Skip to content

You are viewing documentation for Immuta version 2024.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Immuta Query Engine Overview

Audience: Data Users

Content Summary: This page explains the Immuta Query Engine.

Data Sources

Once subscribed to a data source, one of the mechanisms the user has for accessing data in that source is the Immuta SQL connection. The connection is a regular PostgreSQL connection, and the data sources look like PostgreSQL tables, but these tables abstract the true underlying database technology, allowing users to visit a single place for all of their data. However, the data still resides in its original location, not within Immuta. When a user queries the Immuta database, the query is transformed to sync with the underlying data platform for any data source. When the data is returned from the original location, Immuta applies policies based on the querying user's attributes and forwards the data on to that user.


All policy types are supported by the Immuta Query Engine. See the Subscription Policies or Data Policies overview for details about policy types.

Analytic Tools

Users can add their SQL connection to their analytic tools, such as Excel, Tableau, RStudio, etc. to query protected data through the Query Engine.

Once you’ve hooked in your BI tool and have subscribed to data sources in Immuta, you will see available tables in the Immuta database — these tables are the exposed Immuta data sources. All of the Immuta data sources look and feel just like PostgreSQL tables (when they are actually a proxy for the real data source). This means you can execute cross-database technology queries since to you, they are just PostgreSQL tables.

You will only be allowed to run queries on data sources you are subscribed to and against data you have appropriate entitlements to view.


To access data sources in the context of a project, Immuta users can also obtain unique SQL credentials for each project that they are a member of.

These credentials will only provide access to the data sources in their respective projects and allow Data Governors to enforce purpose-based restrictions on project data.

See Creating Project Based SQL Connections for more information.