User Impersonation
Impersonation allows users to query data as another Immuta user.
User impersonation is supported with
Select Enable Impersonation when configuring the Redshift integration on the .
After enabling user impersonation with your Amazon Redshift integration, there are two ways to give a user permission to use the feature: in the Immuta UI or in Amazon Redshift. Use the tabs below to select one method.
As an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Add Permissions.
Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.
To impersonate another user in Redshift,
Run the following in Redshift: CALL immuta_procedures.impersonate_user(<Immuta username of the user to impersonate>).
Run queries.
To end user impersonation in Redshift, run CALL immuta_procedures.impersonate_user(<NULL>).
There are two ways to revoke permission to impersonate users: in the Immuta UI or in Amazon Redshift. Use the tabs below to select one method.
As an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Remove for the IMPERSONATE_USER permission.
User impersonation is specific to the script and session in which it was set. Using a new script or running a subset of script queries without setting the context will result in the queries being run as the regular user.
After enabling user impersonation with your Azure Synapse Analytics integration, there are two ways to give a user permission to use the feature: in the Immuta UI or in Azure Synapse Analytics. Use the tabs below to select one method.
As an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Add Permissions.
Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.
To impersonate another user in Synapse,
Run the following command:
Run queries.
To end user impersonation in Synapse, run EXEC sys.sp_set_session_context @key = N'NULL', @value = '<NULL>'.
There are two ways to revoke permission to impersonate users: in the Immuta UI or in Azure Synapse Analytics. Use the tabs below to select one method.
As an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Remove for the IMPERSONATE_USER permission.
User impersonation is specific to the script and session in which it was set. Opening a new script will revert the user back to themselves.
Databricks user impersonation allows a Databricks user to impersonate an Immuta user. With this feature,
the Immuta user who is being impersonated does not have to have a Databricks account, but they must have an Immuta account.
the Databricks user who is impersonating an Immuta user does not have to be associated with Immuta. For example, this could be a service account.
When acting under impersonation, the Databricks user loses their privileged access, so they can only access the tables the Immuta user has access to and only perform DDL commands when that user is acting under an allowed circumstance (such as workspaces, scratch paths, or non-Immuta reads/writes).
Once the cluster is configured with a list of Databricks users who are allowed to impersonate Immuta users, run the following SQL command to set the user you want to impersonate:
Run queries as the impersonated Immuta user:
Once impersonation is active, any query issued in the session will have the appropriate data and subscription policies applied for the impersonated user.
Audited queries include an impersonationUser field, which identifies the Databricks user impersonating the Immuta user:
To end user impersonation for the session, run
The only way to enable this feature is through cluster configuration. The IMPERSONATE_USER permission in Immuta will not allow a user to perform impersonation in Databricks.
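The following is an added example, not taken from Immuta's documentation, of reviewing Databricks audit records for the impersonationUser field and comparing each impersonating user with the cluster's allow-list. Only the impersonationUser field and the IMMUTA_SPARK_DATABRICKS_ALLOWED_IMPERSONATION_USERS variable name come from this page; the record layout, the other field names and all sample values are constructed assumptions.

```python
import json

# Constructed value for IMMUTA_SPARK_DATABRICKS_ALLOWED_IMPERSONATION_USERS.
ALLOWED_ENV = "svc-etl@example.com, analyst1@example.com"

# Constructed audit records, one JSON object per line. Only impersonationUser
# is named on the page; the layout and the other field names are assumptions.
SAMPLE_AUDIT = """\
{"id": "a1", "user": "alice@example.com", "impersonationUser": "svc-etl@example.com", "query": "SELECT * FROM sales"}
{"id": "a2", "user": "bob@example.com", "query": "SELECT 1"}
{"id": "a3", "user": "carol@example.com", "extra": {"impersonationUser": "intern@example.com"}, "query": "SELECT * FROM hr"}
{"id": "a4", "user": "alice@example.com", "impersonationUser": "analyst1@example.com ", "query": "SELECT * FROM sales"}
"""

def parse_allowed(value):
    """Split the comma-separated list, dropping blanks and surrounding spaces."""
    return {u.strip() for u in value.split(",") if u.strip()}

def find_impersonator(node):
    """Return the first impersonationUser value found at any nesting depth."""
    if isinstance(node, dict):
        if node.get("impersonationUser"):
            return str(node["impersonationUser"]).strip()
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_impersonator(child)
            if found:
                return found
    return None

def review(audit_lines, allowed_env):
    """Return (impersonated queries, queries whose impersonator is not allow-listed)."""
    allowed = parse_allowed(allowed_env)
    impersonated, violations = [], []
    for line in filter(str.strip, audit_lines.splitlines()):
        rec = json.loads(line)
        actor = find_impersonator(rec)
        if not actor:
            continue  # query was not run under impersonation
        entry = (rec.get("id"), actor, rec.get("user"))
        impersonated.append(entry)
        if actor not in allowed:  # exact match after trimming
            violations.append(entry)
    return impersonated, violations

if __name__ == "__main__":
    print(review(SAMPLE_AUDIT, ALLOWED_ENV)[1])
```

A record flagged here means the audit trail and the cluster configuration disagree, for example because the allow-list was changed after the query ran or the record came from a different cluster.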
To grant the user IMPERSONATE_USER permission, as an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Add Permissions.
Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.
The Starburst (Trino) integration supports the native Starburst or Trino impersonation approaches:
To view the user you are impersonating, run SHOW SESSION like 'immuta.immuta_user'.
To end user impersonation, run RESET SESSION immuta.immuta_user.
To revoke permission to impersonate users, as an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Remove for the IMPERSONATE_USER permission.
The user's permissions to impersonate users are not checked until the query is run. If the user does not have the IMPERSONATE_USER permission in Immuta, they will be able to run the command to impersonate a role, but will not be able to query as that role.
After enabling user impersonation with your Snowflake integration, there are two ways to give a user permission to use the feature: in the Immuta UI or in Snowflake. Use the tabs below to select one method.
As an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Add Permissions.
Click the Select Permission dropdown, and select the IMPERSONATE_USER permission.
To impersonate another user in Snowflake,
Open a New Worksheet and set your role to the impersonation role specific to your organization.
Run SET immuta_user = '<<Immuta username of the user to impersonate>>'.
Run queries within that worksheet.
There are two ways to revoke permission to impersonate users: in the Immuta UI or in Snowflake. Use the tabs below to select one method.
As an Immuta user with the permission USER_ADMIN,
Click Identities in the navigation menu and select Users.
Select the user you want to edit and select the Settings tab.
Click Remove for the IMPERSONATE_USER permission.
Impersonation is specific to the workspace and session in which it was set. Opening a new worksheet will revert the user back to themselves.
Snowflake auditing will show the user running the queries as the user logged in to Snowflake, not as the user they are impersonating.
Select Enable Impersonation when configuring the Synapse Analytics integration on the .
In the , add a comma-separated list of Databricks users who are allowed to impersonate Immuta users for the IMMUTA_SPARK_DATABRICKS_ALLOWED_IMPERSONATION_USERS Spark environment variable.
This command generates an API token for the specified user that queries Immuta for metadata pertinent to that user. When generating the token, the impersonated username is matched with the corresponding IAM user. The IAM used by default is the built-in IAM in Immuta, but can be set using the .
User impersonation is automatically enabled with your Starburst (Trino) integration, but the authenticated user must be given the IMPERSONATE_USER permission in Immuta or match the Starburst (Trino) .
JDBC method: In your JDBC connection driver properties, set the sessionUser property to the Immuta user you want to impersonate. See the for details.
Trino CLI method: Set the --session-user property to specify the session user as the Immuta user you want to impersonate when invoking the . See the for details.
Select Enable Impersonation when configuring the Snowflake integration on the .