Author an ABAC Subscription Policy
This guide demonstrates how to build attribute-based access control (ABAC) subscription policies using the policy builder in the Immuta UI. To build more complex policies than the builder allows, follow the Advanced rules DSL policy guide.
- Determine your policy scope:
- Global policy: Click the Policies page icon in the left sidebar and select the Subscription Policies tab. Click Add Subscription Policy and complete the Enter Name field.
- Local policy: Navigate to a specific data source and click the Policies tab. Click Add Subscription Policy and select New Local Subscription Policy.
-
Select Allow Users with Specific Groups/Attributes.
-
Choose the condition that will drive the policy: when user is a member of a group or possesses attribute.
-
Use the subsequent dropdown to choose the group or attribute for your condition. You can add more than one condition by selecting + ADD. The dropdown menu in the subscription policy builder contains conjunctions for your policy. If you select or, only one of your conditions must apply to a user for them to see the data. If you select and, all of the conditions must apply.
-
If you would like to make your data source visible in the list of all data sources in the UI to all users, click the Allow Discovery checkbox. Otherwise, this data source will not be discoverable by users who do not meet the criteria established in the policy.
- Check the Require users to take action to subscribe checkbox to turn off automatic subscription. Enabling this feature will require users to manually subscribe to the data source if they meet the policy.
- If you would like users to have the ability to request approval to the data source, even if they do not have the required attributes or traits, check the Request Approval to Access checkbox. This will require an approver with permissions to be set.
-
For global policies: Select how you want Immuta to merge multiple global subscription policies that apply to a single data source.
-
Always Required: Users must meet all the conditions outlined in each policy to get access (i.e., the conditions of the policies are combined with
AND
). -
Share Responsibility: Users need to meet the condition of at least one policy that applies (i.e., the conditions of the policies are combined with
OR
).
Note: To make this option selected by default, see the app settings page.
-
-
For global policies: Click the dropdown menu beneath Where should this policy be applied and select When selected by data owners, On all data sources, or On data sources. If you selected On data sources, finish the condition in one of the following ways:
-
tagged: Select this option and then search for tags in the subsequent dropdown menu.
-
with columns tagged: Select this option and then search for tags in the subsequent dropdown menu.
-
with column names spelled like: Select this option, and then enter a regex and choose a modifier in the subsequent fields.
-
in server: Select this option and then choose a server from the subsequent dropdown menu to apply the policy to data sources that share this connection string.
-
created between: Select this option and then choose a start date and an end date in the subsequent dropdown menus.
-
-
Click Create Policy. If creating a global policy, you then need to click Activate Policy or Stage Policy.
Additional global ABAC subscription policies
When you have multiple global ABAC subscription policies to enforce, create separate global ABAC subscription policies, and then Immuta will use boolean logic to merge all the relevant policies on the tables they map to.