Data products are a curated collection of data sources published in the Request app. Data products provide a single unit that consumers request, stewards review, and Immuta provisions in the underlying data platform. Data products can be discovered in the Immuta Request app or in your data catalog. See the Manage data products page for a how-to on publishing products.
Assets are representations of data objects that users can request access to through their data catalogs. Assets include a request form and a review flow that users will go through to request access. See the Manage assets page for a how-to on editing the request forms of assets.
Data products are published and managed by data product managers in Immuta. They are typically highly curated and ready for consumption by the business. Any Immuta user can browse the data products in Immuta and request access directly in the UI, which will be provisioned automatically in their data platform.
A data product contains the following metadata:
Name
Description (optional)
Subject matter expert (SME) (optional)
Data products list the data sources contained within them and the columns of each of those data sources, so that users can know the access they are requesting:
Data sources are the data objects in the data product (tables, views, or files). Any data source within the domain specified when publishing the data product can be added to the data product. For each data source Immuta shows:
Data source name
Fully qualified path with the host
Members: Members of the data product are users who are approved for access to the product.
Data stewards: Data products also have data stewards. These users are configured in the request form for the data product. They can be assigned by permission, domain, group, attribute, or username.
All data product settings and metadata are captured as of the point in time when the access request was made and approved.
For example, if you change the data use agreement for a data product after access requests were approved for five users, those five users would remain approved under the previous data use agreement. Immuta only updates the data product with the changes for new requests, not approved or pending requests.
Private preview: The assets feature is in private preview and available to all accounts.
Assets are representations of your data objects in Immuta. They are created automatically when you register a connection and will dynamically update with object crawls. Because they are created from a connection, they reflect the hierarchy of your data platforms and allow you to configure request forms for every data object for your specific requirements.
Only users with the GOVERNANCE permission or designated as data stewards in a request form can see assets.
Assets do not currently show members or access requests. To view the access requests for a specific asset and deduce the current members, filter by the asset name on the Access requests page in the UI.
Columns are organized per data source and include the following information:
Column name
Column tags
A red-eye icon and the label Masked will indicate that a masking policy is applied to the column
When viewing a data product, you can see details about what you’ll be able to query or unmask if approved:
The data product’s data sources (tables, views, files) and your Access Status for each
The data product’s columns and if masking is applied
There are different statuses based on the type of access you want.
There are three possible access statuses for the data sources in a data product:
Current access: You already have access to this data source through existing policies or a data product approval.
Access if approved: You will gain access to this data source should you request access and your request is approved.
Access prevented: There are existing required policies on this data source that you do not meet.
It is still worth requesting access to a data product even if you have access to all the data sources it contains because new data sources may be added later, which you may not have birthright access to. In this case, if approved to the data product, you will gain access to the new data sources as soon as they are added to the data product.
It is possible that a data consumer will be blocked from accessing certain data sources, despite being granted access to a data product. This can be the case if data sources are protected by a and the consumer does not meet the criteria defined by that policy.
For example, there may be a rule stating that only members of the group HR can ever be eligible to be subscribed to employee data. Because of that rule, there is a created through the Govern app on that data source that states
Prevent users from subscribing unless user is a member of group HR on data sources tagged employee.
In this case, even if a consumer was approved access to a data product containing some data sources with employee data, their access will be blocked if they are not part of the group HR. This provides global governance with a guarantee that nobody can bypass policies on extremely sensitive data sources.
If that data source is now made part of a data product, the requesting user must be a member of group HR to gain access to that particular data source in the data product, even if they are approved to the data product. If the policy changes so the user meets the requirements, or if the user is added to group HR, Immuta will update the user’s access and grant access to that data source.
There are two masking statuses for columns within the data sources of a data product:
Masked: The column is currently masked by a data policy, but you can request a masking exception.
—: The column is not masked, so no exception is needed.
If an access request is approved, Immuta automatically provisions access in the supported data platforms:
Data access requests: The user gains query access to the approved data sources in the asset or data product.
Masking exception requests: The user sees unmasked values for the approved columns, while masking continues to apply for all other users.
In both cases, the provisioning is represented as an , combined with any applicable birthright or guardrail policies.
The access statuses in a data product are updated accordingly:
Data sources:
Current access → Current access
Access if approved → Current access
Access prevented → Access prevented
Columns:
Masked → - (unmasked for the approved user only)
The requesting user and stewards will receive a notification through their configured that the access was approved or denied. A history of requests and their determinations is also visible on the Access requests page in the UI.
For any asset or data product, a data steward can choose to provide a temporary approval to the access request. This provisions access to the user for a set duration of time and then rescinds access through the asset or data product at the end of the set time. If you have temporary access to a data product, your access status will be updated: Temporarily approved.
Both data access and masking exception requests can be granted temporarily. When the approval expires, the user's access will be automatically revoked:
Data access requests: Provisioned access to data sources is revoked automatically when the duration expires.
Masking exception requests: Approved columns return to masked automatically when the duration expires.
After expiration, the user can re-request access or exceptions as needed.
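The data source status rules described on this page (required policies that approval cannot bypass, approval, and temporary approval expiry) can be modeled as follows. This is an added example, not Immuta code or an Immuta API: the class names, the GUARDRAILS mapping, the sample users and data sources are all hypothetical, and it assumes that an expired temporary approval returns a data source to "Access if approved".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class DataSource:
    name: str
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    birthright: frozenset = frozenset()  # sources already reachable via existing policies

@dataclass(frozen=True)
class Approval:
    expires_at: Optional[datetime] = None  # None = no expiry; set for temporary approvals

# Hypothetical encoding of the page's example rule: tag -> group required to subscribe.
GUARDRAILS = {"employee": "HR"}

def meets_guardrails(user, source):
    return all(GUARDRAILS[t] in user.groups for t in source.tags if t in GUARDRAILS)

def access_status(user, source, approval, now):
    """Status shown for one data source in a data product (simplified model)."""
    if not meets_guardrails(user, source):
        return "Access prevented"  # a product approval never overrides a required policy
    active = approval is not None and (
        approval.expires_at is None or now < approval.expires_at)
    if active or source.name in user.birthright:
        return "Current access"
    return "Access if approved"

def product_view(user, sources, approval, now):
    """Map each data source in the product to the user's status."""
    return {s.name: access_status(user, s, approval, now) for s in sources}

# Constructed sample data, for illustration only.
NOW = datetime(2024, 1, 1)
PRODUCT = [DataSource("orders"), DataSource("salaries", frozenset({"employee"}))]
ALICE = User("alice", frozenset({"analysts"}))

if __name__ == "__main__":
    print("before request:  ", product_view(ALICE, PRODUCT, None, NOW))
    print("after approval:  ", product_view(ALICE, PRODUCT, Approval(), NOW))
    week = Approval(NOW + timedelta(days=7))
    print("temp, day 8:     ", product_view(ALICE, PRODUCT, week, NOW + timedelta(days=8)))
```

Re-evaluating the same approval after the user joins group HR moves the tagged data source from "Access prevented" to "Current access", which matches the behavior the page describes for policy or group changes.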