Amazon Redshift Viewless Integration Reference Guide

Public preview: This feature is available to select accounts. Contact your Immuta representative to enable this feature.

The Amazon Redshift viewless integration allows you to configure your integration and register data from Amazon Redshift in Immuta in a single step. Once data is registered, Immuta can enforce subscription policies on that data.

What does Immuta do in my environment?

Registering a connection

The Amazon Redshift viewless integration is configured and data is registered through connections, an Immuta feature that allows you to register your data objects through a single connection to make data registration more scalable for your organization. Instead of registering schema and databases individually, you can register them all at once and allow Immuta to monitor your data platform for changes so that data sources are added and removed automatically to reflect the state of data in your data platform.

When the connection is registered, Immuta ingests and stores connection metadata in the Immuta metadata database. In the example below, the Immuta application administrator connects the database that contains the marketing-data, research-data, and cs-data tables. Immuta registers these tables as data sources and stores the table metadata in the Immuta metadata database.

Immuta presents a hierarchical view of your data that reflects the hierarchy of objects in Amazon Redshift after registration is complete:

  • Host

  • Database

  • Schema

  • Table or view

Beyond making the registration of your data more intuitive, connections provide more control. Instead of performing operations on individual schemas or tables, you can perform operations (such as object sync) at the connection level.

See the Connections reference guide for details about connections and how to manage them. To configure your Amazon Redshift viewless integration and register data, see the Register an Amazon Redshift connection guide.

Applying policies

Immuta enforces read and write subscription policies on Amazon Redshift tables by issuing SQL statements in Amazon Redshift that grant and revoke access to tables according to the policy.

When a user is subscribed to a data object registered in Immuta,

  1. Immuta creates a role for that user in Amazon Redshift, if one doesn't already exist.

  2. Amazon Redshift stores that role in its internal system catalog.

  3. Immuta issues grants to that user's role in Amazon Redshift to enforce policy. The Protecting data page provides an example of this policy enforcement.

  4. Users query data in Amazon Redshift through the immuta_<username> role, which carries the privileges Immuta granted to that role.

Amazon Redshift privileges granted by Immuta

See the Subscription policy access types page for details about the Amazon Redshift privileges granted to users when they are subscribed to a data source protected by a subscription policy.

Required Amazon Redshift privileges

The privileges that the Amazon Redshift viewless integration requires follow the principle of least privilege. The table below lists each required privilege, the user that requires it, and why it is needed.

Amazon Redshift privilege: Database superuser or the following privileges:
  • CREATEDB
  • CREATE USER
  • sys:secadmin role
  • USAGE on all databases and schemas that contain data you want to register
  • The following privileges WITH GRANT OPTION on objects registered in Immuta: DELETE, INSERT, SELECT, TRUNCATE, UPDATE
User requiring the privilege: Setup user
Explanation: These privileges allow the user registering the connection to
  • assign the required roles and privileges to the Immuta system account so that it can register the connection and manage the integration.
  • create an Immuta database that Immuta will use to connect to the Amazon Redshift instance and maintain state with the registered databases.

Amazon Redshift privilege: USAGE on all the databases and schemas that will be registered
User requiring the privilege: Immuta system account
Explanation: This privilege allows Immuta to crawl the database and discover database objects so it can register the Amazon Redshift data objects.

Amazon Redshift privilege: CREATE ROLE
User requiring the privilege: Immuta system account
Explanation: This privilege is required so that Immuta can create Redshift roles to enforce access controls.

Amazon Redshift privilege: Database superuser or the sys:secadmin role
User requiring the privilege: Immuta system account
Explanation: This role allows Immuta to apply masking and row-level policies to Redshift securables, which will be available in a subsequent release.

Amazon Redshift privilege: The following privileges WITH GRANT OPTION on objects registered in Immuta: DELETE, INSERT, SELECT, TRUNCATE, UPDATE
User requiring the privilege: Immuta system account
Explanation: These privileges allow Immuta to apply read and write subscription policies on tables registered in Immuta.
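As an added illustration (not Immuta's own setup script), the statements below show how a setup user could provision an Immuta system account with the privileges from the table above for two schemas, and then verify what the account actually holds. The user, role, and schema names (immuta_system, immuta_admin, marketing, research) and the password placeholder are constructed for this example. Two Redshift-specific points are assumed here: system-defined privileges such as CREATE ROLE are granted to a role rather than directly to a user, and WITH GRANT OPTION is attached to a user grant, which is why the object privileges go to the user directly.

```sql
-- Run as the setup user (a superuser, or an account holding CREATEDB, CREATE USER,
-- sys:secadmin, USAGE on the schemas and the grantable object privileges).
-- All names below are constructed for this example.

-- 1. The system account Immuta authenticates as (username and password auth).
CREATE USER immuta_system PASSWORD '<replace-with-strong-password>';

-- 2. CREATE ROLE is a system-defined privilege; Redshift grants those to a role,
--    so a small carrier role is created and granted to the system account.
CREATE ROLE immuta_admin;
GRANT CREATE ROLE TO ROLE immuta_admin;
GRANT ROLE immuta_admin TO immuta_system;

-- 3. sys:secadmin, listed in the table for masking and row-level policies.
GRANT ROLE sys:secadmin TO immuta_system;

-- 4. USAGE on every schema whose tables Immuta will crawl and register.
GRANT USAGE ON SCHEMA marketing, research TO immuta_system;

-- 5. Object privileges WITH GRANT OPTION, so the system account can re-grant
--    them to the per-user roles it manages. Scoped to the registered schemas only.
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE
  ON ALL TABLES IN SCHEMA marketing, research
  TO immuta_system WITH GRANT OPTION;

-- 6. Verification: the system account is not a superuser, and its grantable
--    privileges are limited to the registered schemas (review each row).
SELECT usename, usesuper
FROM pg_user
WHERE usename = 'immuta_system';

SELECT namespace_name, relation_name, privilege_type, admin_option
FROM svv_relation_privileges
WHERE identity_name = 'immuta_system'
ORDER BY namespace_name, relation_name, privilege_type;
```

Step 5 covers tables that exist at setup time; tables created later in those schemas need the same grant before Immuta can enforce policy on them, so the verification query in step 6 is worth re-running after schema changes.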

Maintaining state with Amazon Redshift

The following user actions initiate processes that keep Immuta data synchronous with data in Amazon Redshift:

  • Data source created or updated: Immuta registers data source metadata and stores that metadata in the Immuta metadata database.

  • Data source deleted: Immuta deletes the data source metadata from the metadata database.

  • User account is mapped to Immuta: When a user account is mapped to Immuta, their metadata is stored in the metadata database.

  • User subscribed to a data source: When a user is added to a data source by a data owner or through a subscription policy, Immuta creates a role for that user (if a role for them does not already exist) and grants Amazon Redshift privileges to that role.

  • Automatic subscription policy applied to or updated on a data source: Immuta calculates the users and data sources affected by the policy change and grants or revokes users' privileges on the data. See the Protecting data page for details about this process.

  • Subscription policy deleted: Immuta revokes privileges from the affected roles.

  • User removed from a data source: Immuta revokes privileges from the user's role.
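To make the lifecycle in the Applying policies section and the event list above concrete, here is an added example of the kind of SQL a role-based enforcement of this shape produces for one user; these are illustrative statements, not Immuta's exact ones. The user name (alice), the role name immuta_alice (following the immuta_<username> pattern the page describes), and the tables marketing.marketing_data and research.research_data are constructed for this example, and the statements are assumed to run as the Immuta system account that holds the object privileges WITH GRANT OPTION.

```sql
-- Runs as the Immuta system account. Names are constructed for this example.

-- Event: alice is subscribed to marketing.marketing_data under a read policy.
-- The per-user role is created once and granted to the Redshift user.
CREATE ROLE immuta_alice;
GRANT ROLE immuta_alice TO alice;
GRANT SELECT ON TABLE marketing.marketing_data TO ROLE immuta_alice;

-- Event: alice is also subscribed to research.research_data under a write policy.
-- The role already exists, so only the object grants are issued.
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE
  ON TABLE research.research_data TO ROLE immuta_alice;

-- Event: the write policy is deleted, or alice is removed from that data source.
-- Privileges are revoked from the role; the role itself stays for future grants.
REVOKE SELECT, INSERT, UPDATE, DELETE, TRUNCATE
  ON TABLE research.research_data FROM ROLE immuta_alice;

-- Check: what every Immuta-managed role currently grants, by Redshift user.
-- Compare this against the subscriptions Immuta reports to spot drift
-- (for example, a grant added outside Immuta). The underscore in the LIKE
-- pattern is a single-character wildcard, which is harmless for this prefix.
SELECT u.user_name, u.role_name, p.namespace_name, p.relation_name, p.privilege_type
FROM svv_user_grants AS u
JOIN svv_relation_privileges AS p
  ON p.identity_name = u.role_name AND p.identity_type = 'role'
WHERE u.role_name LIKE 'immuta_%'
ORDER BY u.user_name, p.namespace_name, p.relation_name, p.privilege_type;
```

After the REVOKE, the check query should list only the SELECT on marketing.marketing_data for alice; any other row for an immuta_ role is a grant that Immuta did not issue or has not yet reconciled.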

Supported object types

While you can author and apply subscription and data policies on data sources registered through the Amazon Redshift connection, only subscription policies will be enforced natively in Amazon Redshift.

Object type
Subscription policy support
Data policy support
Marketplace support

Tables

Views

Datashares

Supported policies

The Amazon Redshift viewless integration allows users to author subscription policies to enforce access controls. Data policies will not be enforced natively in Amazon Redshift.

See the applying policies section for details about policy enforcement.

Security and compliance

Authentication method

The Amazon Redshift viewless integration supports username and password authentication to register a connection. The credentials provided must be for an account with the permissions listed in the Register an Amazon Redshift connection guide.

User registration and ID mapping

The built-in Immuta IAM can be used as a complete solution for authentication and user entitlement. However, you can connect your existing identity management provider to Immuta to use that system for authentication and user entitlement instead. Each of the supported IAM protocols includes a set of configuration options that enable Immuta to communicate with the IAM system and map the users, permissions, groups, and attributes into Immuta.

For policies to impact the right users, the user account in Immuta must be mapped to the user account in Amazon Redshift. You can ensure these accounts are mapped correctly in the following ways:

  • Automatically: If usernames in Amazon Redshift align with usernames in the external IAM and those accounts align with an IAM attribute, you can enter that IAM attribute on the app settings page to automatically map user IDs in Immuta to Amazon Redshift.

  • Manually: You can manually map user IDs for individual users.

For guidance on connecting your IAM to Immuta, see the how-to guide for your protocol.

Limitations and known issues

The following Immuta features are unsupported:

  • Amazon Redshift Spectrum: See the AWS Lake Formation reference guide for details about registering Amazon Redshift Spectrum data sources in Immuta. However, if you are using data policies on your Redshift Spectrum data sources, you cannot use the AWS Lake Formation integration. Instead, use the Amazon Redshift view-based integration.

  • Automatic data policy enforcement in Amazon Redshift

  • Impersonation

  • Query audit

  • Tag ingestion
