2024

December 2024

December 19, 2024

Azure Private Link for Starburst is generally available: Private Link connectivity to Starburst on Azure, previously in private preview, is now generally available.

Classification page is available by default: Users can now view classification frameworks created through the frameworks API on the Discover classification page. This page is now enabled on all tenants.

December 17, 2024

Marketplace private preview now available: Marketplace brings data products and data people together by exposing request and approval workflows, all backed by the existing Immuta policy engine. Integrate Marketplace with your existing catalog, or leverage the Immuta Marketplace app alone.

It allows your entire organization to provision data as one through workflows:

  • Publish data products. Make curated data products findable on a single, central platform.

  • Establish teams and authority. Define logical domains for local control and visibility. Enable business users to manage metadata and access approvals separately from data product owners.

  • Search and access data assets. Make it easy for users to search and filter available data assets, and establish a process to easily request access.

  • Provision data access. Streamline data access approvals and automatically provision access based on data use agreements.

Watch the Immuta Marketplace webinar for a demo.

December 12, 2024

Disable randomized response by default and allow a customer to opt in: When a randomized response policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that contains the predicates used for the randomization. The results of this query, which may contain sensitive data, are stored in the Immuta internal database. Because this process may violate an organization's data localization regulations, you must reach out to your Immuta representative to enable this masking policy type for your account. If you have existing randomized response policies, those policies will not be affected by this change.

December 9, 2024

Global sensitive data discovery (SDD) template setting changes: If you have SDD enabled, there are template setting changes and a change in how Immuta runs SDD automatically on new data sources:

  • The default value for Global SDD Template Name is blank.

  • If you don't change the default value and leave Global SDD Template Name blank, Immuta won't run any patterns on new data sources.

  • If you change the default value and want a different identification framework to run, you need to enter the name of that identification framework (instead of the displayName). See the API documentation on how to retrieve the name of an identification framework.

November 2024

November 26, 2024

Enhancement

Compatibility with Collibra Edge: Immuta’s external catalog integration now supports auto-linking data sources with Collibra Edge. The auto-linking process performs name matching of data assets following the Edge naming convention with their corresponding data sources in Immuta.

Deprecation

Deprecated features remain in the product with minimal support until their end of life date.

| Feature | Deprecation notice | End of life (EOL) |
| --- | --- | --- |
| Redshift Okta authentication | November 2024 | December 2024 |

Bug fix

Fix for accurately representing disabled users’ subscription status for data sources and projects in governance reports: Addressed an issue where users with status disabled were misrepresented in governance reports as being subscribed to data sources or projects when in fact they weren’t. (Disabled users always have all their data source and project subscriptions revoked until they get re-enabled.)

The following governance reports have been fixed:

  • Data source:

    • All data sources and the users and groups subscribed to them

    • What users and groups are subscribed to a particular data source

    • What users and groups have ever subscribed to a particular data source

  • Projects: What users and groups are part of a particular project

  • Purpose: What users are members of projects with a particular purpose

  • User:

    • All users and the data sources they are subscribed to

    • What data sources is a particular user subscribed to

    • What projects is a particular user currently a member of

November 20, 2024

Deprecation

Deprecated features remain in the product with minimal support until their end of life date.

Conditional tags applied by sensitive data discovery are deprecated and will be removed from the product in December 2024. If you rely on conditional tags, consult your Immuta representative for instructions on using the classification framework API to apply these tags instead of sensitive data discovery.

November 15, 2024

New features and enhancements

  • Classification UI and Frameworks API is generally available: The frameworks API allows users to create rules to dynamically tag their data with sensitivity tags to drive dashboards and policies. These custom rules and frameworks can then be viewed in the UI and managed through the API.

  • New built-in pattern improvements: Additional improvements have been made to the improved pack of built-in identifiers:

    • CREDIT_CARD_NUMBER: Previously only detected card numbers that can be issued currently. Now, it can detect credit card numbers that were formerly issued.

    • PERSON_NAME: Enhanced the pattern to detect a wider variety of names to reduce the number of false positives.

    • DATE: Previously only worked with strings. The pattern is enhanced to now detect and apply when the data type is date.

    • TIME: Previously only worked with strings. The pattern is enhanced to now detect and apply when the data type is time.

Deprecation

Deprecated features remain in the product with minimal support until their end of life date.

The following built-in Classification Frameworks are now deprecated and will reach end of life in December 2024:

  • California Consumer Privacy Act

  • Data Security Framework

  • General Data Protection Regulation

  • Health Insurance Portability and Accountability Act

  • Immuta Data Security Framework

  • Payment Card Industry Data Security Standard

  • Risk Assessment Framework

Instead, use the Classification Framework API and UI to create custom frameworks that replicate the functionality of any built-in framework and extend them to suit your use cases. Immuta's Product Engineering team can assist you with creating your custom framework.

November 12, 2024

Azure Private Link for Databricks and Snowflake is generally available: Azure Private Link provides private connectivity from the Immuta SaaS platform (hosted on AWS) to customer-managed Snowflake and Databricks accounts on Azure. It ensures that all traffic to the configured endpoints only traverses private networks over the Immuta private cloud exchange.

November 6, 2024

Integration error updates: All users now see a banner notification when an integration is experiencing an error. This update calls attention to critical integration errors that can have large impacts on end users, which improves awareness and streamlines the process of pinpointing errors and driving them to resolution.

Additionally, Immuta has simplified how the integration statuses are reported within the app settings integrations page for enhanced clarity.

October 2024

October 31, 2024

Standard integration with Microsoft Purview enterprise data catalog for tag enrichment in Immuta: This deployment includes a new standard connector (out-of-the-box) for tag enrichment from a Microsoft Purview enterprise data catalog to Immuta.

The Microsoft Purview catalog integration with Immuta currently supports tag ingestion of Classifications and Managed attributes as tags for Databricks Unity Catalog, Snowflake, and Azure Synapse Analytics data sources and their associated columns. Additionally, data source and column descriptions from the connected Microsoft Purview catalog will also be pulled into Immuta.

This connector simplifies tag enrichment in Immuta for customers whose tag information resides in Microsoft Purview enterprise data catalog. Previously, customers leveraging Microsoft Purview enterprise data catalog had to build an integration themselves using Immuta’s custom REST catalog interface.

October 29, 2024

  • Databricks Unity Catalog additional workspace connections: This feature allows users to configure additional workspace connections within their Databricks integrations and bind these additional workspaces to specific catalogs. This enables customers to use Databricks’ workspace-catalog binding feature with their Immuta integration. Users can dictate which workspaces are authorized to access specific catalogs, allowing them to better control catalog access and isolate compute costs if desired.

  • Private networking across global segments: This feature allows connections to data sources over private networking that reside in a different global segment than their Immuta tenant. For example, if your Immuta tenant is in North America, you can now connect to data sources in APAC and the EU over private networking.

October 22, 2024

Databricks integration support defaulted to Unity Catalog: Eliminated the manual step of updating a global account setting prior to configuring a Unity Catalog integration. For Databricks integrations, the default support now assumes a Unity Catalog integration.

Customers using Databricks Spark must now update the default account setting before configuring their Databricks integrations.

October 15, 2024

Deprecations

Deprecated items remain in the product with minimal support until their end of life date.

| Feature | Deprecation notice | End of life (EOL) |
| --- | --- | --- |
| Data inventory dashboard | October 2024 | November 2024 |

October 3, 2024

  • Improvements to sensitive data patterns used to find and tag data: These improved patterns have higher accuracy out of the box, which reduces the amount of overtagging and missed tags. The result is an easier experience and reduced time to value generating actionable metadata.

  • Microsoft Purview enterprise data catalog support: New standard connector for tag enrichment from Microsoft Purview enterprise data catalog to Immuta. In addition to Purview tags, the following Purview objects will be pulled in and applied to registered data sources as either column or data source tags in Immuta:

    • System classifications

    • Custom classifications

    • Managed attributes

October 1, 2024

  • SDD governance report shows whether tags are used in policy: All governance reports based on sensitive data discovery now have a report column showing whether the tag is used as part of a policy in Immuta.

  • Authentication change to accommodate Snowflake moving away from password-only authentication: This deployment includes updates to the integration setup script to accommodate Snowflake beginning to transition away from password-only authentication for new accounts. When configuring an integration manually for a new Snowflake account, Immuta provides an updated manual setup script that permits password-only authentication by differentiating it as a legacy service with an additional parameter. Existing integrations will continue to function as-is.

Bug fix

Fix for Databricks audit workspace IDs: Previously, users filtering their audit by workspaces had to enter a 16-digit workspace ID. This restriction has been removed.

September 2024

September 12, 2024

New domain-level permission - Audit Activity: This permission enables customers to delegate activity reviews to individuals for a set of audit events related to data sources within a domain, helping organizations open up access to query information to more users across the enterprise while staying compliant. For customers who use domains to define data products, the Audit Activity domain permission allows data product owners to review query activities of the data sources they manage using rich visualizations and dashboards.

September 10, 2024

SDD governance report shows whether tags are used in a policy: Under the governance reports menu, all reports based on sensitive data discovery now have a report column showing whether the tag is used as part of a policy in Immuta.

September 10, 2024

Rotating the shared secret for Starburst (Trino): Users can rotate the shared secret used for API authentication between Starburst (Trino) and Immuta, which provides improved security management, compliance with organizational policies, and the following benefits:

  • Enhanced security: Regularly update your API credentials to mitigate potential security risks.

  • Compliance support: Meet security requirements that mandate periodic rotation of API keys.

  • Flexibility: Change the shared secret at any time after the initial integration setup.

Existing integrations will continue to function normally. Downtime is required when rotating the shared secret, so follow the Starburst (Trino) integration API documentation to ensure continuous operation of your integration, and establish a regular schedule for rotating your shared secret as part of your security best practices.

August 2024

August 29, 2024

Deprecations

Deprecated items remain in the product with minimal support until their end of life date.

| Feature | Deprecation notice | End of life (EOL) |
| --- | --- | --- |
| CREATE_FILTER permission | August 2024 | December 2024 |
| Unmask requests | August 2024 | December 2024 |

August 22, 2024

Schema monitoring for Snowflake and Databricks Unity Catalog supports detecting and automatically reapplying policies on data sources that have changed their object type (for example, a VIEW that was changed into a TABLE or vice versa).

August 20, 2024

Enhancement

SDD supports Databricks Unity Catalog OAuth M2M: Sensitive data discovery now works with Databricks data sources that are registered in Immuta using OAuth Machine-to-Machine (M2M) authentication.

Bug fix with breaking API change

Only users with the CREATE_DATA_SOURCE permission are authorized to use the POST api/v2/data endpoint; users without that permission will be blocked and get a 403 status returned.

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "You must have the \"CREATE_DATA_SOURCE\" permission."
}

August 13, 2024

Enhancement

Decreased the number of validation tasks for data owners from new data sources and columns found by schema monitoring: When schema monitoring is enabled, Immuta applies a New tag whenever a new data source is added or its columns change. This allows governors to create policies that automatically apply to all new data sources and columns (such as masking new data by default).

Previously, data owners were always asked to validate data source requests (which in turn removes the New tag) related to data source and column changes, even if there was no actual policy present targeting the New tag.

Now, data owners are only asked to validate data source requests if an actual policy is present that is targeting the New tag. Otherwise the validation request for data owners gets skipped.

As a result, in the absence of a relevant policy, data owners will now have fewer data source requests to validate, which saves them time and increases efficiency.

Removed feature

Query text has been removed from all legacy audit records: Immuta no longer stores query text with legacy audit records, as its support has reached end of life. Instead, use UAM events, which by default contain query text.

Bug fix

Snowflake External OAuth: The form field Client Secret stopped being displayed in the UI for Snowflake data source registration, which led customers to believe that Snowflake External OAuth using client secret was no longer a supported authentication mechanism. This fix reintroduced the client secret field in the UI.

Customers who had already registered data sources with Snowflake External OAuth previously via the UI, API, or CLI while the bug existed were not affected, since the issue only affected the UI but not the backend or programmatic interfaces.

August 7, 2024

Deprecation

Deprecated items remain in the product with minimal support until their end of life date.

| Feature | Deprecation notice | End of life (EOL) |
| --- | --- | --- |
| Policy exemptions | August 2024 | October 2024 |

August 1, 2024

Masked joins for Snowflake and Databricks Unity Catalog integrations are now generally available. This feature allows masked columns to be joined across data sources that belong to the same project, giving users additional capability for data analysis within a project while still securing sensitive data. Sensitive columns can be masked while still allowing users to join on them within a project, helping organizations strike the correct balance between access and security.

July 2024

July 17, 2024

Simpler UX for sensitive data discovery: Customizing sensitive data discovery is now easier and quicker with a single entry point for configuration. Instead of navigating to multiple pages in the Immuta application, use a single form to create an identifier for sensitive data and add tags and regex patterns.

July 10, 2024

Released Immuta CLI v1.4.0: A new version of the CLI was released which includes new support for AWS IAM role authentication for audit export to S3 and some CLI breaking changes. See the CLI release note for more details.

July 9, 2024

  • Allow masked joins for Snowflake and Databricks Unity Catalog integrations: This feature allows masked columns to be joined across data sources that belong to the same project giving users additional capability for data analysis within a project, while still securing sensitive data. Sensitive columns can be masked while still allowing users the ability to join on these within a project, helping organizations strike the correct balance between access and security.

  • Removing legacy audit records: Starting July 23rd, Immuta will begin enforcing the 90 day retention period for legacy audit records for all tenants in SaaS. This will have no impact on Governance Reports. If you need to export legacy audit records older than 90 days, see the View audit logs guide for details on the legacy (deprecated) Audit API. Universal Audit Model (UAM) records can be exported on a configured schedule to S3 or ADLS; see the Export audit logs to S3 or Export audit logs to ADLS guides.

July 2, 2024

  • Group membership count contains information on active and disabled users: When looking at the number of users contained in a group, you can easily distinguish between active and disabled users. This enhancement allows user admins to verify accurate user-to-group membership between their external identity access manager and Immuta faster.

  • Support role-based access for S3 audit export: Audit export supports AWS IAM authentication. Customers can use AWS assumed role-based authentication or access key authentication to secure access to S3 to export audit events.

June 2024

June 27, 2024

Databricks Unity Catalog integration tag ingestion: Customers who have tags defined and applied in Databricks Unity Catalog can seamlessly bring those tags into Immuta to leverage them for attribute based access control (ABAC), data classification, and data monitoring.

This feature is currently in preview at the design partner level. To use this feature in preview, you must have no more than 2,500 Unity Catalog data sources registered in Immuta. See the design partner description for expectations and details, and then reach out to your Immuta representative to enable this feature.

June 25, 2024

Comply with column length and precision in a Snowflake masking policy: Snowflake is soon requiring the outputs of masked columns to comply with the length, scale, and precision of what the Snowflake columns require. To comply with this Snowflake behavior change, Immuta truncates the output values in masked columns to match the Snowflake column requirements so that users' queries continue to complete successfully.

June 11, 2024

Trino universal audit model available with Trino 435 using the Immuta Trino plugin 435.1: For customers that are using EMR 7.1 with Trino 435.1, and have audit requirements, the Immuta Trino 435.1 plugin now supports audit in the universal audit model. The Immuta Trino 435.1 plugin audit information is on par with the Immuta Trino 443 plugin. The Immuta Trino 435.1 plugin is supported on SaaS and 2024.2 and newer.

June 4, 2024

Adding a new external catalog integration automatically backfills tags for pre-existing data sources: Prior to this change, users had to manually link pre-existing data sources to the relevant external data catalog entry after a new external data catalog integration was set up, and only newly registered data sources were linked automatically. Now, Immuta triggers an auto-linking process for all unlinked data sources when a new external data catalog integration setup is saved.

This change increases the level of automation, reduces cognitive and manual workload for data governors, and aligns external data catalog integration behavior with end user expectations.

June 3, 2024

Removing the overview tab on identification frameworks: Under Discover, each identification framework now has two tabs: rules and data sources. Prior to this change, there was an overview tab that linked to the other two tabs. When clicking into an identification framework, you now land directly on the rules tab.

May 2024

May 30, 2024

  • OAuth M2M support for Databricks Unity Catalog: We are excited to announce that Immuta now supports establishing connections to Databricks using OAuth Machine-to-Machine (M2M) authentication. This feature enhances security and simplifies the process of integrating Databricks with Immuta, leveraging the robust capabilities of OAuth M2M authentication.

  • New product changelog: The new Immuta product changelog will announce the latest product updates, features, improvements, and fixes.

    Immuta users can open the in-app changelog by clicking “What’s New?” in the left-hand navigation. It is also available at changelog.immuta.com.

May 21, 2024

Schema monitoring enhancement for Databricks Unity Catalog: Schema monitoring for Databricks Unity Catalog now supports detecting and automatically reapplying policies on destructively recreated tables (from CREATE OR REPLACE statements), even if the table schema itself wasn’t changed.

May 14, 2024

The Immuta Starburst (Trino) integration supports additional query audit metadata enrichment including the object accessed during the query event: Immuta query audit events for Starburst (Trino) will include the following information.

  • Object accessed: The tables and columns that were queried

  • Tags: The Immuta table and column tags, including data catalog tags synchronized to Immuta, for queried tables and columns

  • Sensitivity classification: The columns' sensitivity in context of other queried columns if an Immuta classification framework is enabled at the time of audit event processing

  • Query duration: The amount of time it took to execute the query in seconds

  • Database name: The name of the Starburst (Trino) catalog

May 13, 2024

Governance permission required for Discover: Starting today, the Discover UI for managing automated data identification and classification is only accessible to users with the GOVERNANCE permission in the Immuta application. Previously, Immuta users with permission to create data sources could also access the settings in the Discover UI.

May 8, 2024

Bug fix

Fix for external tag ingestion related to Collibra Output Module API behavioral change: Incorrect filters were being passed to Collibra’s Output Module API when fetching column tag information. This was resulting in a failed API request while linking or refreshing Collibra tags on a data source. Collibra’s Output Module API began performing additional request validation on approximately May 6, 2024, which indicated a problem. This fix ensures that the Collibra tag ingestion integration in Immuta is reflecting these changes. Without it, there was a residual risk that some incorrect column tags would get ingested.

May 7, 2024

  • Data owners can now see audit events for the data sources that they own without having the AUDIT Immuta permission: Data owners can see query events for their data sources on the audit page, data overview page, data source pages, and the data source activity tab. They can also inspect Immuta audit events on the audit page and activity tab for the data sources they own. This enhancement gives data owners full visibility of activity in the data sources they own.

  • Snowflake memoizable functions update: Immuta policies leverage Snowflake’s memoizable UDFs. When an end user references a policy-protected column in a query, the cached results are available from the memoizable function, resulting in faster, more performant queries.

May 2, 2024

  • Running table statistics only if required (instead of by default): Table statistics consist of row counts, identification of high cardinality columns, and a sample data fingerprint. Immuta needs to collect this information in order to support the following data access policy types:

    • Column masking with randomized response

    • Column masking with format preserving masking

    • Column masking with k-anonymization

    • Column masking with rounding

    • Row minimization

    Prior to this change, table statistics would be collected for every newly onboarded object by default, except if the object had a Skip_Stats tag applied. After this change, table statistics are only collected on a data object once they are required (i.e., if one of the above-mentioned policy types is applied). Even then, the Skip_Stats tag continues to be respected. This change results in performance improvements, as the number of standard operations during data object onboarding is significantly reduced.

  • Alation custom fields integration: In addition to Alation standard tags, Immuta’s Alation integration now also supports pulling information from Alation custom fields as tags into Immuta.

April 2024

April 30, 2024

Data policies on Snowflake Iceberg tables: Users can now apply fine-grained access controls to Snowflake Iceberg tables, making support for Immuta data policies and subscription policies consistent across standard Snowflake table types.

April 22, 2024

Breaking changes

  • POST /project endpoint: Users will receive a 422 status error instead of a 400 status error when trying to create a new project name that would result in a database conflict on the project's unique name.

  • POST /api/v2/data endpoint response: creating will not be returned in the response when using this endpoint the first time; the response will just include bulkId and connectionString. However, when updating a data source using POST /api/v2/data, the response will include creating: [] (with no data source names inside the array).

April 18, 2024

New features and enhancements

  • Domains in general availability: Domains are containers of data sources that allow you to assign data ownership and access management to specific business units, subject matter experts, or teams at the nexus of cross-functional groups. Domains support organizations building a data mesh architecture and implementing a federated governance approach to data security, which can accelerate local, domain-specific decision making processes and reduce risk for the business.

    This feature is being gradually rolled out to customers and may not be available in your account yet.

  • Improved user experience for managing users, data sources and policies: This deployment includes significant user experience updates focused on enhancing Immuta's key entities: users, data sources, and policies.

    • The People section has a more intuitive experience with notable changes. Users and groups have been split into two separate tabs. The first tab provides an overview of a user or group, while the second tab contains detailed settings, such as permissions, attributes, and associated groups.

      Another important enhancement in the People section is the new Attributes page, which centralizes all information about an attribute, including the users or groups it applies to.

    • The Data Sources section has been completely redesigned to offer a more efficient search and filter experience. Users can preview details of a data source through expandable rows on the list and access bulk actions for data sources more easily.

    • The Policy section includes an updated list with improved search and filter capabilities. Additionally, a policy detail page allows users to view comprehensive policy information, take action, edit policies, and see a list of targeted data sources.

    These enhancements are being gradually rolled out to customers and may not be available in your account yet.

  • Disable external usernames with invalid Databricks identities: Databricks user identities for Immuta users will now be automatically marked as invalid when the user is not found during policy application. This will prevent them from being affected by Databricks policy until manually marked as valid again in their Immuta user profile. This change drastically improves syncing performance of subscription policies for Databricks Unity Catalog integrations when Immuta users are not present in the Databricks environment.

April 16, 2024

Project-scoped purpose exceptions for Snowflake and Databricks Unity Catalog integrations: Row and column-level policies can now account for purposes and projects for additional security. With this policy configuration, a user will only be able to view the data the policy applied to if they are acting under a certain purpose and that data is within their current project. Purpose exception policies ensure data is only being used for the intended purposes. This feature is in private preview.

Breaking API change

The POST /tag/{modelType}/{modelId} endpoint (which adds tags to models that can be tagged, such as data sources and projects) can only apply tags that exist to these models. This update presents one breaking change: A 404 status will now be returned with the tag(s) that were not valid instead of a 200 status, and no tags will be processed if any invalid tags are found.

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "Tags with the names [`country`, `sensitive`] do not exist."
}
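A client-side sketch of how automation can react to the breaking API changes listed on this page: the all-or-nothing 404 from POST /tag/{modelType}/{modelId}, the 403 and the optional `creating` field on POST /api/v2/data, and the 422 name conflict on POST /project. This is an added example, not Immuta code. `Outcome`, `interpret` and the action labels are hypothetical names, the success bodies are constructed, and extracting tag names from back-quoted text assumes the 404 message keeps the shape shown above.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Error bodies copied from this changelog; success bodies are constructed samples.
TAG_404 = r'''{"statusCode": 404, "error": "Not Found",
 "message": "Tags with the names [`country`, `sensitive`] do not exist."}'''
DATA_403 = r'''{"statusCode": 403, "error": "Forbidden",
 "message": "You must have the \"CREATE_DATA_SOURCE\" permission."}'''
DATA_FIRST = '{"bulkId": "constructed-bulk-id", "connectionString": "constructed"}'
DATA_UPDATE = '{"bulkId": "constructed-bulk-id", "connectionString": "constructed", "creating": []}'

# Assumption: missing tag names stay back-quoted inside the 404 message.
BACKQUOTED = re.compile(r"`([^`]+)`")


@dataclass
class Outcome:
    ok: bool
    action: str                       # hypothetical label: what the caller does next
    detail: str = ""
    missing_tags: List[str] = field(default_factory=list)
    bulk_id: Optional[str] = None
    creating: List[str] = field(default_factory=list)


def parse_body(body_text: str) -> dict:
    """Parse a JSON object, tolerating empty or non-JSON error pages."""
    try:
        parsed = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def interpret(endpoint: str, status: int, body_text: str) -> Outcome:
    """Map an HTTP response from one of the changed endpoints to a next step."""
    body = parse_body(body_text)
    message = str(body.get("message", ""))
    success = 200 <= status < 300

    if endpoint == "POST /tag/{modelType}/{modelId}":
        if status == 404:
            # All-or-nothing: no tag in the request was applied, so the whole
            # request must be re-sent once the missing tags exist.
            return Outcome(False, "create_tags_then_resend_all", message,
                           missing_tags=BACKQUOTED.findall(message))
        if success:
            return Outcome(True, "done")

    elif endpoint == "POST /api/v2/data":
        if status == 403:
            return Outcome(False, "request_CREATE_DATA_SOURCE_permission", message)
        if success:
            # `creating` is absent on first use and [] on update: never index it.
            return Outcome(True, "track_bulk_job", bulk_id=body.get("bulkId"),
                           creating=list(body.get("creating") or []))

    elif endpoint == "POST /project":
        if status == 422:
            return Outcome(False, "choose_different_project_name", message)
        if status == 400:
            return Outcome(False, "fix_request_payload", message)
        if success:
            return Outcome(True, "done")

    # Unknown endpoint or status: fail closed instead of assuming success.
    return Outcome(False, "escalate", message or f"unexpected status {status}")


if __name__ == "__main__":
    for args in [("POST /tag/{modelType}/{modelId}", 404, TAG_404),
                 ("POST /api/v2/data", 403, DATA_403),
                 ("POST /api/v2/data", 200, DATA_FIRST),
                 ("POST /project", 422, "")]:
        print(args[0], args[1], "->", interpret(*args))
```

Treating the tag 404 as "nothing applied" matters when policies are driven by tags: a pipeline that keeps going after a partial-looking failure would leave the data source without the tags its policies target.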

April 11, 2024

Write policies for Amazon S3: Besides READ operations, Immuta's Amazon S3 integration now also supports fine-grained access permissions for READWRITE operations. While Immuta read policies control who can consume objects from Amazon S3 storage locations, write policies allow control of who can add and delete objects. Contact your Immuta representative to get write policies for Amazon S3 enabled in your Immuta tenant.

April 9, 2024

Disable k-anonymization by default and allow a customer to opt in: When a k-anonymization policy is applied to a data source, the columns targeted by the policy are queried under a fingerprinting process that generates rules that enforce the k-anonymity. The results of this query, which may contain sensitive data, are temporarily held in memory.

Because this process may violate an organization's data localization regulations, you must reach out to your Immuta representative to enable this masking policy type for your account. If you have existing k-anonymization policies, those policies will not be affected by this change.

April 4, 2024

Enhancement

Updated classification frameworks: Customers using the public preview classification frameworks feature now have access to the Data Security Framework (DSF) and Risk Assessment Framework (RAF). DSF extends sensitive data discovery tags to apply descriptive category tags to your data; RAF extends the DSF to apply sensitivity tags to your data, such as Medium, High, and Very High.

Together, these frameworks replace the less comprehensive legacy Immuta Data Security Framework, which has been deprecated and will be removed from the product.

April 2, 2024

Enhancements

  • Support protecting more than 10,000 objects with Unity Catalog row- and column-level policies: Users can now mask more than 10,000 columns or tables with row filters, removing the previous limitation in the Unity Catalog integration. This enhancement provides greater flexibility and scalability for data masking operations, allowing users to effectively secure sensitive data across larger datasets.

  • Updates to button labels: Two buttons have been renamed to align their labels more closely with their functionality.

    • The "Sync Native Policies" button has been renamed to "Sync Data Policies" to better reflect its function.

    • The "Refresh Native Views/Policies" button has been renamed to "Refresh Native Views/Data Policies" for improved accuracy.

  • Support access using AWS IAM role in SaaS for Amazon S3 integration: Users can now leverage an AWS IAM role for Immuta to establish a secure, cross-account connection to S3 Access Grants. This enhancement allows for seamless orchestration of access grants, providing a more secure and compliant experience for our users.

March 2024

March 28, 2024

New feature

Support exporting audit to Azure ADLS Gen2: Immuta can now export audit logs to Microsoft Azure ADLS Gen2 Blob, in universal audit format (UAM). The Immuta audit export payload contains audit records for both configuration activity in Immuta and data access activity from Snowflake, Databricks and Starburst.

Deprecation

Deprecated items remain in the product with minimal support until their end of life date.

The ability to configure the behavior of the default subscription policy has been deprecated and will reach end of life in September 2024. Once this configuration setting is removed from the app settings page, Immuta will not apply a subscription policy to registered data sources unless an existing global policy applies to them. To set an "Allow individually selected users" subscription policy on all data sources, create a global subscription policy with that condition that applies to all data sources or apply a local subscription policy to individual data sources.

March 26, 2024

New features and enhancements

  • UAM support for Starburst: Immuta's universal audit model now includes query audit events from Starburst Enterprise. These query audit events are included on the new audit page, in the Detect activity views, and in the S3 export payload. This feature is currently supported in Immuta SaaS tenants with Starburst e438 and will be available in the 2024.2 LTS release.

  • Query duration support for Detect Monitors: Immuta Detect can now notify you via a webhook when a user executes a query that exceeds a configurable duration threshold on supported data platforms. This enhancement lets data platform owners know when a user issues long-running queries so they can keep data warehouse running costs low. Additionally, knowing which users issue long-running queries is an opportunity to help data consumers query the data in an optimal way, direct them to another optimized data set, and help the data owner understand new workload requirements.

    Use Detect monitors with query duration thresholds to increase visibility into users and queries that may breach data platform latency SLOs and to control data warehouse cost.

  • Write policies for Starburst: In addition to read operations, Immuta's Starburst integration now supports fine-grained access permissions for write operations. In its default setting, write operations control the authorization of SQL operations that perform data modification. Administrators can include more operations (such as ALTER and DROP tables) to be authorized as write operations through advanced configuration. Contact your customer success representative to learn more.

Breaking API change

The POST /tag/column/{datasource_id}_{column_name} endpoint (which adds tags to columns on data sources) can only tag existing columns on data sources. It does this by checking the dictionary associated with the data source to see if the desired column exists on the data source. This deployment introduces two breaking changes:

  • Column does not exist 404: When the column does not exist on the data source, a 404 status is now returned instead of a 200.

    {
      "statusCode": 404,
      "error": "Not Found",
      "message": "Data Source {datasourceId} does not have a column named '{columnName}' (case-sensitive)."
    }

  • Dictionary does not exist 404: When an associated dictionary does not exist on the specified data source (that you have access to add tags to), a 404 status is now returned instead of a 403.

    {
      "statusCode": 404,
      "error": "Not Found",
      "message": "Could not find column information for Data Source {datasourceId}."
    }

February 2024

February 27, 2024

Feature removal

Audit page: The audit page that uses the legacy audit format has been removed. The legacy version of Immuta audit format continues to be maintained and accessible through the deprecated audit API until its scheduled EOL date.

February 22, 2024

Enhancements

  • Color coding for data source health: The health status for each data source on the data source list page now uses color coding to provide a visual for users so they can quickly determine whether they should take action related to the health of data sources. Additionally, unhealthy data sources are ranked at the top of the list on the data source page to ensure that when users log in to Immuta they are aware that unhealthy data sources exist in the system. Prior to this change, users had to click through all data source pages or had to explicitly set up a filter to achieve the same behavior.

  • “Pending” policy state: A new Pending policy state indicates when background jobs are running to update permissions after a policy is created or changed. Once the Pending state changes to Active, all policy changes have been enforced on affected data sources.

  • Custom URL redirects: Custom URL redirects create a second fully-qualified domain name for SaaS tenants that redirects to the primary domain name. This gives users a domain name that they can remember and that has little impact on their integrations. Contact your customer success representative if you are interested in setting up a custom URL redirect.

  • Sensitive Data Discovery (SDD) tag context: Introducing language to specify when tags were placed by legacy SDD; the tag side sheet now mentions that legacy SDD is deprecated and targeted for removal in March 2024.

    Native SDD now leaves legacy SDD tags in place when they are not found upon a subsequent re-scan of a data source. Customers who begin using native SDD can now see results with no impact to prior legacy SDD tags. See the Migrate legacy to native SDD page for more details.

February 15, 2024

Enhancements

  • Faster query performance with Snowflake memoizable functions: When a policy is applied to a column, Immuta now uses Snowflake memoizable functions to cache the result of common lookups in the policy encapsulated in the called function.

    Subsequently, when users query a column with the applied policy, Immuta leverages the cached result, resulting in significant enhancements to query performance.

    To enable support for memoizable functions, contact your Immuta customer success representative.

  • Workspace filtering for Databricks Unity Catalog audit collection: Users can limit Databricks Unity Catalog audit collection by specifying a comma-delimited list of Databricks workspace IDs in the integration's app settings.

Bug fixes

  • For a more responsive Detect activity page experience, Immuta limited the number of auto-suggested filter values (such as data sources, tags, and users) to 100 of the most active values. The total item count for each filter type still reflects the number of events in the dashboard time range.

  • When pulling personally identifiable information (PII) from Collibra, Immuta now includes and differentiates true and false value assignments as Personally Identifiable Information.true and Personally Identifiable Information.false to more accurately reflect how PII is set in Collibra.

February 6, 2024

Enhancement

Improved validation when saving sensitive data discovery patterns in the Immuta UI: When adding a regular expression pattern for sensitive data discovery, the Immuta UI validates the format of the regular expression according to the RE2 regular expression standard. Patterns that don’t conform cannot be saved, preventing those patterns from causing failures at run time.

February 1, 2024

New feature

Snowflake query monitoring with notifications: Immuta Detect monitors help you surface non-compliant data combinations and maintain data availability through data platform configuration changes. Monitors automate manual aggregation and calculation of user activity metrics based on query events. Additionally, they can notify you when the metrics exceed your intended operating thresholds. Monitors work with query tags, query execution outcomes, and Immuta Discover classification sensitivities when enabled.

This feature is in private preview and can be made available upon request. Contact your customer success manager for more details.

Bug fix

Fix to address a UI issue that led customers to believe that disabled users were not getting their access revoked. The UI has been updated and disabled users are now being filtered out from the data source members tab.

January 2024

January 30, 2024

New features and enhancements

  • Immuta audit events in the universal audit model (UAM): Universal audits now include Immuta configuration audit events, domain audit events, sensitive data discovery (SDD) audit events, and user management audit events. Immuta tenants with the domain preview enabled can now audit domain structure changes.

  • Sensitive data discovery (SDD) pattern validation at runtime: SDD has used RE2 regular expression syntax since mid-year of 2023, and custom patterns created since that time are validated when added to the system. In limited cases, custom patterns created prior to this are not RE2 compliant and cause SDD analysis to fail without apparent cause. Now, those cases raise a detailed message stating the pattern name and the full regular expression. This message is shown under the data source health check menu for any targeted data sources where SDD failed for this reason.

  • Usability updates:

    • The new user profile page separates information better and makes it easier to understand.

    • Keyboard shortcuts are now available for some common functions. Keep an eye out for in-app guidance that helps with how to use them.

    • The account menu is wider for better readability and now has an option to toggle between light and dark mode. (By default, Immuta still uses your browser settings.)

    • Browser tabs tell you which page you’re on, instead of all being labeled “Immuta Console.” A new, adaptive favicon allows you to still tell that it’s Immuta at-a-glance, whether you’re in light or dark mode.
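For the SDD pattern validation described in the January 30 and February 6 entries, a way to pre-screen legacy custom patterns before they fail at run time, as an added example (not Immuta's validator). It assumes Go's `regexp` package as a stand-in for RE2, since that package accepts RE2 syntax except `\C`; the pattern names and expressions are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern is one custom SDD pattern: a display name and its regular expression.
type Pattern struct{ Name, Regex string }

// Finding carries what the runtime message reports (pattern name and full
// regular expression) plus the parser's reason, which is added here.
type Finding struct{ Name, Regex, Reason string }

// Constructed sample set; none of these patterns come from Immuta.
var samplePatterns = []Pattern{
	{"us_ssn", `\b\d{3}-\d{2}-\d{4}\b`},
	{"strong_secret", `^(?=.*\d)(?=.*[A-Z]).{12,}$`}, // lookahead: not RE2
	{"account_id", `(?i)acct-[0-9a-f]{8}`},
	{"doubled_word", `\b(\w+) \1\b`},     // backreference: not RE2
	{"amount_after_usd", `(?<=USD )\d+`}, // lookbehind: not RE2
}

// AuditPatterns returns one Finding per pattern that Go's regexp package
// rejects, in input order. Patterns that compile are RE2-compatible under
// the stand-in assumption stated in the lead-in.
func AuditPatterns(ps []Pattern) []Finding {
	var out []Finding
	for _, p := range ps {
		if _, err := regexp.Compile(p.Regex); err != nil {
			out = append(out, Finding{p.Name, p.Regex, err.Error()})
		}
	}
	return out
}

func main() {
	for _, f := range AuditPatterns(samplePatterns) {
		fmt.Printf("%-18s %-30s %s\n", f.Name, f.Regex, f.Reason)
	}
}
```

Lookarounds and backreferences are the usual reason a pattern written for a PCRE-style engine is rejected; RE2 omits them to guarantee linear-time matching, so such patterns have to be rewritten rather than escaped differently.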

Bug fix

Activating regulatory frameworks in Discover: Fix to address an issue that prevented some customers from activating the regulatory frameworks in Discover. In some cases, customers who previously used the Immuta data security framework (DSF) before getting access to the new frameworks for GDPR, CCPA, HIPAA and PCI were unable to activate the new frameworks.

January 25, 2024

New features and enhancements

  • Amazon S3 integration: Immuta’s Amazon S3 integration enhances the management of permissions in complex data lakes on object storage. Eliminate scalability concerns as you enforce S3 access effortlessly. You can grant users time-bound access to files and folders, creating a security posture with zero-standing permissions, a gold-standard for compliance.

    Additionally, you can grant access to human identities seamlessly through Identity Providers (IdPs) like Okta, Microsoft Entra ID, and more, thanks to integration with AWS IAM Identity Center. With the implementation of attribute-based access controls (ABAC) for S3, Immuta provides a simplified and efficient approach to managing data lake permissions. The privileges you set using the Amazon S3 integration can apply anywhere, from the CLI, to your applications using AWS SDKs, and on Amazon EMR Spark and Amazon SageMaker. Elevate your data governance with these advanced capabilities and experience a seamless and secure data access environment. Contact your customer success manager for more details.

  • Immuta audit events in the universal audit model (UAM): Universal audits now include Immuta policy and data source changes.

  • Write policies: Write policies is a new capability to manage user write access authorizations via policy (enabling users to modify data in data source objects). This release supports the new functionality for Snowflake and Databricks Unity Catalog integrations. Contact your customer success manager for more details.

Deprecations and breaking changes

Deprecated items remain in the product with minimal support until their end of life date.

| Feature | Deprecation notice | End of life (EOL) |
| --- | --- | --- |
| Databricks Spark with Unity Catalog support integration | January 2024 | March 2024 |
| dbt integration | January 2024 | March 2024 |
| Data source expiration dates | January 2024 | May 2024 |

Bug fixes

  • Bug fix for sensitive data discovery settings: Fix to the App Settings for Sensitive Data Discovery. Previously, the field to set the global SDD framework was hidden and as a result the global SDD framework could not be updated. The field is now available when SDD is turned on.

  • Bug fix for SDD rules display: Fix to an issue with adding new discovery rules to an Identification framework. Previously, a newly added discovery rule would not appear in the list in the UI until the page was reloaded. Newly added rules now appear in the list at once.

  • Immuta could not update a group through SCIM if that group was initially created through SAML before SCIM was enabled in an IAM's configuration.

January 23, 2024

Enhancements

  • Enhancement to Classification Frameworks rule display: In Discover, under Classification frameworks, the list of rules now shows all input and output tags in the browse list. There is no need to click further into a details screen to learn everything about a rule.

  • Change to SDD person name rule: The built-in Sensitive Data Discovery pattern for Person Name has been adjusted to more easily match columns that are consistent with person names.

Bug fix

Addressed a vulnerability that could allow a malicious user to enter HTML tags to affect the page's user interface. Such an issue could increase the risk of XSS attacks or threaten users’ privacy.

January 18, 2024

Bug fix

Performance improvements for Immuta tenants that had data sources with more than 500 masked columns.

January 16, 2024

Bug fix

Redshift Spectrum data sources were not deleted when the schema project they belonged to was deleted.

January 11, 2024

Bug fixes

  • Fix to address an issue that prevented users with the CREATE_DATA_SOURCE permission from being able to create a data source if a user without that permission previously tried to register data sources via the API.

  • Users were unable to edit an external catalog’s configuration.

January 9, 2024

Minor enhancements and fixes that are not user-facing.

January 8, 2024

New feature

Integrations API: The integrations API allows you to integrate your remote data platform with Immuta so that Immuta can manage and enforce access controls on your data.

January 4, 2024

Changes and enhancements

  • With native SDD enabled, users will have SDD options displayed when creating a data source for Snowflake and Databricks, but those SDD options will no longer be displayed for other technologies.

  • An additional 19 UAM audit events are captured and can now be viewed on the Immuta audit page in the UI or exported to S3. See the full list of supported events on the Universal audit model (UAM) page.

Bug fix

If creating a user initially failed because of an invalid payload, users encountered the following 409 error in a subsequent request with the correct payload: User with the provided userid already exists.


Copyright © 2014-2024 Immuta Inc. All rights reserved.