Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Purpose-based access control is a method of data access control that makes access decisions based on the reason a user or tool intends to use the data, which provides flexibility data governance teams need to build a high-powered, granular access control model. Furthermore, most regulations (like GDPR and HIPAA) include purpose clauses that require sensitive data only be collected and used for precise reasons.
For example, the GDPR’s Purpose Limitation Principle states that “Personal data should only be collected and processed for a legitimate specific purpose.” Furthermore, the regulation claims that the specific purpose “should be expressed in an unambiguous, transparent, and simple manner” in order to be compliant. The goal of this clause is to ensure that sensitive information is not being unnecessarily collected, stored, and exposed to risk by organizations that use it. With purpose-based access control, organizations can exhibit the granular, purpose-based control over data access that ensures compliance with these standards.
Immuta projects allow you to connect purposes to data sources and users to enforce purpose-based access controls on your data.
This getting started guide outlines how to quickly implement purpose-based access controls for your business use case using Immuta projects, purposes, and global data policies.
The how-to guides in this section illustrate how to create and manage projects and purposes.
Create a project: Create a project to group data sources and users.
Create a purpose: Create a purpose for your project to enforce access restrictions on the project data sources.
Adjust a policy: Redistribute the noise of k-anonymization across multiple columns of a data source within a project to make specific columns more useful for analysis.
Project management: This section guides project owners, governors, and project managers through managing project settings, data sources, and members.
Projects and purposes: Immuta projects allow you to connect purposes to data sources and users to enforce purpose-based access controls on your data.
Policy adjustments: Project owners can use policy adjustments to increase a data set's utility while retaining the amount of k-anonymization that upholds de-identification requirements. With this feature enabled, users can redistribute the noise across multiple columns of a data source within a project to make specific columns more useful for their analysis.
Why use purposes?: This explanatory guide contains a conceptual overview of purposes in Immuta and the business value achieved by using purpose-based access controls.
Requirement: GOVERNANCE
or PROJECT_MANAGEMENT
Immuta permission
Click Governance and select Purposes in the navigation menu.
Click + Add Purpose.
Complete the Purpose Name field, and opt to customize the acknowledgement statement or add a description.
Click Create.
Click Governance and select Purposes in the navigation menu.
Open the dropdown menu and click View or Edit in the actions column of the purpose you want to add sub-purposes to.
Click Add Sub-Purposes.
Enter a name in the Enter nested purpose field in the Sub-Purpose Builder.
Click the arrow to the right of the purpose or sub-purpose(s) to continue adding nested purpose fields.
Click Save.
A list of sub-purposes will populate at the bottom of the page. You can manage these sub-purposes by clicking Edit in the Actions column at any time.
Click Data in the navigation menu and select Projects.
Go to the project overview page and click Add Purposes.
Select the purpose from the dropdown menu or click Create Purpose.
Complete the prompts in the modal and then click Save.
For the purpose to go into effect, it must be approved by a user with the GOVERNANCE
or PROJECT_MANAGEMENT
Immuta permission.
Click Governance and select Purposes in the navigation menu.
Open the dropdown menu and click Edit in the Actions column of the purpose you would like to customize.
Click Edit above the acknowledgement statement, customize the text, and then click Confirm.
The page displays the updated statement, which now will be used by all projects and purposes. The updated statement will also be used by any new members joining existing projects containing purposes with default statements.
By default, sub-purposes will inherit the acknowledgment statements of their parent purposes. However, you can customize the acknowledgement statement for an individual sub-purpose as well by following the process above.
Navigate to your user profile page and click the Requests tab.
Approve or deny the purpose request in the actions column.
Click Governance and select Purposes in the navigation menu.
Click the more actions icon in the Actions column of the purpose or sub-purpose you want to delete.
Select Delete, and then click Confirm to approve the deletion.
Any project that contained the deleted purpose will be treated as no longer compliant, so the project overview page will display a violation
tag. Project owners can remediate the violation by removing the purpose from the project.
Requirement: You must own the project
On the Members tab, click the Role of the member whose role you want to change.
Select a different role: subscribed or owner.
On the Members tab, click the Deny button next to the user or group you want to remove.
Complete the Reasoning field in the window that appears, and then click Submit.
Requirements:
If or is enabled, you must own the project.
If a purpose has been added to and approved for the project, you must have the GOVERNANCE
or PROJECT_MANAGEMENT
Immuta permission.
Otherwise, you must be a project member.
Navigate to the Project Overview tab.
Click the Add Data Sources button.
Start typing the name of a data source you'd like to include in the project.
Select the data source from the list of auto-completed options in the dropdown menu.
Repeat this process to add additional data sources to the list. You can remove them using the more options icon.
Opt to re-equalize the project by clicking the toggle on.
When complete, click the Save button at the bottom of the list.
You can automatically add all data sources to a project that contain a Limit usage to purpose policy that matches the purpose of that project.
Select a Project, and click the Add Data Sources button.
Click Add By Purpose.
All data sources matching the project's purpose(s) will populate at the bottom of the dialog. Review this list, and then click Save.
Set your current project to be the one you want new data sources in.
Navigate to the Data Sources page.
Select the checkboxes for the data sources you want in a project.
Select the bulk actions more options icon in the top right corner.
Click Add To Current Project.
Purpose-based access control makes access decisions based on the purpose for which a given user or tool intends to use the data. This method of data access also provides flexibility for you to override policies and grant access to unmasked data to an individual for a very specific reason. Immuta recommends using to create exceptions to global data policies.
There is some up-front work that needs to occur to make this possible.
A user with the GOVERNANCE
Immuta permission for access to different data types unmasked. As part of creating the purposes, they may want to the user must agree to when acting under that purpose.
A data owner or governor updates the masking or row-level policies to . For example, Mask all columns tagged PII for everyone except users acting under purpose [some legitimate purpose(s)]
.
Users and connect the project to both the policy and the purpose by
with the policies they want users to be excluded from and
to the project
However, that project does nothing until the purpose is .
Once that approval is complete, the user wanting the exception must .
Using the Immuta UI, the . Once switched to that project, the approved exceptions occur for the user.
These exceptions can be made temporary by deleting the project once access is no longer needed or un-approving the purpose for the project after the need for access is gone.
Public preview: This feature is in public preview. It is available to all customers and can be enabled on the Immuta app settings page.
Project owners can use policy adjustments to increase a data set's utility while retaining the amount of k-anonymization that upholds de-identification requirements. With this feature enabled, users can redistribute the noise across multiple columns of a data source within a project to make specific columns more useful for their analysis. Since these adjustments only occur within the project and do not change the individual data policies, data users must be acting under the project to see the adjustments in the data source.
For example, a policy might mask these data source columns with k-anonymization: Income
, Education
, EmploymentStatus
, Gender
, and Location Code
. When the analyst examines the data, the percent NULL has been predetermined by Immuta with an equal weight across all of these columns. However, if the analyst's work hinges on the EmploymentStatus
column, the project owner can adjust the weights on the policy adjustment tab in the project to make the necessary data (EmploymentStatus
) less NULL.
For columns that are already well-disclosed (meaning they already have a low percent null), the same percent null will display even when you drastically change the weight distribution.
Increasing the weight of a column that is already well-disclosed will not change the outcome. Generally, the biggest impact will be seen when you increase the weights of the largest percent null column. (The only exception to this is if that column already has a lot of native nulls in the remote database.)
This feature provides an option to allow fields in the clear when creating a purpose, permitting specified analysts to bypass k-anonymization in specific circumstances.
When any purpose with the allow fields in the clear property enabled is approved for use within a project, a project member can proceed through the policy adjustment workflow and specify columns to be unmasked.
In today’s world of modern privacy regulations, deciding what a single user can see is not just about who they are, but what they are doing. For example, the same user may not be able to see credit card information normally, but if they are doing fraud detection work, they are allowed to.
This may sound silly because it’s the same person doing the analysis, so why should we make this distinction? This gets into a larger discussion about controls. When most think about controls, we think about data controls - how do we hide enough information (hide rows, mask columns) to lower our risk. There’s a second control called contextual controls; what this amounts to is having a user agree they will only use data for a certain purpose and not step beyond that purpose. Combining contextual controls with data controls is the most effective way to reduce your overall risk.
In addition to the data controls you’ve seen, Immuta is also able to enforce contextual controls through what we term purposes. You are able to assign exceptions to policies, and those exceptions can be the purpose of the analysis in addition to who the user is (and what attributes they have). This is done through Immuta projects; projects contain data sources, have members, and are also protected by policy, but most importantly, projects can also have a purpose which can act as an exception to data policy. Projects can also be a self-service mechanism for users to access data for predetermined purposes without having to involve humans for ad hoc approvals.
The goal of Immuta is to modernize the management of data policies in organizations. One key aspect of modernization is to remove day-to-day human involvement in policy decision making, which is fragile and subjective. One decision process is how and when to make exceptions to policies.
This decision process could be something like: “because Morgan is analyzing employee attrition and retention, they should be able to see employee satisfaction survey data.” Notice it is not “because Morgan is HR, they should be able to see employee satisfaction survey data.” It’s not who Morgan is, but what Morgan is doing that should allow them heightened access. The purpose for data access drives the policy decision and can be approved objectively because you are not approving who can see data, but what can be done with it. However, if Morgan has to ask permission every time there is a new survey, this becomes a subjective and time-consuming process for the organization.
This is where purposes and purpose-based access control can help. Purposes allow you to define exceptions to rules as the purpose for which the user is acting. The key point here is you can define these purposes ahead of time, before any user actually tries to get an exception. Immuta projects are valuable not just for purpose-based access control, but because of the documentation trail they provide, the collaboration they allow, and the data access process they automate.
Additionally, to ensure that purposes are being used correctly and applied accurately, project purposes must be approved before the purpose is active in a project. That approver will see the lists of tables, the project members, and project documentation and decide if they want to approve it or not. This approval is recorded by Immuta, creating a documentation trail. After a purpose is approved within a project, any changes to the members or data sources will require the purpose to be re-approved, ensuring that the project continues to be compliant to an organization's requirements.
Purpose-based access control makes access decisions based on the purpose for which a given user or tool intends to use the data, which reduces risk and aligns with many privacy regulations, such as GDPR and CCPA. This method of data access also provides flexibility for you to override policies and grant access to unmasked data to an individual for a very specific reason, without time-consuming and ad hoc manual approvals.
Immuta recommends using purposes to create exceptions to global data policies.
See this Getting started guide for instructions on how to implement purpose-based access control for your organization.
Requirement: You must own the project
Navigate to the project.
Click the Policies tab.
In the Project Equalization section, click the toggle button on the far right to On.
Navigate to the project Overview tab.
Click the Add Purposes button in the center of the page.
Select the desired purpose(s) from the dropdown menu. The project must have one purpose with noise reduction for policy adjustments to function. Noise reduction is indicated by the policy adjustment amount highlighted in gray. If there is no policy adjustment shown, it is the default, none.
Click Save.
The purpose will be staged until a user with the GOVERNANCE
or PROJECT_MANAGEMENT
permission approves and activates it. If you have one of these permissions, the staging will be skipped.
After the purpose has been approved, click I Agree to agree to the terms of the purpose.
Note: All members of the project must agree to the terms of the purpose; if they decline, they will be removed from the project.
Navigate to the Policy Adjustment tab.
Select the data source from the dropdown menu. You will receive a No Adjustments Available message if there are no columns in the data sources that are associated with adjustable policies.
Select the columns from the dropdown menu.
In the priority ranking window, give weight from most to least important columns. The higher the weight the more usability will be provided, while still providing de-identification through the other columns.
Opt to select Keep Fields in the Clear for specific columns.
After assigning the weight and ensuring that the remaining weight is zero, click the Adjust button.
Check that the percent NULL is appropriate for your usability. If you are content with the percent NULL, move on to the next step; if you are not satisfied with the percent NULL, repeat the previous steps until satisfied.
Click Apply after you have made the acceptable adjustments.
After you ensure that your data source has two columns with k-anonymization policies applied,
Navigate to your project and click the Overview tab.
Click Add Purposes and select a purpose with a Noise Reduction and Fields in Clear tags, or create a new purpose with Noise Reduction and Fields in Clear enabled.
Click Save, and then click I Agree.
Navigate to the Policy Adjustment tab.
Select the data source(s) and columns from the subsequent dropdown menus.
Select the Keep in the Clear checkbox next to columns to be kept in the clear.
Adjust the weight for the remaining columns. The Remaining Weight must equal 0.
Click Adjust and then Apply.
The values for the fields you selected will now be visible to users acting under the project.
Immuta projects combine users and data sources under a common purpose. Sometimes this purpose is for a single user to organize their data sources or to control an entire schema of data sources through a single projects screen; however, most often this is an Immuta purpose for which the data has been approved to be used and will restrict access to data and streamline team collaboration.
Project members: The users who will create, manage, and use projects.
Purposes: Purposes allow governors to define exceptions to policies based on how a user will use the data.
Data sources: Projects create an environment within Immuta where the user will only see the data sources within the project, despite their subscription to other data sources.
Subscription policy: Project users with the appropriate permissions can set a subscription policy on a project to control the users who can join.
Documentation: Project users can create documentation within the Immuta project page, allowing for an easy and consistent trail of communication.
Equalization: Project equalization ensures that the data in the project looks identical to all members, regardless of their level of access to data.
Workspaces: With equalization enabled, project users can create Snowflake or Databricks workspaces where users can view and write data.
Derived data sources: Derived data sources are the data sources that come from workspaces. Once they are created, they automatically inherit policies from their parent sources.
Masked joins: Within a project, users can join masked columns.
The features and capabilities of each user differ based on the user's role within the project and within Immuta. Roles and their capabilities are outlined below.
Project role | Capabilities |
---|---|
Data governors and users with the PROJECT_MANAGEMENT
permission are responsible for configuring and approving project purposes and acknowledgement statements.
Purposes help define the scope and use of data within a project and allow users to meet purpose restrictions on policies. Governors create and manage purposes and their sub-purposes, which project owners then add to their project(s) and use to drive data policies. Project owners can also create a purpose; however, they remain in a staged state until a governor or project manager approves the purpose request.
Purposes can be constructed as a hierarchy, containing nested sub-purposes, much like tags in Immuta. This design allows more flexibility in managing purpose-based restriction policies and transparency in the relationships among purposes.
For example, if the purpose Research
included Marketing
, Product
, and Onboarding
as sub-purposes, a governor could write the following global policy:
Limit usage to purpose(s) Research for everyone on data sources tagged PHI.
This hierarchy allows you to create this as a single purpose instead of creating separate purposes, which must then each be added to policies as they evolve.
Now, any user acting under the purpose or sub-purpose of Research
- whether Research.Marketing
or Research.Onboarding
will meet the criteria of this policy. Consequently, purpose hierarchies eliminate the need for a governor to rewrite these global policies when sub-purposes are added or removed. If new projects with new Research purposes are added, the relevant global policy will automatically be enforced.
Projects with purposes require owners and subscribers to acknowledge that they will only use the data for those purposes by affirming or rejecting acknowledgement statements. Each purpose has its own acknowledgement statement, and a project with multiple purposes requires users to accept more than one acknowledgement statement. Immuta keeps a record of each project member's response to the acknowledgement statement(s) and records the purpose, the time of the acknowledgement, and the text of the acknowledgement. Purposes can use Immuta's default acknowledgement statement or one customized by a data governor.
If users accept the statement, they become a project member. If they reject the acknowledgement statement, they are denied access to the project.
When a user is working within the context of a project, they will only see the data in that project. This helps to prevent data leaks when users collaborate. Users can switch project contexts to access various data sources while acting under the appropriate purpose. By default, there will be no project selected, even if the user belongs to one or more projects in Immuta.
When users change project contexts, queries reflect users as acting under the purposes of that project, which may allow additional access to data if there are purpose restrictions on the data source(s). This process also allows organizations to track not just whether a specific data source is being used, but why.
Schema projects are a collection of data sources that Immuta creates when multiple data sources belong to the same schema. For information about schema projects, see the Schema project guide.
Requirement: You must own the project or have the GOVERNANCE
or PROJECT_MANAGEMENT
Immuta permission
Navigate to the Project Overview tab.
Click + Add Purposes.
Create a new purpose in the modal or select purposes from the dropdown menu.
Click Save, and then click I Agree.
Navigate to the Project Overview tab.
Scroll to the purposes section and click Remove.
Click I Agree
See the guide.
Requirement: CREATE_PROJECT
Immuta permission (and you must own the project)
Click the Project Overview tab.
Click the Edit button in the Documentation section.
Document the details of your project in the text box that appears, and then click Save.
Requirement: CREATE_PROJECT
(and you must own the project), GOVERNANCE
, or PROJECT_MANAGEMENT
Immuta permission
Select a project and navigate to the Project Overview tab.
Scroll to the Tags section and click the Add Tags button.
Begin typing the tag name in the window that appears, and then select the tag from the dropdown menu. A list of chosen tags will populate at the bottom of this window.
After selecting all relevant tags, click the Add button.
Requirement: CREATE_PROJECT
(and you must own the project), GOVERNANCE
, or PROJECT_MANAGEMENT
Immuta permission
Navigate to the Project Overview tab.
Scroll to the Tags section and click on the tag that you want to remove to open its side sheet.
Click Remove.
Click Confirm to delete the tag.
Requirements:
CREATE_PROJECT
(and you must own the project), GOVERNANCE
, or PROJECT_MANAGEMENT
Immuta permission to disable or enable a project
CREATE_PROJECT
Immuta permission to delete a project
Click the Data icon and select Projects in the sidebar.
Select the My Projects tab.
Click the more options icon next to the project and select Disable.
Click the Data icon and select Projects in the sidebar.
Select the My Projects tab.
Click the more options icon next to the project and select Enable.
Deleting a project permanently removes it from Immuta. Projects must first be disabled before they can be deleted.
Click the Data icon and select Projects in the sidebar.
Select the My Projects tab.
Click the more options icon next to the disabled project and select Delete.
Click Confirm.
See the guide.
Project owner
Users with the CREATE_PROJECT
permission can
enable project equalization and masked joins
disable, delete, and enable projects
create Snowflake or Databricks workspaces
Project governor
Users with the GOVERNANCE
permission can
manage project members, project tags, and project subscription policies
add and remove project data sources
Project manager
Users with the PROJECT _MANAGEMENT
permission can
add and remove project data sources
Project member
Once subscribed to a project, all users can
add data sources to the project (unless project equalization or masked joins is enabled)
Requirement: CREATE_PROJECT
Immuta permission
Project naming convention
Use a naming convention for projects that reflects the naming convention for databases. (e.g., If the project in Dev is called: “my_project” name the project “dev_my_project.") The data will end up in the project database prefix, so you can trace the source and make edits upstream in that project as necessary.
Navigate to the Projects tab under Data in the sidebar, and click the New Projects button.
Fill out the Basic Information:
Enter a name for your project in the Project Name field.
Opt to complete the Project Description field to help identify your project.
Opt to enter project Documentation to provide context for members.
Select the purposes and any policy adjustments:
Choose to select a purpose from the list of purposes or create a new purpose for the project.
To create a new purpose, click Create Purpose and complete the prompts in the modal.
Note that all purposes added to a project will need to be created or approved by a user with the GOVERNANCE
or PROJECT_MANAGEMENT
permission. Once purposes have been applied to a project, only these users can add data sources to the project.
Add a native workspace configuration: Select your workspace configuration from the Workspace Configuration dropdown menu: Databricks or Snowflake.
Databricks: Opt to edit the sub-directory in the Workspace Directory field (this sub-directory auto-populates as the project name) and enter the Workspace Database Name.
Snowflake: Name the Workspace Schema. By default, the schema name is based off of the project name, but you can change it here. Your project workspace will exist within this schema under Snowflake under the database configured by the application admin.
Use the dropdown menu to select the Hostname. Projects can only be configured to use one Snowflake host.
Select one or more Warehouses to be available to project members when they are working in the native workspace.
Add data sources to the project using the dropdown menu. Data sources can also be added after the project is created.
Click Affirm and Create.
Projects are private by default but can be made public and shared with other users by changing the subscription policies setting. Governors are the only users who can manage subscription policies for projects with purposes.
In the project, click the Policies tab.
Click Edit Subscription Policy.
Select the group of users who will have access:
Allow anyone: Selecting this option makes the project visible to everyone. Opt to require manual subscription by selecting the checkbox. This will require the users to manually subscribe to the project to gain access.
Allow anyone who asks (and is approved): Selecting this option makes the project visible in search results, but users must request access and be granted permission. This restriction supports multiple approving parties, so project owners can allow more than one approver or users with specified permission types to approve other users who request access to the project.
Click Anyone or An individual selected by user from the first dropdown menu.
Note: If you choose An individual selected by user, when users request access to a project they will be prompted to identify an approver with the permission specified in the policy.
Select the USER_ADMIN, GOVERNANCE, or AUDIT permission from the subsequent dropdown menu. You can add more than one approving party by selecting + Add Another Approver.
Allow users with specific groups/attributes: Selecting this option allows users with the specified groups and attributes to join the project.
Choose whether to build the policy off user groups or user attributes:
is a member of group: Type the group name and select the group.
possesses attribute: Type the attribute and select it. Then select the value from the dropdown menu.
Opt to + Add Another Condition. When adding another condition, choose how the conditions will be required. If you select or, only one of the conditions must apply to a user for them to subscribe to the project. If you select and, all of the conditions must apply.
Opt to allow users who do not meet the restrictions defined in the policy to still be able to discover the project by selecting the Allow Project Discovery checkbox.
Once saved, users with the proper authorizations will be automatically subscribed. Opt to require users to manually subscribe to the project by selecting the Require Manual Subscription checkbox.
Allow individually selected users: Selecting this option hides the project from the search results. Project owners must manually add and remove users, and the Private label will appear next to the project name.
Click Save to finish your policy.
In the project, click the Members tab.
Click the Add Members button.
Start typing a user's or group's name in the Add Members modal and select it from the dropdown that appears.
Opt to add an expiration to the subscription by entering the number of days until the access will expire.
Select the role.
Click Add.
Current project members will receive notifications that new users have been added to the project. A similar entry will be posted to the project's activity pane.