# Manage User Metadata How-to Guide

* **1 -** **Manage user metadata how-to guide** (this guide)
* **2 -** [**Manage data metadata how-to guide**](../managing-data-metadata/manage-data-metadata-how-to-guide)
* **3 -** [**Author policy how-to guide**](../author-policy/author-policy-how-to-guide)

Before authoring global subscription policies to automate access controls, user metadata must exist in Immuta so that it can be used in the policy to identify the users that should be granted or revoked access to data.

This how-to guide demonstrates how to manually add groups and attributes or use existing groups in external identity managers to identify users that should be targeted by a subscription policy.

For detailed explanations and examples of how to manage user metadata, see the [Managing user metadata guide](https://documentation.immuta.com/saas/govern/getting-started-with-secure/automate-data-access-control-decisions/managing-user-metadata).

## Requirements

**Immuta permission**: `USER_ADMIN`

## Prerequisite

[Identity access manager configured](https://documentation.immuta.com/saas/configuration/people/section-contents)

## Select your metadata strategy

* [**Fact-based (ABAC)**](#fact-based-abac): Use this strategy if you have [many variables](#user-content-fn-1)[^1] that determine access.
* [**Logic-based (orchestrated RBAC)**](#logic-based-orchestrated-rbac): Use this strategy if a [single variable](#user-content-fn-2)[^2] determines access.

## Organize your user metadata

<details>

<summary>Fact-based (ABAC)</summary>

Fact-based user metadata (ABAC) decouples policy logic from user metadata: attributes and groups state facts about a user, and the subscription policy holds the access logic, which makes ABAC policy authoring highly scalable. For example,

* Steve has attribute: `country:USA`
* Sara has attribute: `role:administrator`
* Stephanie has attribute: `sales_region: Ohio, Michigan, Indiana`

1. Create groups that describe users' roles or who they are.
2. Create attributes that describe users' roles or who they are.

</details>

<details>

<summary>Logic-based (orchestrated RBAC)</summary>

Logic-based user metadata (orchestrated RBAC) couples user metadata with access logic: the attribute or group itself already encodes the access decision made in your identity manager. For example,

* Steve has attribute: `access_to:USA`
* Sara has attribute: `role:admin_functions`
* Stephanie has groups: `Ohio_sales, Michigan_sales, Indiana_sales`

1. Use your groups as-is from your [identity manager](https://documentation.immuta.com/saas/configuration/people/section-contents/reference-guides/index) or other [custom sources](https://documentation.immuta.com/saas/configuration/people/section-contents/reference-guides/custom-external).
2. Create attributes in a hierarchy that will support hierarchical matching.

   For example, if you have the tags `Strictly Confidential`, `Confidential`, `Internal`, and `Public`, ensure that user attribute values follow the same hierarchy so that a value at a higher level matches every tag beneath it:

   * A user with access to all data: `Classification: Strictly Confidential`
   * A user with access to only `Internal` and `Public`: `Classification: Strictly Confidential.Confidential.Internal`

</details>
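The two strategies above, and the hierarchical matching in the second one, are easier to compare side by side in code. The following is an added illustration written for this guide; it is not Immuta's implementation or API. The attribute keys (`country`, `employment`, `access_to`, `Classification`), the sample users and tags, and the prefix rule used for hierarchical matching are assumptions made here; under the fact-based strategy the policy function holds the logic from footnote 1, while under the logic-based strategy the policy only checks that the pre-decided `access_to` value matches the data tag.

```python
"""Added illustration of the two user-metadata strategies in this guide.

Example code, not Immuta's implementation. The attribute keys (country,
employment, access_to, Classification), the data tags and the prefix rule
used for hierarchical matching are assumptions made for this example.
"""

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # attribute key -> set of values, e.g. {"country": {"USA"}}
    attributes: dict[str, set[str]] = field(default_factory=dict)
    groups: set[str] = field(default_factory=set)

    def has(self, key: str, value: str) -> bool:
        return value in self.attributes.get(key, set())


# --- Fact-based (ABAC): attributes are facts, the policy holds the logic ----

def abac_can_subscribe(user: User, data_tags: set[str]) -> bool:
    """Rule from footnote 1: you must reside in the US and be a full-time
    employee to see data tagged both US and Highly Sensitive. Changing the
    rule (say, also allowing contractors) edits this function only; no user
    attribute has to be re-issued."""
    if {"US", "Highly Sensitive"} <= data_tags:
        return user.has("country", "USA") and user.has("employment", "full_time")
    return True  # assumption: data without that tag pair is unrestricted here


# --- Logic-based (orchestrated RBAC): the attribute encodes the decision ----

def rbac_can_subscribe(user: User, data_tags: set[str]) -> bool:
    """The identity manager already decided who gets access_to:<tag>; the
    policy only checks that an access_to value matches every tag on the data."""
    return all(user.has("access_to", tag) for tag in data_tags)


# --- Hierarchical matching of Classification attributes against tags --------

def hierarchical_match(attr_value: str, tag: str) -> bool:
    """Assumed rule: an attribute value names a node in the tag hierarchy and
    matches that node and everything beneath it. The comparison is segment by
    segment, so 'A.Internal' does not match 'A.Internal2'."""
    attr_path = attr_value.split(".")
    tag_path = tag.split(".")
    return tag_path[: len(attr_path)] == attr_path


def accessible_tags(user: User, tags: list[str]) -> list[str]:
    """Tags the user can reach through any of their Classification values."""
    values = user.attributes.get("Classification", set())
    return [t for t in tags if any(hierarchical_match(v, t) for v in values)]


# Constructed sample data mirroring the guide's examples.
CLASSIFICATION_TAGS = [
    "Strictly Confidential",
    "Strictly Confidential.Confidential",
    "Strictly Confidential.Confidential.Internal",
    "Strictly Confidential.Confidential.Internal.Public",
]

steve = User("Steve", {"country": {"USA"}, "employment": {"full_time"},
                       "access_to": {"USA"}})
sara = User("Sara", {"country": {"USA"}, "employment": {"contractor"},
                     "role": {"administrator"}})
all_access = User("Ann", {"Classification": {"Strictly Confidential"}})
internal_only = User(
    "Ian", {"Classification": {"Strictly Confidential.Confidential.Internal"}})

if __name__ == "__main__":
    sensitive = {"US", "Highly Sensitive"}
    print("ABAC Steve ->", abac_can_subscribe(steve, sensitive))  # True
    print("ABAC Sara  ->", abac_can_subscribe(sara, sensitive))   # False
    print("RBAC Steve ->", rbac_can_subscribe(steve, {"USA"}))    # True
    print("Ann reaches", accessible_tags(all_access, CLASSIFICATION_TAGS))     # all four
    print("Ian reaches", accessible_tags(internal_only, CLASSIFICATION_TAGS))  # Internal, Public
```

The point to notice is where a change lands: under ABAC, a new rule is a policy edit and the facts stay put; under orchestrated RBAC, a new data tag means the identity manager must issue a new `access_to` value, and with hierarchical values a user placed at `Strictly Confidential` reaches every tag beneath it while one placed at `...Confidential.Internal` reaches only `Internal` and `Public`.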

## Add user metadata to Immuta

Once you've organized your user metadata, you can add that metadata in Immuta in these ways:

1. Add attributes and groups to users in your identity manager. Then, sync your users, groups, and attributes from your external identity manager to Immuta:
   1. [**LDAP**](https://documentation.immuta.com/saas/configuration/application-configuration/how-to-guides/config-builder-guide#add-ldap-or-active-directory): Enable **LDAP sync** and **sync groups and attributes to Immuta** for your provider.
   2. [**OpenID Connect**](https://documentation.immuta.com/saas/configuration/people/section-contents/how-to-guides/openid-connect/openid-connect-protocol) or [**SAML**](https://documentation.immuta.com/saas/configuration/people/section-contents/how-to-guides/saml/enable-saml): Enable SCIM for your provider and enable sync attributes and groups.
2. [Add groups and attributes to users in Immuta manually.](https://documentation.immuta.com/saas/configuration/people/users-index/how-to-guides/managing-attribute-and-group)
3. [Use the external user info endpoint to sync attributes or groups from a custom source.](https://documentation.immuta.com/saas/configuration/people/section-contents/reference-guides/custom-external)

## Next steps

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th></th></tr></thead><tbody><tr><td><strong>Learn</strong></td><td>Read these guides to learn more about using Immuta to automate data access control decisions.</td><td><ol><li><a href="../../..#choose-your-path-orchestrated-rbac-or-abac">Choose your path: orchestrated RBAC and ABAC</a>: This section describes the two different approaches (or mix) you can take to managing policy and their tradeoffs.</li><li><a href="../managing-data-metadata">Managing data metadata</a>: This guide describes how to manage your data metadata and create meaningful tags before you use them to author policies.</li><li><a href="../author-policy">Author policy</a>: This guide describes how to define your global subscription policy logic.</li></ol></td></tr><tr><td><strong>Implement</strong></td><td>Follow these guides to start using Immuta to automate data access control decisions.</td><td><ol><li><a href="../managing-data-metadata/manage-data-metadata-how-to-guide">Manage data metadata</a>. Tag your columns with tags that are meaningful.</li><li><a href="../author-policy/author-policy-how-to-guide">Author policy</a>. Define your global subscription policy logic.</li><li>Optionally <a href="../../test-and-deploy-policy">test and deploy policy</a>.</li></ol></td></tr></tbody></table>

[^1]: An example of multiple variables determining access is a rule like this: `You must reside in the US and be a full time employee to see data tagged US and Highly Sensitive.`

    See the [Governance use cases introduction](https://documentation.immuta.com/saas/govern/getting-started-with-secure/..#choose-your-path-orchestrated-rbac-or-abac) for further explanation and examples.

[^2]: An example of a single variable determining access is a rule like this: `You must have signed data use agreement x to have access to data y.`

    See the [Governance use cases introduction](https://documentation.immuta.com/saas/govern/getting-started-with-secure/..#choose-your-path-orchestrated-rbac-or-abac) for further explanation and examples.
