Private preview: The Marketplace app is available to select accounts. Reach out to your Immuta representative for details.
By leveraging the Marketplace app, you introduce three new user types in your Immuta deployment:
Data product manager: These users own the management of the metadata around the data products and publish the data products.
Data steward: These users process the data consumer access requests to deny or approve access. Currently, these are users with the global GOVERNANCE or the domain-specific Manage Data Products permission.
Data consumers: These are the users who search for, discover, and request access to published data products. Once approved, the data consumer can query the data product natively in the data platform, where the access is provisioned automatically.
Data product managers are able to manage data product metadata, choose which data sources the data products contain, and publish data products to the data marketplace.
Any user with GOVERNANCE permission is able to publish data products. However, it is possible to delegate data product management to users without giving them the power that comes with GOVERNANCE permission.
The first step to delegating data product management is to create domains in Immuta, which can be completed by a user with GOVERNANCE permission.
Domains are containers for data sources that allow you to assign permissions scoped to the data sources in that domain. The permission for data product managers is Manage Data Products, which can be assigned within a domain by a user with USER_ADMIN permission from within the Governance app.
When a user has the Manage Data Products permission and visits the Marketplace app, they can define and publish data products. Additionally, the data sources assigned to those data products can only be sourced from a domain where they have this Manage Data Products permission.
The purpose of domains in Immuta is to create scoped areas of responsibility for Immuta permissions. If given a permission on a domain, that permission is scoped to and can only act upon the data sources in that domain.
This is optimal for delegation of data product management for several reasons:
It avoids data product managers publishing data products that contain data sources they should not be publishing.
It allows you to group teams of users with different responsibilities together with permissions scoped to the same set of data sources. For example, you could give:
The HR users in charge of policies (subscription and data policies) Manage Policy permission in the HR Domain,
The HR users in charge of tagging Manage Tags permission in the HR Domain, and finally,
The HR users in charge of publishing data products Manage Data Products permission in the HR Domain.
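The domain scoping described above, as a small Python model added here for illustration; it is not Immuta's code or API. The User class, the function names, and the sample users and data sources are constructed assumptions; only the permission names and the HR Domain come from the page.

```python
from dataclasses import dataclass, field

GOVERNANCE = "GOVERNANCE"                      # global permission (from the page)
MANAGE_DATA_PRODUCTS = "Manage Data Products"  # domain-scoped permission (from the page)

@dataclass
class User:  # hypothetical model, not an Immuta object
    name: str
    global_perms: set = field(default_factory=set)
    domain_perms: dict = field(default_factory=dict)  # domain -> permissions held there

def can_manage_products(user, domain):
    """GOVERNANCE applies in every domain; Manage Data Products only where granted."""
    if GOVERNANCE in user.global_perms:
        return True
    return MANAGE_DATA_PRODUCTS in user.domain_perms.get(domain, set())

def blocked_sources(user, product_sources, source_domain):
    """Return the data sources this user may not publish in a data product.

    Assumption: a source not yet assigned to any domain is blocked for
    everyone, because data products are sourced from a domain.
    """
    blocked = []
    for src in product_sources:
        domain = source_domain.get(src)
        if domain is None or not can_manage_products(user, domain):
            blocked.append(src)
    return blocked

# Constructed sample data: data source -> domain (None = not yet assigned).
SOURCE_DOMAIN = {
    "hr.salaries": "HR Domain",
    "hr.headcount": "HR Domain",
    "fin.ledger": "Finance Domain",
    "sandbox.tmp": None,
}
HR_MANAGER = User("hr_pm", domain_perms={"HR Domain": {MANAGE_DATA_PRODUCTS}})
HR_TAGGER = User("hr_tagger", domain_perms={"HR Domain": {"Manage Tags"}})
GOVERNOR = User("gov", global_perms={GOVERNANCE})

if __name__ == "__main__":
    for u in (HR_MANAGER, HR_TAGGER, GOVERNOR):
        print(u.name, "blocked:", blocked_sources(u, list(SOURCE_DOMAIN), SOURCE_DOMAIN))
```

The HR tagger is blocked even inside the HR Domain: holding a different permission in the same domain does not confer the right to publish.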
Data stewards process the data consumer access requests to deny or approve access. Currently, these are users with the global GOVERNANCE or the domain-specific Manage Data Products permission.
The data steward has a difficult job; historically, they have been asked to make extremely subjective determinations on access requests with too little information. The Immuta Data Marketplace, specifically the approval page, resolves that problem by presenting a range of request details all in a single view, making the data steward's job much easier.
The following information is in each request to help the data steward with their decision:
The requestor's answers to the required question(s) from the request access page.
Confirmation that the requestor has agreed to the data use agreement if there is one. The data use agreement can also be viewed through a link.
The last five approvals (if available) and denials (if available) on the data product with details about each: when they happened, who was approved or denied, who approved or denied them, and why.
This will help the approver understand if the user requesting access aligns with the past five users and the people who have already made approvals in case there are questions.
For each data source in the data product, any existing access details:
If the user already has access via a birthright subscription policy
If the user cannot gain access due to an existing birthright subscription policy
If approved, access will be auto-provisioned in the data platform(s) to the data sources in the data product. This is done natively in the data platform, which means the requesting user can query those tables/views/S3 objects directly from the data platform. This provisioning is represented as an understandable and scalable Immuta policy that will be combined with any existing policies.
Figure 1 depicts the workflows available in the Immuta Marketplace. This walkthrough will guide you through these steps.
Some of these steps are performed by different user types in Immuta, so this walkthrough is organized by Marketplace user type.
See the Marketplace app requirements page.
The data sources that are exposed through your data products are sourced from a domain, so in order to publish a data product, you must have at least one domain with at least one data source in it. Any user with the Immuta GOVERNANCE permission is able to publish data products in the Marketplace app using any domain. However, this job can be delegated by creating data product managers. You create data product managers by giving them the Manage Data Product permission in a domain.
As shown in Figure 2, creating a domain and assigning data sources to it is handled by a user with GOVERNANCE permission. Assigning the Manage Data Product permission is handled by a user with USER_ADMIN permission.
These actions are completed in the Governance app, not the Marketplace app.
This user is able to publish the data products, manage their metadata, and manage request policies. As mentioned above, to be a data product manager, one must have the global GOVERNANCE permission or the domain-specific Manage Data Products permission in a domain.
From there, data product managers are able to publish and manage data products, from their domains, as depicted in Figure 3.
However, the first step in creating a data product is ensuring that the data sources that make up the data product are contained in the domain where you have the Manage Data Product permission.
Typically, you would give a data product manager CREATE permission in a schema or database that they can use as their sandbox for generating new tables/views natively in their data platform using data engineering tools like dbt. Those newly generated tables/views (or even S3 objects) are what they can use as the data sources for their data products.
How do you get these new data objects from the data platform registered in Immuta and assigned to a domain so that they can be published in data products?
Immuta automatically registers objects through periodic polling to detect changes in the data platform and represent those changes in Immuta as data sources. These checks can also be manually triggered.
Once the objects are registered in Immuta as data sources, they are assigned to a domain manually through the Governance app (or API).
A user with GOVERNANCE permission must be involved to add new data sources to domains as they are created. However, this is a short-term limitation; Immuta will soon support automatically adding data sources to a domain based on the schema or database they reside in or based on how they are tagged.
A data consumer can be anyone with a login to Immuta. They can visit the Marketplace app, search for data products, and request access, as shown in Figure 4.
The data stewards are tasked with making determinations on Marketplace access requests, the final step in the workflow depicted in Figure 5.
Currently, in the Marketplace private preview, the users with the global GOVERNANCE permission or the domain-specific Manage Data Product permission in the domain must make the determinations on access requests to the data product. It is the default setting in the request policy for the data product. However, soon you will be able to assign any user, group, or permission as data stewards while creating the data product.
When an access request is made that requires approval, that request will appear as pending in the Marketplace, signaling a determination is required. The data steward can make the determination by approving or denying it with a reason, and if approved, Immuta will automatically provision the access, completing the workflow. Soon, there will be an option to temporarily approve access.
Soon the Marketplace app will support notifications (email, Teams, Slack, webhooks), which will notify the users assigned to make a determination on a request and notify requestors when a determination has been made.
Consider branding the Marketplace app with your own logo and colors, to give it the look and feel of your company.
If you would prefer that data consumers discover data products in your existing catalog, you can configure that. The Marketplace app is built so that it can present the access request page to the consumer via redirects from your catalog.
The Immuta Data Marketplace was built from the ground up with security and provisioning of access in mind. It allows for the following actions:
The delegation of data product managers to publish and manage data products on the Marketplace app.
Data consumers can quickly discover and request access to published data products in the Marketplace app.
Data stewards can receive requests for access and make determinations on them.
Approvals have a direct impact on access. Once a user is approved, access is auto-provisioned in the underlying data platform using powerful access policy management features.
Personalization of the Data Marketplace with your brand's logo and colors to give it your own look and feel.
You have a concept of data products that need to be exposed to your internal lines of business for broader consumption.
You want data consumers to request access to data products, not database roles, which is far more intuitive.
Your data products can be accessed from multiple different data platforms.
You want the option for data stewards to approve (or deny) access.
You want approvers to have additional details about the request so they can make the correct determination.
You want approvals to automatically provision access natively in the data platform.
You want the provisioning of approvals to be represented as scalable policies instead of one-user-at-a-time grants.
You are trying to share and/or monetize data externally (unless you own the data platform those external consumers leverage to query the data).
You want to automate access completely, doing away with manual approvals. You can accomplish this using data governance policies in the Governance app.
The Immuta Data Marketplace is a separate experience from the existing Immuta Governance app, but some actions to set up the Marketplace app must be completed in the Governance app.
Register tables, views, or files as data sources.
Manage birthright policies with global subscription and data policies. Birthright policies are policies that are pre-computed through rules and do not require manual approvals.
View reports and monitor Immuta activity and user query activity.
Discover and tag data automatically.
Configure data domains and permission users to be data product managers, allowing them to publish data products from that domain.
Customize the branding of the Marketplace app.
Data product managers manage and publish data products (from their assigned domains).
Data stewards receive and process access requests to data products.
Data consumers discover and request access to data products.