Approve to Promote
Approve to promote (ATP) helps platform owners ensure global policies are reviewed and approved before they are eligible for production environments. With ATP enabled, the Immuta application workflow guides policy authors to create, assess, and revise policies in development. When the policy author is ready for review, the approvers can inspect the policy and indicate their approval through the Immuta application. Once a policy has reached the configured number of approvals, the change becomes eligible for promotion. For instructions to enable this feature, see . To use the feature, see .
Approve to promote requires the following environment settings and Immuta CLI versions:
One Immuta tenant per policy-authoring environment and production environment. SaaS tenants should be hosted under separate domains.
Approve to promote is enabled only in the policy-authoring environment.
Immuta CLI 1.1.0+.
When approve to promote is enabled, any global policies that are created, edited, or staged will go through this process:
.
.
.
.
.
Users with the GOVERNANCE or CREATE_DATA_SOURCE permissions can create and edit global policies.
When ATP is enabled, policy changes take effect in the policy-authoring environment before the policy is approved. This behavior allows users to iterate on these policies in the authoring environment before others review them. When ready, the policy author uses the Immuta policy builder user interface to request a review from approvers, who can then approve the policy or request changes.
Once under review, the policy will display the approval history and progress.
Data governors and data owners can click a policy to see its status in the review process, approve it, or request changes to it.
After the policy author requests approval, the policy is in review. The review period ends when the approval threshold is met, a reviewer requests changes, or the policy is modified. ATP requires the configured minimum number of reviewers to approve a policy before it can be promoted.
For example, if the ATP approval threshold is configured to require approvals from three users and a policy review receives 3 approvals, then the review has ended and no other reviewers can request changes. However, if the same policy receives only two approvals, a third reviewer may end the review for rework by requesting changes.
Users with the following Immuta permissions can review and approve policies:
CREATE_DATA_SOURCE: Data owners can author and approve global policies that apply to data sources they own, but they cannot approve their own policies.
GOVERNANCE: Governors can author and approve global policies, but they cannot approve their own policies.
When these users request changes to a policy, they must provide an explanation for the revision. The request freezes the approval process until a data governor updates the policy. Users who previously approved the policy must re-approve the changes before the policy can be promoted.
When users approve a policy, they are prompted to provide an optional comment. After their approval, the policy status updates to show how many more approvals are required.
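The review rules above (the approval threshold, the rule that authors cannot approve their own policies, the way a change request freezes the process, and the loss of earlier approvals once the policy is edited or an approval is rescinded) are easier to reason about as a small state machine. The following Python model is an added illustration written for this page; it is not Immuta's implementation, and the status names, the event trail and the scenario data (policy keys, user names) are constructed here. The event names it records mirror the audit actions listed on this page.

```python
from dataclasses import dataclass, field


class ReviewError(Exception):
    """Raised when an action is not allowed in the review's current state."""


@dataclass
class PolicyReview:
    """Illustrative model of one global policy's approve-to-promote lifecycle (not Immuta code)."""
    policy_key: str                 # stable PolicyKey-style reference (constructed value)
    author: str
    required_approvals: int         # the "Required Number of Approvals" setting
    status: str = "draft"           # draft | in_review | approved | changes_requested | promoted
    approvals: dict = field(default_factory=dict)  # reviewer -> optional comment
    events: list = field(default_factory=list)     # (action, user, note) audit-style trail

    def __post_init__(self):
        self._record("Global policy created", self.author)

    def _record(self, action, user, note=""):
        self.events.append((action, user, note))

    def remaining(self):
        """Approvals still needed before the policy is eligible for promotion."""
        return max(self.required_approvals - len(self.approvals), 0)

    def start_review(self, user):
        """The author asks approvers for a review; every review starts with zero approvals."""
        if self.status in ("in_review", "promoted"):
            raise ReviewError(f"cannot start a review while {self.status}")
        self.approvals.clear()
        self.status = "in_review"
        self._record("Global policy review requested", user)

    def approve(self, reviewer, comment=""):
        """Record one approval; the review ends as soon as the threshold is met."""
        if self.status != "in_review":
            raise ReviewError("review is not open")
        if reviewer == self.author:
            raise ReviewError("authors cannot approve their own policies")
        self.approvals[reviewer] = comment
        self._record("Global policy approved", reviewer, comment)
        if self.remaining() == 0:
            self.status = "approved"   # eligible for promotion; no further change requests
        return self.remaining()

    def request_changes(self, reviewer, explanation):
        """A reviewer sends the policy back; an explanation is mandatory."""
        if self.status != "in_review":
            raise ReviewError("review is not open")   # e.g. the threshold was already met
        if not explanation:
            raise ReviewError("an explanation for the revision is required")
        self.status = "changes_requested"   # approval process frozen until the policy is edited
        self._record("Global policy change requested", reviewer, explanation)

    def rescind(self, reviewer, comment=""):
        """Withdraw an approval given during the open review (assumed only possible while in review)."""
        if self.status != "in_review" or reviewer not in self.approvals:
            raise ReviewError("no open approval by this reviewer to rescind")
        del self.approvals[reviewer]
        self._record("Global policy approval rescinded", reviewer, comment)

    def edit(self, governor):
        """Modifying the policy ends the current review; earlier approvals no longer count."""
        self.approvals.clear()
        self.status = "draft"

    def promote(self, governor):
        """Promotion is only possible once the configured number of approvals has been reached."""
        if self.status != "approved":
            raise ReviewError(f"policy still needs {self.remaining()} approval(s)")
        self.status = "promoted"
        self._record("Global policy promoted", governor)


def walkthrough():
    """Replay the two scenarios from the text with a threshold of three approvals."""
    # Scenario 1: three approvals end the review, so a later change request is rejected.
    p = PolicyReview("mask-pii", author="alice", required_approvals=3)
    p.start_review("alice")
    p.approve("bob")
    p.approve("carol", "looks good")
    assert p.remaining() == 1
    p.approve("dave")
    try:
        p.request_changes("erin", "too broad")
        late_request_blocked = False
    except ReviewError:
        late_request_blocked = True
    p.promote("alice")

    # Scenario 2: two approvals, then a third reviewer sends it back for rework.
    q = PolicyReview("mask-pii-v2", author="alice", required_approvals=3)
    q.start_review("alice")
    q.approve("bob")
    q.approve("carol")
    q.request_changes("dave", "mask the identifiers by making them null")
    q.edit("alice")            # any edit discards the earlier approvals
    q.start_review("alice")
    q.approve("bob")           # bob has to approve again; carol's earlier approval is gone
    return {
        "first_status": p.status,
        "late_request_blocked": late_request_blocked,
        "second_status": q.status,
        "second_remaining": q.remaining(),
        "first_events": [action for action, _, _ in p.events],
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The model deliberately refuses a change request once the threshold is met and clears every approval on edit, which is the behaviour a reviewer should expect when deciding whether a policy sitting in production was actually re-reviewed after its last modification.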
Immuta does not prevent governors from directly editing policies in production environments, so administrators should ensure that the GOVERNANCE permission is granted to a limited number of users in production environments to prevent policy changes that circumvent the approval process.
In the policy-authoring environment, no audit records are emitted by Immuta for approvals. However, when policies are promoted, audit records will be emitted for the following actions:
Global policy created
Global policy review requested
Global policy change requested
Global policy approval rescinded
Global policy approved
Global policy promoted
The policy references (PolicyKey) are stable across environments, as long as they are not modified manually after cloning the policies for promotion.
Immuta does not prevent users with the GOVERNANCE permission from editing policies directly in production without going through the approval workflow, so administrators should grant that permission to a limited number of users in the production environment.
Approval chains are not supported, so they must be coordinated outside Immuta.
Click the App Settings icon in the left sidebar.
Select Advanced Settings at the bottom of the left panel to expand the list.
Click Preview Features.
Scroll to the Approve To Promote section and click the Enable Approve to Promote checkbox. Note: Set the number of users required to approve the global policy in the Required Number of Approvals field. The example below requires 2 users, but adjust this number to meet your needs.
Click Save and Confirm to update the settings.
Disabling approve to promote
If approve to promote is disabled while policies are still In Review:
Policies that have never been promoted remain the same; the labels and the In Review section of the policy simply disappear.
Previously promoted policies revert to what was promoted; any changes that were not promoted are lost.
Production tenant cannot have approve to promote enabled
The production tenant of Immuta cannot have the approve to promote feature enabled on the App Settings page. This configuration should only be applied to the development tenant.
Before you can add promoted policies to the production environment, you need to configure the production environment as an additional profile in the Immuta CLI.
Run immuta configure -p dev. Note: dev is the profile name of the development tenant in this example. You can use a different name.
Enter the URL and your API Key for your development Immuta tenant in the interactive prompt.
Run immuta configure -p prod. Note: prod is the profile name of the production tenant in this example. You can use a different name.
Enter the URL and your API Key for your production Immuta tenant in the interactive prompt.
Below is the configuration file that will be saved at ~/.immutacfg.yaml:
Create a Global Data Policy in the development tenant.
Request a review from approvers by clicking Start Approval Process in the Immuta policy builder.
Once under review, the policy will be marked as In Review and will display the approval history and progress.
After reviews are requested, other data governors and users who own affected data sources will be notified that a global policy is ready for their review.
Navigate to the policy on the Policies page.
Opt to approve the policy or request changes. Both options are described below.
Click the policy to expand the In Review window and click the dropdown button to expand the list of options.
Click Approve, and opt to provide a comment in the modal that appears.
Click Send Approval to confirm.
Navigate to global policy and select Edit from the dropdown menu.
Update the policy to reflect the changes requested. In this example, the data governor updates the policy to mask personal identifiers by making them null.
When ready, click Start Approval Process in the Immuta policy builder.
Users will receive another notification that their review is required.
To promote the policy, run the following command, which clones the policy and saves it in a policy folder in the path you specify. Note: If you run this command more than once, change the names of (or delete) the files that were already cloned to avoid an error; this process preserves the cloning history.
Once a policy is promoted, the Immuta UI displays the Promoted status.
The policy will be applied to data sources in the production environment.
Users can also rescind their approval of a policy.
Click the policy to expand the In Review window.
Click Undo Your Approval and opt to provide a comment in the modal that appears.
Click Rescind to confirm.
After a policy has been approved, governors through the Immuta CLI. The policy must then be cloned and saved to the production environment via the Immuta CLI. Once this has been completed, policies are marked as promoted in the UI.
.
Once the configured number of users (set on the App Settings page) approves the policy, the policy moves out of review and .
If changes are requested, a data governor must to apply the changes. Once these changes are made, the policy will need to be reviewed again by the specified number of users. Users will receive another notification that their review is required.
To add the global policy to the production environment, save the policy through the Immuta CLI, specifying the name of the profile you created for the production environment, the file path, and the policy name.