Use Immuta as a Marketplace
If you do not currently have a marketplace solution for your data products, you can create a marketplace in Immuta for your users to browse curated data products and request access to those data products. Then your data stewards can make determinations in Immuta that translate directly to Immuta policies and automatic access provisioning.

Figure 1 depicts the workflows available. This walkthrough will guide you through these steps.
Some of these steps are performed by different user types in Immuta, so this walkthrough is organized by user type.
Governance and user admin users
The data sources that are exposed through your data products are sourced from a domain, so to publish a data product you must have at least one domain with at least one data source in it. Any user with the Immuta GOVERNANCE permission can publish data products in the Request app using any domain. However, this job can be delegated by creating data product managers: give a user the Manage Data Products permission in a domain to make them a data product manager for that domain.

As shown in Figure 2, creating a domain and assigning data sources to it is handled by a user with GOVERNANCE permission. Assigning the Manage Data Products permission is handled by a user with USER_ADMIN permission.
These actions are completed in the Governance app, not the Request app.
Data product manager user
This user is able to publish the data products, manage their metadata, and manage request forms. As mentioned above, a data product manager must have the global GOVERNANCE permission or the domain-specific Manage Data Products permission in a domain.
From there, data product managers are able to publish and manage data products from their domains, as depicted in Figure 3.
When a new data product is published, a webhook is sent off and users with Manage Data Products permission in that data product's domain will receive a notification.

However, the first step in creating a data product is ensuring that the data sources that make up the data product are contained in the domain where you have the Manage Data Products permission.
Making data sources available in a domain
See the Setting up domains for data product management page for details about how to have data sources assigned to domains automatically.
Data consumer user
A data consumer can be anyone with a login to Immuta. They can visit the Request app, search for data products and request access to them, or request masking exceptions on specific columns within those products, as shown in Figure 4.
Once they request access, a webhook is sent off and Immuta will send notifications to the data stewards of the data product.

Data steward user
The data stewards are tasked with making determinations on access requests, the final step in the workflow depicted in Figure 5.

Data stewards are assigned to data products in the request form used; they can be assigned based on their group, attributes, or permissions, or an exact user can be assigned. If the data stewards are not assigned in a request form, the data product owner will select them for each data product. The request form also dictates whether any data steward can approve an access request or whether all of them must.
When an access request is made that requires approval, a webhook is sent off and data stewards will receive a notification with the request. Additionally, it will appear as pending, signaling a determination is required.
The data steward can make the determination by approving, denying, or temporarily approving it with a reason. If approved, Immuta will automatically provision access and complete the workflow: depending on the request type, it either grants data product access in the data platform or unmasks the approved columns. When any data steward can approve, just a single determination will dictate the user's access. However, if all data stewards must approve, one determination must be made by one data steward belonging to each of the assigned groups, attributes, or permissions. If a single data steward denies access, the user will not get access.
When a final determination is made for an access request, a webhook is sent off and the requester and all other data stewards for the data product will receive a notification with the decision.
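The any/all approval rule described above, modeled as a small decision function. This is an added illustration, not Immuta code or its API: the names `Determination` and `final_determination`, the "pending" state, the sample groups and users, and the choice to ignore determinations from stewards outside the assigned criteria are all assumptions of this sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Determination:
    steward: str
    criterion: str  # assigned group, attribute or permission the steward matches
    approved: bool  # a temporary approval is treated as approved in this model


def final_determination(mode, criteria, determinations):
    """Return 'approved', 'denied' or 'pending' for one access request.

    mode is 'any' or 'all'; criteria is the set of assigned steward
    criteria; determinations are listed in the order they were made.
    """
    if mode not in ("any", "all"):
        raise ValueError("mode must be 'any' or 'all'")
    if not criteria:
        # Fail closed: with no stewards assigned nothing can approve.
        raise ValueError("at least one steward criterion is required")
    # Assumption: a determination from outside the assigned criteria is ignored.
    valid = [d for d in determinations if d.criterion in criteria]
    if mode == "any":
        # The first valid determination dictates the outcome.
        if not valid:
            return "pending"
        return "approved" if valid[0].approved else "denied"
    # 'all': a single denial is final, whatever the other stewards decided.
    if any(not d.approved for d in valid):
        return "denied"
    covered = {d.criterion for d in valid}
    return "approved" if covered == set(criteria) else "pending"


# Constructed sample data (hypothetical groups and users).
CRITERIA = {"group:finance-stewards", "group:privacy-office"}
ALICE_OK = Determination("alice", "group:finance-stewards", True)
BOB_OK = Determination("bob", "group:privacy-office", True)
BOB_NO = Determination("bob", "group:privacy-office", False)
MALLORY_OK = Determination("mallory", "group:marketing", True)

if __name__ == "__main__":
    print(final_determination("any", CRITERIA, [ALICE_OK]))          # approved
    print(final_determination("all", CRITERIA, [ALICE_OK]))          # pending
    print(final_determination("all", CRITERIA, [ALICE_OK, BOB_OK]))  # approved
    print(final_determination("all", CRITERIA, [ALICE_OK, BOB_NO]))  # denied
    print(final_determination("all", CRITERIA, [MALLORY_OK]))        # pending
```

A model like this is useful when reviewing request forms: in "all" mode, an approval from only one of the assigned groups leaves the request pending, and an empty steward assignment is rejected outright instead of being treated as approved.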

