Domains are containers of data sources that allow you to assign data ownership and access management to specific business units, subject matter experts, or teams at the nexus of cross-functional groups. Within a domain, specific users are assigned a domain permission to manage policies on or to audit the data sources in that domain, which eliminates the problem of centralizing your data governance and giving users too much power over all data in your organization. Instead, you can control how much power these governance and audit users have over data by restricting their privileges to the domains you specify.
Once a data owner registers data as Immuta data sources, users with the GOVERNANCE
permission can add data sources to domains based on business units, business goals, or policy management strategy within their organization. Then, a user with the USER_ADMIN
permission can assign additional users to audit activity on data sources or manage policies on data within those domains:
Domains are also integral to delegating policy management of data products within a data mesh without breaking your organization's security and compliance standards. To learn more about how you can integrate Immuta in your data mesh framework (and domains' role in that process), see the Federated governance for data mesh and self-serve data access use case guide.
Data sources can be assigned to domains based on business units in your organization or any other method that suits your business goals and policy management strategy. Users with the GOVERNANCE
permission can change the domain that a data source belongs to or remove a data source from a domain. Once a data source is assigned to a domain (or multiple domains), users with a domain permission can start performing actions on those data sources.
See the Getting started with domains guide for instructions on creating a domain and adding data sources to it.
Whether created within or outside a domain, Immuta policies enforce access as usual: users who meet the restrictions outlined in the policy applied to a data source may access that data source. However, domains restrict who can author policies that apply to data sources assigned to that domain. This policy management restriction gives organizations more control of how much power governance users have over data. Furthermore, it can make Immuta easier to use by allowing more people to author policies.
Users with the Manage Policies
permission in a domain can set global policies to apply to the domains for which they have the Manage Policies
permission. In the example below, the domain policy manager can only apply global policies to the HR
domain:
If that same user had the Manage Policies
permission for the HR
and Marketing
domains, they could write global policies to apply to data sources within both of those domains. If that user had the Manage Policies
permission on all domains in their organization or the global GOVERNANCE
permission, they could set global policies to apply to all data sources.
When a data source is removed from or added to a domain, Immuta recomputes the policies that apply to the domain. Any policies associated with a domain will be added to or removed from a data source when it is added to or removed from the domain.
See the Getting started with domains guide for instructions on authoring domain policies.
When integrating domains to distribute policy management across your organization, data governance and access control must be applied horizontally (globally across data in your organization) and vertically (locally within specific domains or data products). Global policies should be authored and applied in line with your ecosystem’s most generic and all-encompassing principles, regardless of the data’s domain. For example, a global policy could be used to mask all PII data across an organization. Domain or local policies, on the other hand, should be fine-grained and applicable to only context-specific purposes or use cases. For example, a domain or local policy could be used to only show rows in the Sales
table where the value in the country
column matches the user's office location.
These three different policy levels are authored by separate users:
Global policy level: Users with the GOVERNANCE
permission can create global policies that apply to all data sources in an organization.
Domain policy level: Users with the Manage Policies
permission can apply policies to data sources within the domains for which they have that permission.
Local policy level: Data owners can apply policies directly to a data source, even if a domain or global policy applies to it as well. Because they are the most knowledgeable of their data, data owners can disable and apply the most relevant policy to their data source.
Since policies apply to domain data sources at multiple levels, there are instances in which two or three policies could apply to a single domain data source. Data owners can disable and enable policies that are most appropriate for their data source when a conflict occurs. For details about policy conflicts, merges, and policy conflict management, see the following pages:
Users with the global AUDIT
permission can see all audit events throughout Immuta. To scope this audit information to just a single domain, users can be given the domain Audit Activity
permission.
If a user has the domain Audit Activity
permission on a particular domain, they can audit the following activities:
Domain: Events from when the domain was created, users were added, permissions were updated, and the domain was updated.
Data sources: Events from the data sources within the specific domain.
Policies: Events for policies created, edited, or deleted that affect data sources within the domain.
Queries: Events for user queries against data sources within the domain.
Users with the GOVERNANCE
permission can delete any domain that has zero data sources assigned to it.
See the Getting started with domains guide for instructions on deleting a domain.
Existing data sources can be assigned to a domain by a user with the GOVERNANCE
permission. Once added to a domain, domain policies will be enforced on the data sources.
See the Getting started with domains guide for instructions on adding existing data sources to a domain.
Domain permissions can be added to users or groups by a user with the USER_ADMIN
Immuta permission. See the Permissions and personas page for a list of global and domain permissions necessary to manage domains.
Domains are containers of data sources that allow you to assign data ownership and access management to specific business units, subject matter experts, or teams at the nexus of cross-functional groups. Instead of centralizing your data governance and giving users too much governance over all your data, you control how much power they have over data sources by granting them permission within domains in Immuta.
Required Immuta permission: GOVERNANCE
Navigate to the Domains page.
Click + New Domain.
Enter a Name and Description for your domain.
Click Save.
To create a domain using the API, see the Domains API guide. For more information about domains, see the Domains reference guide.
Required Immuta permission: USER_ADMIN
User administrators can assign domain permissions from the domain permissions tab or the people page. See instructions for both methods below.
Click Domains and navigate to the domain.
Got to the Permissions tab and click + Grant Permissions.
Opt to select additional domains to apply the permission assignments to.
Choose how to assign the permission:
Individual selected users: Select this option from the dropdown and then search for individual users to grant the permission to.
Users in group: Select this option from the dropdown and then search for groups to grant the permission to.
Choose the permission to assign:
Manage Policies permission to allow them to create policies that will apply to the data sources within the domain.
Audit Activity permission to allow them to view audit events within the domain.
Review your changes and click Grant Permissions.
To assign permissions using the API, see the Domains API guide. For a list of permissions associated with domains, see the Domains reference guide.
Click People in the left navigation menu and select Users or Groups.
Select your user or group and then click the Settings tab.
Click + Add Domain Permissions.
Select the Domain for which the user or group should have the permission.
Opt to select additional users or groups to grant the permission to within the selected domains.
Choose the permission to assign:
Manage Policies permission to allow them to create policies that will apply to the data sources within the domain.
Audit Activity permission to allow them to view audit events within the domain.
Review your changes and click Grant Permissions.
Required Immuta permission: GOVERNANCE
Navigate to the Domains page and select your domain.
Click the Data Sources tab, and then click + Add Data Sources.
Select the checkboxes for the data sources you want to add to your domain.
Click + Add to Domain.
To assign data sources using the API, see the Domains API guide. For more information about domain data sources, see the Domains reference guide.
Required Immuta permission: GOVERNANCE
or Manage Policies
Navigate to the Domains page and select your domain.
Click the Subscription Policies or Data Policies tab.
Click Create Policy and select Subscription Policy or Data Policy.
Write your subscription policy or data policy as outlined in the policies how-to guide.
When building your policy, your domain should automatically be added in the What domain(s) should this policy be restricted to? section. However, you can select more domains that you have the Manage Policies
permission for here as well. This step will assign the policy to all data sources added to that domain.
For more information about domain policies, see the Domains reference guide.
Required Immuta permission: Audit Activity
Domain-related activity can be audited from the domain page, the audit page, the people page, or the data sources overview page. To find a specific audit record,
Navigate to the Audit page - records are automatically filtered to your authorized domains only.
Optional: Use filters to narrow down the search for activities.
Click on a record to see details about a specific activity.
Required Immuta permission: GOVERNANCE
Navigate to the Domains page and select your domain.
Click Remove Domain.
Confirm your changes.
To delete a domain using the API, see the Domains API guide.
Domains are containers of data sources that allow you to map your users and data into your organizational or governance structure. Within a domain you can assign data ownership and access management to specific business units, subject matter experts, or teams at the nexus of cross-functional groups.
Getting started with domains: Create and manage a domain.
Domains: This reference guide describes the design and components of domains.