# App Settings

## Use Existing Identity Access Manager

See the [Identity managers documentation](https://documentation.immuta.com/saas/people/section-contents#how-to-guides) for how-to guides for your IAM protocol.

## Set Default Permissions

To set the default permissions granted to users when they log in to Immuta, click the **Default Permissions** dropdown menu, and then select permissions from this list.

## Link External Catalogs

See the [External Catalogs page](https://documentation.immuta.com/saas/configuration/tags/catalogs/configure).

## Add a Project Workspace

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Select **Add Workspace**.
3. Use the dropdown menu to select the **Databricks** **Workspace Type.**
   * Before creating a workspace, the cluster must send its configuration to Immuta; to do this, run a simple query on the cluster (i.e., `show tables`). Otherwise, an error message will occur when users attempt to create a workspace.
   * The **Databricks API Token** used for project workspace access must be **non-expiring**. Using a token that expires risks losing access to projects that are created using that configuration.
4. Use the dropdown menu to select the **Schema** and refer to the corresponding tab below.

{% tabs %}
{% tab title="abfss" %}

1. Enter the **Name**.
2. Click **Add Workspace**.
3. Enter the **Hostname**, **Workspace ID**, **Account Name**, **Databricks API Token**, and **Storage Container**.
4. Enter the **Workspace Base Directory**.
5. Click **Test Workspace Directory**.
6. Once the credentials are successfully tested, click **Save**.
   {% endtab %}

{% tab title="gs" %}

1. Enter the **Name**.
2. Click **Add Workspace**.
3. Enter the **Hostname**, **Workspace ID**, **Account Name**, and **Databricks API Token**.
4. Use the dropdown menu to select the **Google Cloud Region**.
5. Enter the **GCS Bucket**.
6. Opt to enter the **GCS Object Prefix**.
7. Click **Test Workspace Directory**.
8. Once the credentials are successfully tested, click **Save**.
   {% endtab %}
   {% endtabs %}

{% hint style="info" %}
**Databricks API Token Expiration**

The **Databricks API Token** used for project workspace access must be **non-expiring**. Using a token that expires risks losing access to projects that are created using that configuration.
{% endhint %}

## Add An Integration

### Integration settings

Follow the [Configure a Databricks Spark integration guide](https://documentation.immuta.com/saas/configuration/integrations/databricks/databricks-spark/how-to-guides/simplified) to set up the integration.

### Global Integration Settings

#### Snowflake Audit Sync Schedule

**Requirements**: See the requirements for Snowflake audit on the [Snowflake query audit logs page](https://documentation.immuta.com/saas/govern/detect-your-data/audit/reference-guides/query-audit-logs/snowflake#requirements).

To configure the [audit ingest frequency for Snowflake](https://documentation.immuta.com/saas/govern/detect-your-data/audit/reference-guides/query-audit-logs/snowflake#audit-frequency),

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to the **Global Integration Settings** section and within that the **Snowflake Audit Sync Schedule**.
3. Enter an integer into the textbox. If you enter 12, the audit sync will happen once every 12 hours, so twice a day.

#### Databricks Unity Catalog Configuration

**Audit**

**Requirements**: See the requirements for Databricks Unity Catalog audit on the [Databricks Unity Catalog query audit logs page](https://documentation.immuta.com/saas/govern/detect-your-data/audit/reference-guides/query-audit-logs/databricks-uc#requirements).

To configure the [audit ingest frequency for Databricks Unity Catalog](https://documentation.immuta.com/saas/govern/detect-your-data/audit/reference-guides/query-audit-logs/databricks-uc#audit-frequency),

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to the **Global Integration Settings** section and within that the **Databricks Unity Catalog Configuration**.
3. Enter an integer into the textbox. If you enter 12, the audit sync will happen once every 12 hours, so twice a day.

**Additional privileges required for access**

By default, Immuta will revoke Immuta users' `USE CATALOG` and `USE SCHEMA` privileges in Unity Catalog for users that do not have access to any of the resources within that catalog/schema. This includes any `USE CATALOG` or `USE SCHEMA` privileges that were granted outside of Immuta.

To disable this setting,

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to **Global Integration Settings** > **Databricks Unity Catalog Configuration**.
3. Click the **Revoke additional privileges required for access** checkbox to disable the setting.
4. Click **Save**.

See the [Databricks Unity Catalog reference guide](https://documentation.immuta.com/saas/integrations/databricks/databricks-unity-catalog/unity-catalog-overview#user-permissions-immuta-revokes) for details about this setting.

## Initialize Kerberos

To configure Immuta to protect data in a kerberized Hadoop cluster,

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Upload your **Kerberos Configuration File**, and then you can modify the Kerberos configuration in the edit window.

   <figure><img src="https://1751699907-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlWBda5Pt4s8apEhzXGl7%2Fuploads%2Fgit-blob-78b26f678d8fda533ea676faf6570bd9cf5f19fb%2Fkdc-config.png?alt=media" alt=""><figcaption></figcaption></figure>
3. Upload your **Keytab File**.
4. Enter the principal Immuta will use to authenticate with your KDC in the **Username** field. *Note: This must match a principal in the Keytab file.*
5. Adjust how often (in milliseconds) Immuta needs to re-authenticate with the KDC in the **Ticket Refresh Interval** field.
6. Click **Test Kerberos Initialization**.

## Generate System API Key

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Click the **Generate Key** button.
3. Save this API key in a secure location.

## Audit Settings

### Enable Exclude Query Text

By default, query text is included in query audit events from Snowflake, Databricks, and Starburst (Trino).

When query text is excluded from audit events, Immuta will retain query event metadata such as the columns and tables accessed. However, the query text used to make the query will not be included in the event. This setting is a global control for all configured integrations.

To exclude query text from audit events,

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Scroll to the **Audit** section.
3. Check the box to **Exclude query text from audit events**.
4. Click **Save**.

## Configure Governor and Admin Settings

These options allow you to restrict the power individual users with the GOVERNANCE and USER\_ADMIN permissions have in Immuta. Click the **checkboxes** to enable or disable these options.

## Create Custom Permissions

You can create custom permissions that can then be assigned to users and leveraged when building subscription policies. *Note: You cannot configure actions users can take within the console when creating a custom permission, nor can the actions associated with existing permissions in Immuta be altered.*

To add a custom permission, click the **Add Permission** button, and then name the permission in the **Enter Permission** field.

## Create Custom Data Source Access Requests

To create a custom questionnaire that all users must complete when requesting access to a data source, fill in the following fields:

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Opt for the questionnaire to be required.
3. **Key**: Any unique value that identifies the question.
4. **Header**: The text that will display on reports.
5. **Label**: The text that will display in the questionnaire for the user. They will be prompted to type the answer in a text box.

## Create Custom Login Message

To create a custom message for the login page of Immuta,

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Enter text in the **Enter Login Message** box. *Note: The message can be formatted in markdown.*
3. Opt to adjust the **Message Text Color** and **Message Background Color** by clicking in these dropdown boxes.

## Prevent Automatic Table Statistics

{% hint style="warning" %}
**Without fingerprints, some policies will be unavailable**

These policies will be unavailable until a data owner manually generates a fingerprint for a Snowflake data source:

* Masking with format preserving masking
* Masking using randomized response
  {% endhint %}

To disable the automatic collection of statistics with a particular tag,

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Use the **Select Tags** dropdown to select the tag(s).
3. Click **Save**.

### Randomized response

{% hint style="info" %}
**Support limitation**: This policy is only supported in Snowflake integrations.
{% endhint %}

When a randomized response policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process. To enforce the policy, Immuta generates and stores predicates and a list of allowed replacement values that may contain data that is subject to regulatory constraints (such as GDPR or HIPAA) in Immuta's metadata database.

The location of the metadata database depends on your deployment:

* Self-managed Immuta deployment: The metadata database is located in the server where you have your external metadata database deployed.
* SaaS Immuta deployment: The metadata database is located in the AWS global segment you have chosen to deploy Immuta.

To ensure this process does not violate your organization's data localization regulations, you need to first activate this masking policy type before you can use it in your Immuta tenant.

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to the **Other Settings** section and scroll to the **Randomized Response** feature.
3. Select the **Allow users to create masking policies using Randomized Response** checkbox to enable use of these policies for your organization.
4. Click **Save** and confirm your changes.

## Advanced Settings

### Preview Features

If you enable any Preview features, provide feedback on how you would like these features to evolve.

#### Complex Data Types

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to the **Advanced Settings** section, and scroll to the **Preview Features**.
3. Check the **Allow Complex Data Types** checkbox.
4. Click **Save**.