Book a demo

Amazon Redshift Viewless Integration Reference Guide

Immuta policies will not be automatically enforced in Amazon Redshift

While you can author and apply subscription and data policies on data sources registered using the Amazon Redshift viewless integration, these policies will not be enforced natively in Amazon Redshift. You can use Immuta webhooks to be notified about changes to user access and make appropriate access updates in Amazon Redshift using your own process.

Contact your Immuta representative to use this feature.

The Amazon Redshift viewless integration allows you to configure your integration and register data from Amazon Redshift in Immuta in a single step.

What does Immuta do in my environment?

Registering a connection

The Amazon Redshift viewless integration is configured and data is registered through connections, an Immuta feature that allows you to register your data objects through a single connection to make data registration more scalable for your organization. Instead of registering schema and databases individually, you can register them all at once and allow Immuta to monitor your data platform for changes so that data sources are added and removed automatically to reflect the state of data in your data platform.

When the connection is registered, Immuta ingests and stores connection metadata in the Immuta metadata database. In the example below, the Immuta application administrator connects the database that contains marketing-data , research-data , and cs-data tables. Immuta these tables as data sources and stores the table metadata in the Immuta metadata database.

Immuta presents a hierarchical view of your data that reflects the hierarchy of objects in Amazon Redshift after registration is complete:

  • Host

  • Database

  • Schema

  • Table or view

Beyond making the registration of your data more intuitive, connections provides more control. Instead of performing operations on individual schemas or tables, you can perform operations (such as object sync) at the connection level.

See the Connections reference guide for details about connections and how to manage them. To configure your Amazon Redshift viewless integration and register data, see the Register an Amazon Redshift connection guide.

Amazon Redshift privileges

The privileges that the Amazon Redshift viewless integration requires align to the least privilege security principle. The table below describes each privilege required by the and the user.

Amazon Redshift privilege
User requiring the privilege
Explanation

Database superuser or the following privileges:

  • CREATEDB

  • CREATE USER

  • CREATE ROLE

  • sys:secadmin role

  • USAGE on all databases and schemas that contain data you want to register

  • The following privileges WITH GRANT OPTION on objects registered in Immuta:

    • DELETE

    • INSERT

    • SELECT

    • TRUNCATE

    • UPDATE

Setup user

These privileges allow the user registering the connection to

  • assign the required roles and privileges to the Immuta system account so that it can register the connection and manage the integration.

  • create an Immuta database that Immuta will use to connect to the Amazon Redshift instance and maintain state with the registered databases.

USAGE on all the databases and schemas that will be registered

Immuta system account

This privilege allows Immuta to crawl the database and discover database objects so it can register the Amazon Redshift data objects.

CREATE GROUP

Immuta system account

This privilege is required so that Immuta can create Redshift groups and manage group membership to enforce access controls, which will be available in a subsequent release.

Database superuser or have the sys:secadmin role

Immuta system account

This role allows Immuta to apply masking and row-level policies to Redshift securables, which will be available in a subsequent release.

The following privileges WITH GRANT OPTION on objects registered in Immuta:

  • DELETE

  • INSERT

  • SELECT

  • TRUNCATE

  • UPDATE

Immuta system account

These privileges allow Immuta to apply read and write subscription policies on tables registered in Immuta, which will be available in a subsequent release.

Maintaining state with Amazon Redshift

The following user actions initiate processes that keep Immuta data synchronous with data in Amazon Redshift:

  • Data source created or updated: Immuta registers data source metadata and stores that metadata in the Immuta metadata database.

  • Data source deleted: Immuta deletes the data source metadata from the metadata database.

Supported object types

While you can author and apply subscription and data policies on data sources registered through the Amazon Redshift connection, these policies will not be enforced natively in Amazon Redshift.

Object type
Subscription policy support
Data policy support
Marketplace support

Tables

Views

Datashares

Security and compliance

Authentication method

The Amazon Redshift viewless integration supports username and password authentication to register a connection. The credentials provided must be for an account with the permissions listed in the Register an Amazon Redshift connection guide.

Limitations and known issues

The following Immuta features are unsupported:

  • Amazon Redshift Spectrum: See the AWS Lake Formation reference guide for details about registering Amazon Redshift Spectrum data sources in Immuta. However, if you are using data policies on your Redshift Spectrum data sources, you cannot use the AWS Lake Formation integration. Instead, use the Amazon Redshift view-based integration.

  • Automatic subscription and data policy enforcement in Amazon Redshift

  • Impersonation

  • Query audit

PreviousRegister an Amazon Redshift ConnectionNextAmazon Redshift View-Based Integration

Last updated

Was this helpful?