if this feature is enabled.
Once project equalization is enabled, the subscription policy for the project is locked and can only be adjusted by the project owner by changing the equalized entitlements. For users to access data sources within the project (and for the equalization to take effect), users must switch their context to the project.
This setting adjusts the minimum entitlements (i.e., users' groups and attributes) required to join the project and to access data within the project. When project equalization is enabled, equalized entitlements default to Immuta's recommended settings, but project owners can edit these settings by adding or removing parts of the entitlements. However, making these changes entails two potential disadvantages:
If you add entitlements, members might see more data as a whole, but at least some members of the project will be out of compliance. The status of users' compliance is visible from the members tab within the project.
If you remove entitlements, the project will be open to users with fewer privileges, but this change might make less data visible to all project members. Removing entitlements is only recommended if you foresee new users joining with less access to data than the current members.
This setting determines how often user credentials are validated, which is critical if users share data with project members outside of Immuta, as they need a way to verify that those members' permissions are still valid.
Once project equalization is enabled, the project subscription policy builder locks and can only be adjusted by manually editing the equalized entitlements. Then, the subscription policy will combine with the entitlement settings, depending on the policy type.
The way entitlements and approvals combine differs depending on the policy type; for clarity, the table below illustrates various scenarios for each type. Every row demonstrates how a specific project subscription policy changes after project equalization is enabled (when an equalized entitlement is set and when no entitlement is set) and how the policy reverts if project equalization is subsequently disabled.
Anyone
Allow user to subscribe when user is a member of group Accounting
Individual users you select
Individual users you select
Allow users to subscribe when approved by anyone with permission owner (of this project)
Allow users to subscribe when they satisfy all of the following: is a member of group Accounting and is approved by anyone with permission owner (of this project)
Allow users to subscribe when approved by anyone with permission owner (of this project)
Allow users to subscribe when approved by anyone with permission owner (of this project)
Allow users to subscribe to the project when user is a member of group Legal
Allow users to subscribe to the project when user is a member of group Accounting
Individual users you select
Individual users you select
Individual users you select
Allow users to subscribe to the project when user is a member of group Accounting
Individual users you select
Individual users you select
For example, consider the subscription policy of the following sample project, Fraud Prevention, before project equalization is enabled:
Fraud prevention
Subscription policy: Allow users to subscribe when approved by anyone with permission owner (of this project).
After enabling project equalization, the following equalized entitlement is recommended by Immuta: User is a member of group Claims and Billing Department.
In this particular example, the equalized subscription policy contains the equalized entitlement and the approval of the original policy, so users must satisfy both conditions to subscribe:
the user must be a member of the group Claims and Billing Department
the user must be approved by anyone with permission Owner (of this project).
Use project equalization so that all project members see the same data, and re-equalize projects if new members or data sources are added to the project.
Requirement: You must own the project
In the project, click the Policies tab.
In the Project Equalization section, click the toggle button to On.
Note: Only project owners can add data sources to the project if this feature is enabled.
Click Edit next to Equalized Entitlements.
In the Equalized Entitlements Builder, select either is a member of a group or possesses attribute from the user condition dropdown menu.
If you selected is a member of a group, select the appropriate group from the resulting dropdown.
If you selected possesses attribute, select the appropriate key and value from the subsequent dropdown menus.
Click Save.
Use the recommended equalized entitlements
Use Immuta's recommended equalized entitlements to protect your data in projects. Changing these entitlements creates two potential disadvantages:
If you add entitlements, members might see more data as a whole, but at least some members of the project will be out of compliance.
If you remove entitlements, the project will be open to users with fewer privileges, but this change might make less data visible to all project members. Removing entitlements is only recommended if you foresee new users joining with less access to data than the current members.
To view members' compliance status after changing the equalized entitlements,
Navigate to the Members tab from the Project Overview page.
Click the Not In Compliance text to view the details about the user's status.
Users who are not in compliance will be unable to view data sources within the project until the compliance issues are resolved.
To revert entitlements to those recommended by Immuta,
Click Edit next to Equalized Entitlements.
Click Use Recommended.
Click Confirm.
Update the validation frequency to specify how often users must log into Immuta to retain access to the project.
Click Edit in the Validation Frequency section.
Enter an integer in the first field of the Validation Frequency modal that appears.
Select Days or Hours in the next dropdown.
Click Save.
Navigate to the Policies tab.
In the Project Equalization section, click the toggle button to Off.
Click Yes, Turn Off in the confirmation window.
Project equalization improves collaboration by ensuring that the data in the project looks identical to all members, regardless of their level of access to data. When enabled, this feature automatically equalizes all permissions so that no project member has more access to data than the member with the least access.
Manage equalization: Enable project equalization and manage equalized entitlements to create a common level of access for all project members.
Equalized access: This guide describes the design and behavior of project equalization.
Why equalize access?: This explanatory guide offers an example use case for project equalization to highlight its business value.