Private preview: The Marketplace app is available to select accounts. Reach out to your Immuta representative for details.
All pending requests from data consumers are listed, and each entry contains:
What data product was requested
When the request was made
What set of users can approve
Its current state:
Pending (These can be canceled by the requestor.)
Processing
Just because a data consumer is approved to a data product does not necessarily mean they will gain access to every data source in that data product. It is possible there are existing birthright policies on those data sources that the requesting user does not meet, and if those policies are always required, the user cannot gain access to the data product, even if approved.
For example, there may be sensitive employee salary data in a data source. Because of that, there is a birthright subscription policy on that data source that is always required, which states that only members of group HR can access this data source. This is effective; it provides global governance a guarantee that nobody can bypass policies on extremely sensitive data sources.
If that data source is now made part of a data product, the requesting user must be a member of group HR to gain access to that particular data source in the data product, even if approved to the data product. Should that policy change in a way that the user now meets the requirements, or should the user be added to group HR, Immuta will react by updating the policy. The user would then have access to that particular data source.
To provide transparency, the request access page will display the following information about each data source in the data product, so the requestor is clear about what they will gain access to, what they will not gain access to, and what they already have access to:
If the user already has access via a birthright subscription policy
If the user cannot gain access due to an existing birthright subscription policy
Note: it is still worth requesting access to a data product even if the user has access to all the data sources it contains because new data sources may be added later which they do not have birthright access to. In this case, if approved to the data product, they will gain access to the new data sources as soon as they are added to the data product.
If approved, Immuta will auto-provision access in the data platform(s) to the data sources in the data product. This is done natively in the data platform so that the user can query those tables/views/S3 objects directly from the data platform. This provisioning is represented as an understandable and scalable Immuta policy which will be combined with existing birthright policies, if any.
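The following Python sketch is an added illustration, not Immuta code or its API: it models how approval to a data product combines with birthright subscription policies for each data source. The class, function names, status labels and sample data sources are constructed, and it assumes that a birthright policy that is not always required does not block an approved user.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataSource:
    name: str
    birthright_groups: frozenset = frozenset()  # empty = no birthright policy
    always_required: bool = False  # if True, approval cannot bypass the policy

def request_page_status(ds, user_groups):
    """Per-data-source status for a requestor (labels are this example's own)."""
    if ds.birthright_groups & user_groups:
        return "already has access"
    if ds.birthright_groups and ds.always_required:
        return "cannot gain access"
    # Assumption: no policy, or a policy that is not always required.
    return "access on approval"

def effective_access(product, user_groups, approved):
    """Names of data sources the user can query in this data product."""
    granted = set()
    for ds in product:
        status = request_page_status(ds, user_groups)
        if status == "already has access":
            granted.add(ds.name)
        elif approved and status == "access on approval":
            granted.add(ds.name)
    return granted

# Constructed sample data product and requesting user.
PRODUCT = [
    DataSource("salaries", frozenset({"HR"}), always_required=True),
    DataSource("directory", frozenset({"Employees"})),
    DataSource("sales"),
]
USER_GROUPS = frozenset({"Employees"})

if __name__ == "__main__":
    for ds in PRODUCT:
        print(ds.name, "->", request_page_status(ds, USER_GROUPS))
    print("approved:", sorted(effective_access(PRODUCT, USER_GROUPS, True)))
    # Adding the user to group HR changes the outcome for "salaries".
    print("approved + HR:",
          sorted(effective_access(PRODUCT, USER_GROUPS | {"HR"}, True)))
```
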