External User ID Mapping

External IDs for integrations can be mapped in for Snowflake, Databricks, Starburst (Trino), Redshift, Azure Synapse Analytics, and HDFS based on attributes from an external IAM system, allowing you to link an external account to the corresponding Immuta account even when usernames do not match between Immuta and the external system.

Configure External User ID Mapping on App Settings Page

External IDs for integrations can be mapped in for Snowflake, Databricks, Starburst (Trino), Redshift, Azure Synapse Analytics, and HDFS based on attributes from an external IAM system.

  1. Click the App Settings icon in the left sidebar and click Identity Management.

  2. After you have clicked Add IAM, define the mapping in the Profile Schema section. Note: Mappings can also be disabled on the App Settings page, so it’s possible that not all of these fields will be available.

  3. Click Save.

  4. Test a login to ensure that the values are picked up correctly.

Manually Configure External User ID Mapping on a User's Page

For IAMs where no mapping has been defined (including Immuta's built-in IAM), the external user ID mappings can be set manually.

  1. Click the People icon and select the Users tab.

  2. Select the user you want to edit.

  3. In the Usernames section, click Edit for the technology username you want to change.

    1. Complete the Username field in the modal that appears and click Save.

    2. For Databricks usernames,

      1. Select Databricks Username to map the Databricks username to the Immuta user and enter the Databricks username in the field. Username mapping for Databricks is case insensitive.

      2. Select Unset (fallback to Immuta username) to use the Immuta username as the assumed Databricks username. Use this option if the user's Databricks username matches the user's Immuta username. Username mapping for Databricks is case insensitive.

      3. Select None (user does not exist in Databricks) if this is an Immuta-only user. This option will improve performance for Immuta users who do not have a mapping to Databricks users and will be automatically selected by Immuta if an Immuta user is not found in Databricks. To ensure your Databricks users have policies correctly applied, manually map their usernames using the first option above.

    3. For S3 usernames, use the dropdown menu to select the User Type. Then complete the S3 field. When selecting Unset (fallback to Immuta username), the S3 username is assumed to be the same as the Immuta username. User and role names are case-sensitive. See the AWS documentation for details.

All external IDs are displayed on the user details page and their user profile.

Last updated