Start from Your Data Catalog
With the Request app, you can let your users browse for data in your data catalog (Atlan, Alation, Collibra, Databricks Unity, Snowflake Horizon, etc.) and request access as soon as they find the data they need. Your catalog is the single source of truth for the data and its metadata, while Immuta helps you track the incoming requests and the determinations made on them.
Access request links
Access request links are what allow your users to click a Request access button in their data catalog and arrive at the correct request form in Immuta.
Each access request link corresponds to a data product or asset in Immuta. For assets, when a user clicks the link, Immuta identifies the requested object from the fullyQualifiedName and attaches the correct request form. The asset access request links are completely deterministic, so you can add them to data objects in your data catalog without having to refer to names or data source IDs in Immuta.
Access request links automatically work with any asset in Immuta, because all assets are populated from connections. Access request links can be configured with any data catalog by adding the link to the data asset's description. However, Immuta does have integrations with select catalogs for an improved user experience.
The access request links for every asset are formatted as follows:
https://app.immutacloud.com/marketplace/request?requestType&host&technology&fullyQualifiedName&accountId
The access request links for data products are formatted as follows:
https://app.immutacloud.com/marketplace/data-product/{data product id}/request-access?type&accountId
For details about the access request link variables, see the Configure access request links guide.
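An added example (not Immuta's code) that builds an asset access request link in the format above with percent-encoded values, and checks a link found in a catalog description before it is trusted. The base URL and parameter names come from this page; the sample values in the demo are constructed placeholders, and the accepted values are defined in the Configure access request links guide.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Base URL and parameter names are taken from the asset link format on this page.
ASSET_REQUEST_BASE = "https://app.immutacloud.com/marketplace/request"
REQUIRED_PARAMS = ("requestType", "host", "technology",
                   "fullyQualifiedName", "accountId")


def build_asset_request_link(request_type, host, technology,
                             fully_qualified_name, account_id):
    """Return an asset access request link with every value percent-encoded."""
    values = dict(zip(REQUIRED_PARAMS, (request_type, host, technology,
                                        fully_qualified_name, account_id)))
    empty = [name for name, value in values.items() if not value]
    if empty:
        raise ValueError("missing values for: " + ", ".join(empty))
    # quote (not quote_plus) so spaces become %20 rather than '+'.
    return ASSET_REQUEST_BASE + "?" + urlencode(values, quote_via=quote)


def check_asset_request_link(link):
    """Return a list of problems with a link pasted into a catalog description."""
    problems = []
    expected = urlsplit(ASSET_REQUEST_BASE)
    parts = urlsplit(link)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Exact hostname match rejects look-alike hosts and userinfo tricks.
    if parts.hostname != expected.hostname:
        problems.append(f"unexpected host {parts.hostname!r}")
    if parts.path != expected.path:
        problems.append(f"unexpected path {parts.path!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append(f"parameter {name} missing, empty or repeated")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    link = build_asset_request_link("example-request-type",
                                    "example.snowflakecomputing.com",
                                    "Snowflake", 'SALES DB."Order Items"',
                                    "example-account-id")
    print(link)
    print(check_asset_request_link(link))
```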
Data products and assets
When starting from your data catalog, you may opt to just use the access request links from assets, requiring no additional setup in Immuta. However, if you want users to be able to request access to a collection of objects at the same time, you can publish and use data products:
Collection of objects (e.g., data product, dataset, etc.) | Data product | Publish a curated collection of data sources as a data product to mirror the collection for objects in your catalog.
Assets (e.g., table, view, schema) | Assets | No additional setup required. Assets are automatically created from connections.
For more information, see the Data products and assets page.
Provisioning
Once a user clicks the access request link and fills out the request form, the request is sent to data stewards to review. If they determine that the user should have access to the data, then Immuta provisions access for the data consumer in the data platform. This access is represented as scalable Immuta policies and, for supported connections, pushed as native grants into the data platform so the user can query the data.
For more information about provisioning, see the Understanding access provisioning and underlying policies guide.
Supported data catalogs
While you can add access request links to the description of data objects in any catalog, Immuta provides additional support for select data catalogs.
Alation | Access request, Masking exception, Data product access | Yes
Atlan | Access request, Masking exception, Data product access | Yes
Collibra | Access request (coming soon), Masking exception, Data product access | Yes
Databricks Unity Catalog | Access request | No
Snowflake Horizon | Access request (available through Universal Search) | No
Other | Always possible through description field | No
Databricks Unity Catalog considerations
Databricks Unity Catalog does not have a dedicated location for the masking exception request button; however, data consumers can re-request access to the same object and choose a masking exception instead of, or in addition to, an access request.
Snowflake Horizon considerations
If the access request link is configured through the description field, there will not be a dedicated button to make a masking exception request; however, data consumers can re-request access to the same object and choose a masking exception instead of, or in addition to, an access request.
Snowflake contact limitations
If the access request link is configured through contacts, the Request access button is only visible from Snowsight in Universal Search results. It will not appear in the Horizon Catalog explorer.
If the access request link is configured through contacts and you have access to at least one object within a database or schema, then the Request access button will not be visible for that database or schema in the Snowsight Universal Search results screen.
For example, for the following database, schema, and table:
Database A
  Schema B
    Table C
    Table D
If you have access to Table C, you will not be able to request access to Database A or Schema B.
To avoid these limitations, opt to add the request access link to the Snowflake object descriptions rather than the contact. OBJECT_VISIBILITY still needs to be set on your databases.

