Manage User Metadata How-to Guide

Before authoring global data policies to mask columns or redact rows, user metadata must exist in Immuta so that it can be used in the policy to identify the users that should be targeted by the policy.

This how-to guide demonstrates how to manually add groups and attributes or use existing groups in external identity managers to identify these users.

For detailed explanations and examples of how to manage user metadata, see the Managing user metadata guide.

Requirements

Immuta permission: USER_ADMIN

Prerequisite

Identity access manager configured

Organize your user metadata using the ABAC method

Fact-based user metadata allows you to decouple policy logic from user metadata, allowing highly scalable ABAC policy authoring. For example,

• Steve has attribute: country:USA

• Sara has attribute: role:administrator

• Stephanie has attribute: sales_region: Ohio, Michigan, Indiana

1. Create groups that describe users' roles or who they are.

2. Create attributes that describe users' roles or who they are.

Add user metadata to Immuta

Once you've organized your user metadata, you can add that metadata in Immuta in these ways:

1. Add attributes and groups to users in your identity manager. Then, sync your users, groups, and attributes from your external identity manager to Immuta:

   1. LDAP: Enable LDAP sync and sync groups and attributes to Immuta for your provider.

   2. OpenID Connect or SAML: Enable SCIM for your provider and enable sync attributes and groups.

2. Add groups and attributes to users in Immuta manually.

3. Use the external user info endpoint to sync attributes or groups from a custom source.

Next steps