Review Flows
Understanding review flows
Review flows define the approval process for access requests. When a user requests access to a data product, asset, or column (masking exception), the review flow determines who must authorize that request or if it can be approved automatically.
Configuration modes
When setting up a review flow within a request form, you must first decide how the reviewers (stewards) are managed. There are two primary modes:
1. In this request form (Centralized)
The review flow is defined directly within the request form. Every asset, data product, or column that uses this form will follow the same set of reviewers. This is ideal for standardized processes across the organization.
2. Delegate (Decentralized)
The review flow is managed at the individual asset or data product level. This allows local owners to configure their own specific reviewers, providing flexibility for different departments or data types while still using the same underlying request questions.
When using the Delegate mode, stewards configured at the local level will not have permission to edit the request form's questions.
Automatic approval
In cases where data is low-risk or public, you can select Automatically approve. This removes the need for manual intervention by a steward.
Justification: You are required to provide a reason why this data should be automatically accessible.
Duration: You can set these approvals to Never expire (permanent access) or expire After a set duration (temporary access).
Assigning stewards
If manual review is required, you must select the source of the stewards. A review is considered complete based on the sources assigned.
Steward sources
You can select reviewers from several categories:
User: A specific individual.
Group: Any member of a specific user group.
Attribute: Users associated with a specific metadata attribute.
Global permission: Users with system-wide roles (e.g., GOVERNANCE).
Domain permission: Users with the Manage Data Product permission on the specific domain where the data product resides. See the section below for details.
Catalog permission: The specific owner assigned to the asset in the external catalog. See the section below for details.
Dynamic steward lookups
Even when a review flow is fixed at the request form level, some sources are dynamic. This means the system identifies the specific reviewer based on the asset being requested:
| Source | How it works |
| --- | --- |
| Catalog permission: Asset owner | The system looks up the specific owner assigned to the asset in the external catalog (only specific catalogs are supported). |
| Domain permission: Manage data product | The system identifies users with the Manage Data Product permission on the specific domain where the data product resides. |
External catalog asset owner support
External catalogs that support the Catalog permission asset owner source in Immuta review flows are listed below:
Atlan: Asset Owner
Understanding approval logic
It is important to distinguish between Sources and Individuals. If your flow requires all stewards to approve, this means one representative from each assigned source must approve.
Example: If you assign a Security Group and a Data Owner as sources, you need one person from the Security Group and the specific data owner to sign off. It does not require every single person within the Security Group to click approve.
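The rule above, together with the dynamic asset-owner lookup, can be modeled in a few lines. This is an added illustration, not Immuta code or its API: the `Source` type, the resolver functions, and all users, groups, and asset names are constructed for the example, and it assumes that a user who belongs to two sources satisfies both with one approval.

```python
from dataclasses import dataclass
from typing import Callable

# A steward source resolves to the set of users allowed to approve on its behalf.
# Dynamic sources (such as the catalog asset owner) depend on the requested asset.
Resolver = Callable[[str], set[str]]

@dataclass(frozen=True)
class Source:
    name: str
    resolve: Resolver

# Constructed sample data: hypothetical group members and catalog owners.
SECURITY_GROUP = {"alice", "bob", "carol"}
ASSET_OWNERS = {"sales.orders": "dave", "hr.payroll": "erin"}

def owner_of(asset: str) -> set[str]:
    """Dynamic lookup: the single owner recorded for this asset, if any."""
    owner = ASSET_OWNERS.get(asset)
    return {owner} if owner else set()

# One flow defined at the form level and reused for every asset.
FLOW = [
    Source("Group: Security", lambda asset: SECURITY_GROUP),
    Source("Catalog permission: Asset owner", owner_of),
]

def pending_sources(flow: list[Source], asset: str, approvals: set[str]) -> list[str]:
    """Names of sources that have no approving representative yet.

    Assumption of this model: one user who is a member of several sources
    counts for each of them.
    """
    return [s.name for s in flow if not (s.resolve(asset) & approvals)]

def is_approved(flow: list[Source], asset: str, approvals: set[str]) -> bool:
    """'All stewards' means every source has at least one approver."""
    return not pending_sources(flow, asset, approvals)

if __name__ == "__main__":
    # Every group member approved, but the owner has not: still pending.
    print(pending_sources(FLOW, "sales.orders", {"alice", "bob", "carol"}))
    # One group member plus the owner: complete.
    print(is_approved(FLOW, "sales.orders", {"alice", "dave"}))
```

In this model a dynamic source that resolves to nobody (an asset with no owner recorded) stays pending indefinitely, so it is worth checking that every asset attached to such a form has an owner.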
How to apply a review flow
Configure: Set up the flow logic within a Request Form.
Attach: Link the Request Form to a Data Product or Asset.
Execute: When a user clicks Request Access, the review flow is triggered automatically based on your configuration.
As you build out these flows, consider whether your priority is strict central governance or local flexibility. Which approach best fits your current data architecture?

