External IDs for the Snowflake, Databricks, Starburst (Trino), Redshift, and Azure Synapse Analytics integrations can be mapped in based on attributes from an external IAM system. This lets you link an external account to the corresponding Immuta account even when usernames do not match between Immuta and the external system.
Click the App Settings icon in the left sidebar and click Identity Management.
After you have clicked Add IAM, define the mapping in the Profile Schema section.
Note: Mappings can also be disabled on the App Settings page, so it’s possible that not all of these fields will be available.
Click Save.
Test a login to ensure that the values are picked up correctly.
For IAMs where no mapping has been defined (including Immuta's built-in IAM), the external user ID mappings can be set manually.
Click the People icon and select the Users tab.
Select the user you want to edit.
In the Usernames section, click Edit for the technology username you want to change.
Complete the Username field in the modal that appears and click Save.
For Databricks usernames,
Select Databricks Username to map the Databricks username to the Immuta user and enter the Databricks username in the field.
Select Unset (fallback to Immuta username) to use the Immuta username as the assumed Databricks username. Use this option if the user's Databricks username exactly matches the user's Immuta username.
Select None (user does not exist in Databricks) if this is an Immuta-only user. This option will improve performance for Immuta users who do not have a mapping to Databricks users and will be automatically selected by Immuta if an Immuta user is not found in Databricks. To ensure your Databricks users have policies correctly applied, manually map their usernames using the first option above.
For S3 usernames, use the dropdown menu to select the User Type. Then complete the S3 field. When selecting Unset (fallback to Immuta username), the S3 username is assumed to be the same as the Immuta username. User and role names are case-sensitive. See the AWS documentation for details.
All external IDs are displayed on the user details page and their user profile.
Click the People icon and select the Groups tab.
Click the New Group button.
In the modal, enter the new group's name. Optionally, enter a description and an email address for the new group.
Click Save.
Click the People icon and select the Groups tab.
Select the group you want to edit and select the Settings tab.
Click the Add Members button.
Begin typing in the Search by Member Name or Email text box.
Click on the name from the dropdown list to add this user to the group.
Authentication best practice: Use an external IAM for authentication and Immuta's internal IAM to manage attributes.
Click the People icon and select the Groups tab.
Select the group you want to edit and select the Settings tab.
Click Add Attributes.
Begin typing the attribute name in the Attribute text box.
If the attribute already exists, select it from the dropdown list.
If the attribute does not exist yet, enter the full name of the attribute, and then select it from the dropdown.
In the Attribute Value text box, enter a value.
If the value already exists, select it from the dropdown list.
If the value does not exist, enter the full name, and then select it from the dropdown.
Click Close.
Click the People icon and select the Groups tab.
Select the group you want to edit and select the Settings tab.
In the members section, click Remove to the right of the member you want to remove.
Click Delete to confirm.
Click the People icon and select the Groups tab.
Select the group you want to edit.
Click the more actions icon, and select Delete.
Click Delete to confirm.
Click the People icon and select Users or Groups.
Select the user or group you want to edit and select the Settings tab.
In the Attributes section, click the more actions icon on the attribute value you want to remove.
Click Remove and Confirm.
Click the People icon in the navigation and select the Users tab.
Click the New User button.
Fill out the Full Name and Email fields in the dialog. Note: The user's email address will be used as the username and must be unique.
Click the Create button.
Click the People icon in the navigation and select the Users tab.
Select the user you want to edit and select the Settings tab.
Click Add Permissions.
Click the Select Permission dropdown, and select the permission you want to give the user.
Click the People icon in the navigation and select the Users tab.
Select the user you want to disable, and click the more actions icon.
Select Disable User.
Click Disable in the confirmation dialog.
Requirement: USER_ADMIN permission
Note: This action permanently deletes all data associated with this user from Immuta, including data source subscriptions, and a timestamp of this event will be captured in the audit logs. The ability to create governance reports against this user will no longer be possible. This action cannot be undone.
Click the People icon in the navigation and select the Users tab.
Select the user you want to disable, and click the more actions icon.
Select Permanently Delete.
Click Permanently Delete User in the confirmation dialog.
Type Delete to confirm deleting the user permanently.
Click the Confirm Permanent Delete button.
Prerequisite: An IAM configured in Immuta
Click the People icon in the navigation and select the Users tab.
Click the more actions icon and select Migrate User.
Enter their username in the modal that appears and click Migrate User.
Click the People icon in the navigation and select the Users tab.
Select the user you want to edit and select the Settings tab.
Click Remove on the permission you want to remove.
Click the People icon in the navigation and select the Users tab.
Click the Metrics button.
Complete the Number of Days field in the dialog that appears, and then click Download to download the JSON file.
Once an account has been disabled, it will not appear in the list of current Immuta users. To show the disabled accounts,
Click the People icon in the navigation and select the Users tab.
Use Filters to filter the table to Include Accounts and check the Disabled box.
Immuta can consume user attributes from an external HTTP endpoint in an out-of-band fashion. This feature allows you to retrieve users' groups and authorizations from an additional resource, alongside the user attributes retrieved in the authentication flow. Such an external endpoint can be configured on any of the Identity Provider types that Immuta supports.
The following section describes how to implement the HTTP service.
The service can authenticate requests with either or both of the following methods:
Basic username and password Authorization header
SSL cert validation
For more information, refer to Configure an External User Info Endpoint.
Note: Immuta expects a non-200 status code whenever the user info cannot be retrieved.
The user info endpoint is called each time Immuta needs to synchronize a user's groups and authorizations with a remote IAM. Immuta queries the endpoint with the user ID supplied in the request's query string.
Note: The endpoint's path does not necessarily have to be /user-info.
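The following is an added example of such a service, written for this page and not taken from Immuta's documentation or code. It assumes things the page does not state: that the user ID arrives as a query parameter named `userid`, that the response is a JSON object with `groups` (a list of group names) and `authorizations` (attribute name mapped to a list of values), and that Immuta presents HTTP Basic credentials. The credentials and the user directory are constructed sample data. The request logic lives in a pure `handle_request` function so the non-200 behaviour (missing credentials, missing parameter, unknown user) can be tested without starting the server; `build_tls_context` shows how the optional client-certificate check would be enforced.

```python
"""Minimal out-of-band user info endpoint (added example, not Immuta's code).

Assumptions not stated on the page: the user ID is the `userid` query
parameter; the body is JSON with `groups` and `authorizations`; Immuta sends
HTTP Basic credentials. Credentials and directory below are constructed.
"""
import base64
import hmac
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed credentials that Immuta would be configured to present.
SERVICE_USER = "immuta"
SERVICE_PASSWORD = "s3cret-example"

# Constructed directory standing in for a real IAM lookup.
DIRECTORY = {
    "alice@example.com": {
        "groups": ["analysts", "finance"],
        "authorizations": {"Region": ["EMEA"], "Clearance": ["confidential"]},
    },
    "bob@example.com": {"groups": ["engineering"], "authorizations": {}},
}


def basic_auth_header(user, password):
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header_value):
    """True only if the header carries the expected Basic credentials."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison so rejection time does not leak which part was wrong.
    ok_user = hmac.compare_digest(user.encode("utf-8"), SERVICE_USER.encode("utf-8"))
    ok_pass = hmac.compare_digest(password.encode("utf-8"), SERVICE_PASSWORD.encode("utf-8"))
    return ok_user and ok_pass


def lookup_user_info(user_id):
    """Return a fresh groups/authorizations document, or None if the user is unknown."""
    entry = DIRECTORY.get(user_id)
    if entry is None:
        return None
    return {
        "groups": list(entry["groups"]),
        "authorizations": {k: list(v) for k, v in entry["authorizations"].items()},
    }


def handle_request(path, headers):
    """Pure handler returning (status_code, body). Any failure yields a non-200 code."""
    if not check_basic_auth(headers.get("Authorization")):
        return 401, {"error": "unauthorized"}
    user_ids = parse_qs(urlparse(path).query).get("userid", [])
    if len(user_ids) != 1 or not user_ids[0]:
        return 400, {"error": "exactly one userid query parameter is required"}
    info = lookup_user_info(user_ids[0])
    if info is None:
        return 404, {"error": "user not found"}
    return 200, info


class UserInfoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle_request(self.path, self.headers)
        payload = json.dumps(body).encode("utf-8")
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="user-info"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def build_tls_context(cert_file, key_file, ca_file):
    """TLS context requiring a client certificate issued by ca_file (hypothetical paths)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 8080), UserInfoHandler)
    # For mutual TLS: server.socket = build_tls_context(...).wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

Run it and query `http://127.0.0.1:8080/user-info?userid=alice@example.com` with the sample Basic credentials to see the 200 document; omit the credentials or ask for an unknown user to see the 401 and 404 responses Immuta treats as "user info not retrievable".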
Parameters
Responses
Response Schema
Below is an example value that could be returned by the endpoint: