This page describes the Azure Synapse Analytics integration, through which Immuta applies policies directly in Azure Synapse Analytics. For a tutorial on configuring Azure Synapse Analytics see the Azure Synapse Integration page.
The Azure Synapse Analytics is a policy push integration that allows Immuta to apply policies directly in Azure Synapse Analytics Dedicated SQL pools without the need for users to go through a proxy. Instead, users can work within their existing Synapse Studio and have per-user policies dynamically applied at query time.
This integration works on a per-Dedicated-SQL-pool basis: all of Immuta's policy definitions and user entitlements data need to be in the same pool as the target data sources because Dedicated SQL pools do not support cross-database joins. Immuta creates schemas inside the configured Dedicated SQL pool that contain policy-enforced views that users query.
When the integration is configured, the Application Admin specifies the
Immuta Database: This is the pre-existing database Immuta uses. Immuta will create views from the tables contained in this database, and all schemas and views created by Immuta will exist in this database, such as the schemas immuta_system, immuta_functions, and the immuta_procedures that contain the tables, views, UDFs, and stored procedures that support the integration.
Immuta Schema: The schema that Immuta manages. All views generated by Immuta for tables registered as data sources will be created in this schema.
User Profile Delimiters: Since Azure Synapse Analytics dedicated SQL pools do not support array or hash objects, certain user access information is stored as delimited strings; the Application Admin can modify those delimiters to ensure they do not conflict with possible characters in strings.
For a tutorial on configuring the integration see the Azure Synapse Integration page.
Synapse data sources are represented as views and are under one schema instead of a database, so their view names are a combination of their schema and table name, separated by an underscore.
For example, with a configuration that uses IMMUTA as the schema in the database dedicated_pool, the view name for the data source dedicated_pool.tpc.case would be dedicated_pool.IMMUTA.tpc_case.
You can see the view information on the data source overview page under Connection Information.
This integration uses webhooks to keep views up-to-date with the corresponding Immuta data sources. When a data source or policy is created, updated, or disabled, a webhook is called that creates, modifies, or deletes the dynamic view in the Immuta schema. Note that only standard views are available because Azure Synapse Analytics Dedicated SQL pools do not support secure views.
An Immuta Application Administrator configures the Synapse integration, registering their initial Synapse Dedicated SQL pool with Immuta.
Immuta creates Immuta schemas inside the configured Synapse Dedicated SQL pool.
A Data Owner registers Synapse tables in Immuta as data sources. A Data Owner, Data Governor, or Administrator creates or changes a policy or user in Immuta.
Data source metadata, tags, user metadata, and policy definitions are stored in Immuta's Metadata Database.
The Immuta Web Service calls a stored procedure that modifies the user entitlements or policies and updates data source view definitions as necessary.
A Synapse user who is subscribed to the data source in Immuta queries the corresponding data source view in Synapse and sees policy-enforced data.
This page describes the Azure Synapse integration, configuration options, and features. See the for a tutorial on enabling the integration and these features through the App Settings page.
A running Dedicated SQL pool
The Azure Synapse Analytics integration supports the username and password authentication method to configure the integration and create data sources.
Immuta cannot ingest tags from Synapse, but you can connect any of these to work with your integration.
Impersonation allows users to query data as another Immuta user in Synapse. To enable user impersonation, see the page.
Immuta does not support the following masking types in this integration because of limitations with Dedicated SQL pools (linked below). Any column assigned one of these masking types will be masked to NULL:
The delimiters configured when enabling the integration cannot be changed once they are set. To change the delimiters, the integration has to be disabled and re-enabled.
If the generated view name is more than 128 characters, then the view name is shortened to 128 characters. This could cause collisions between view names if the shortened version is the same for two different data sources.
For proper updates, the Dedicated SQL pools have to be running when changes are made to users or data sources in Immuta.
A user can to a single Immuta tenant.
Reversible Masking: Synapse UDFs currently only support SQL, but Immuta needs to execute code (such as JavaScript or Python) to support this masking feature. See the .
Format Preserving Masking: Synapse UDFs currently only support SQL, but Immuta needs to execute code (such as JavaScript or Python) to support this masking feature. See the .
Regex: The built in string replace function does not support full regex. See the .
Project Workspaces | Native Query Audit |
The table below provides definitions for each status and the state of configured data platform integrations. The status of the integration appears on the integrations tab of the Immuta application settings page and in the response schema of the integrations API.
If any errors occur with the integration configuration, a banner will appear in the Immuta UI with guidance for remediating the error.
| Status | Description | State |
|---|---|---|
createError
Error occurred during creation of the integration.
creating
Integration is in the process of being created and set up.
deleted
Integration is deleted.
Not in use
deleteError
Error occurred while deleting the integration. The integration has been rolled back to the previous state.
deleting
Integration is in the process of being disabled or deleted.
disabled
Integration was force disabled and no cleanup was performed on the native platform.
Not in use
editError
Error occurred while editing the integration. The integration has been rolled back to the previous state.
editing
The integration is in the process of being edited.
enabled
The integration is enabled and active.
migrateError
Error occurred while performing a migration of the integration. The integration has been rolled back to the previous state.
migrating
Migration is being performed on the integration. An example of a migration is a stored procedure update.
recurringValidationError
Validation has failed during the periodic check and the integration may be misconfigured.