Author Policy How-to Guide

Authoring global subscription policies to automate access controls involves using the data metadata and user metadata in Immuta to identify the data that should be governed and the users the policy should target.

This how-to guide demonstrates how to author a global subscription policy in Immuta to automate access decisions.

For detailed explanations and examples of how to author subscription policies, see the Author policy guide.

Requirements

Immuta permission: GOVERNANCE global permission, Manage Policies domain permission, or own the data source

Prerequisites

Understand your metadata

How you author policies depends on how your user and data metadata are organized to grant access:

  • Fact-based (ABAC): determine access, and data sources are tagged at the column and table level.

  • Logic-based (orchestrated RBAC): A variable determines access, and data sources are tagged at the table level. With orchestrated RBAC you establish a one-to-one relationship between how your users are tagged (attribute or group) and the single data tag that user tag explicitly gives them access to.

Author a subscription policy

ABAC policy authoring
  1. Determine why someone should be given access to data. For example, let’s say that to have access to Strictly Confidential, you have determined that someone should be

    • an employee (not contractor)

    • in the US

    • part of the Legal team

  2. Build individual subscription policies for each piece of logic associated with why someone should have access. Examples are provided below.

Example policy 1: employee access

Author a subscription policy that grants read access to users who are a member of group Employees that applies to columns tagged Strictly Confidential:

Allow users to subscribe with read access when user is a member of group Employees on data sources with columns tagged Strictly Confidential.

Example policy 2: country access

Author a subscription policy that grants read access to users with attribute Country.US that applies to columns tagged Strictly Confidential:

Allow users to subscribe with read access when user possesses attribute Country with value US on data sources with columns tagged Strictly Confidential.

Example policy 3: legal team access

Author a subscription policy that grants read access to users who are a member of group Legal Team that applies to columns tagged Strictly Confidential:

Allow users to subscribe with read access when user is a member of group Legal Team on data sources with columns tagged Strictly Confidential.

Orchestrated RBAC policy authoring
  1. Determine how user metadata and data metadata are organized. What variable determines access?

  2. Build grant subscription policies using special functions in the advanced DSL builder to target tables. Since orchestrated RBAC is all about one-to-one matching of user metadata to data metadata, use the special functions in the subscription policy builder for managing this:

    1. @hasTagAsAttribute('', )

    2. @hasTagAsGroup()

Example

Let’s say there are Strictly Confidential tables and Public tables. Everyone has access to Public, and only special people have access to Strictly Confidential.

Users are tagged with their access under the Access attribute key:

  • Bob: Access: Strictly Confidential

  • Steve: Access: Public

Tables are also tagged with the same metadata:

  • Table 1: Strictly Confidential

  • Table 2: Public

You would build a grant subscription policy that targets all tables like this:

Allow users to subscribe with read access when @hasTagAsAttribute(Access,dataSource) on all data sources.
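To make the two authoring styles concrete, the following is an added toy evaluator (not Immuta's policy engine or API) that models ABAC example policies 1 to 3 and the @hasTagAsAttribute one-to-one match from the orchestrated RBAC example above. The users, tables, tags and the rule that all three ABAC facts must hold are constructed assumptions for illustration; the page does not state how Immuta merges several global policies or what applies when none does.

```python
from dataclasses import dataclass, field

# Constructed sample model of the page's policy examples; not Immuta's own code.
@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # attribute key -> set of values

@dataclass
class DataSource:
    name: str
    tags: set = field(default_factory=set)         # tags applied at the table level
    column_tags: set = field(default_factory=set)  # tags applied to any column

SC = "Strictly Confidential"
# ABAC example policies 1-3: each has a target (which data sources it applies to)
# and a condition on the user (the "when" clause of the policy).
ABAC_POLICIES = [
    ("employee access", lambda ds: SC in ds.column_tags, lambda u: "Employees" in u.groups),
    ("country access", lambda ds: SC in ds.column_tags,
     lambda u: "US" in u.attributes.get("Country", set())),
    ("legal team access", lambda ds: SC in ds.column_tags, lambda u: "Legal Team" in u.groups),
]

def evaluate_abac(user, ds):
    """Map each policy that applies to ds to whether the user satisfies it."""
    return {name: cond(user) for name, applies, cond in ABAC_POLICIES if applies(ds)}

def abac_read_access(user, ds):
    """Assumption: step 1 wants all three facts to hold, so every applicable policy
    must pass. None means no policy applied (the page gives no default for that)."""
    results = evaluate_abac(user, ds)
    return all(results.values()) if results else None

def has_tag_as_attribute(user, ds, key="Access"):
    """Model of @hasTagAsAttribute(Access, dataSource): one-to-one matching of a
    value the user holds under the attribute key against a tag on the table."""
    return bool(user.attributes.get(key, set()) & ds.tags)

# Constructed users and tables following the page's examples.
alice = User("alice", {"Employees", "Legal Team"}, {"Country": {"US"}})
carol = User("carol", {"Employees"}, {"Country": {"US"}})   # not on the Legal Team
bob = User("bob", attributes={"Access": {SC}})
steve = User("steve", attributes={"Access": {"Public"}})
hr = DataSource("hr", column_tags={SC})
table1 = DataSource("table1", tags={SC})
table2 = DataSource("table2", tags={"Public"})
```

Note that under strict one-to-one matching Bob sees only table1: his Access attribute has no value matching the Public tag, so a separate attribute value or policy is needed for the "everyone has access to Public" intent.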

Next steps

Learn

Explore this use case to learn more about using Immuta to mask sensitive data.

Compliantly open more sensitive data for ML and analytics: This section focuses on how to safely and compliantly open more sensitive data for your organization to support machine learning and analytics needs.

Implement

Follow these guides to test your policies and use Immuta to enforce fine-grained access controls.