Subscription Policies


Overview

Subscription policies control who can access specific data sources (e.g., tables, views, S3 objects). Together with data policies—which determine what users can see once they have access (e.g., row- or column-level controls)—these policies form a comprehensive data governance framework. This article focuses on the types of subscription policies in Immuta, their use cases, and best practices for efficient and scalable implementation.

Subscription policies are built on two key components:

  1. Who is allowed to access the data?
  2. What tags define the access?

Types of Subscription Policies

There are two types of subscription policies in Immuta:

  1. Anyone (least restricted): Users will automatically be granted access to the data sources.
  2. Users with specific groups or attributes (moderately restricted): Only users with the specified groups or attributes can see the data source and subscribe.

All types of subscription policies in Immuta can be applied to two different scopes:

  • Local policy: Targets specific, individual tables. These policies are precise but require manual configuration for each table.
  • Global policy: Applies to data sources based on tags rather than individual tables. This allows a single policy to govern access across a broad range of datasets.

Recommendation: Immuta recommends adopting attribute-based access control (ABAC) global subscription policies to improve scalability and reduce complexity. Compared to group-based subscription policies, ABAC subscription policies are easier to audit, eliminate role explosion, and provide a clear, data-driven way to control access.

Anyone (Least Restrictive)

A subscription policy that allows anyone to access the data is the least restrictive type of subscription policy in Immuta.

  • Use Case: This approach is typically used for non-sensitive, widely needed data, such as reference codes. For example, medical reference codes (e.g., ICD-10) or financial tax codes are typically datasets that should be available to all users.
  • Implementation:
    • Tag relevant data sources with a tag such as reference_codes
    • Create a single policy to allow anyone to subscribe to data sources tagged reference_codes
  • Benefits:
    • Simplifies access to commonly used datasets.
    • Eliminates the need for multiple policies for the same type of data. This allows data owners to focus on simply tagging their data products instead of creating additional policies each time they publish a data product.

Users with Specific Groups or Attributes (Moderately Restrictive)

This type of subscription policy is used to grant access based on specific group memberships or user attributes. 

Group-Based Approach

  • Use Case: This approach is commonly used when access must be tied to specific organizational groups, such as teams or departments. For example, a group like Research_Team_B might be granted access to data sources tagged Clinical_Trial_2A7. This ensures that only users in that specific research team can access that specific clinical trial data.
  • Implementation:
    • Define a group (e.g., Research_Team_B).
    • Tag the relevant data sources with a consistent tag, such as Clinical_Trial_2A7.
    • Write a subscription policy in Immuta linking the group to the tagged data sources, such as: Allow users to subscribe when the user is a member of the group Research_Team_B on data sources tagged Clinical_Trial_2A7.
    • This process must be repeated for every new data source or group, leading to significant overhead as the number of datasets grows.
  • Benefits:
    • Straightforward setup for small-scale environments with minimal group and data complexity.
  • Challenges:
    • Each new data product requires a new policy.
    • “Role explosion” occurs as new groups are created for new data products.
    • Managing group memberships becomes complex when users frequently move in and out of groups.
    • Auditing is difficult because user access is tied to group memberships, making it hard to trace permissions.

Attribute-Based One-Policy Approach (Recommended)

ABAC subscription policies allow for dynamic, data-driven access with a single, scalable policy. This approach eliminates the need to create new policies for every data source.

  • Use Case: You can use attribute-based policies to dynamically manage access with a single, scalable policy using the @hasTagAsAttribute function to match user attributes to data source tags. For example, users with the attribute value allowed_data_product: AML_Reports can automatically gain access to tables tagged AML_Reports.
  • Implementation:
    • Use Immuta’s @hasTagAsAttribute function to define a single subscription policy: Allow users to subscribe when the user’s attribute matches the tag on the table for ALL data sources.
    • Ensure that user profiles include up-to-date attributes that reflect their allowed access. For example, add an attribute like allowed_data_product: AML_Reports to users who need access to AML Reports.
    • Apply consistent tags to data sources that correspond to user attributes. For example, tag datasets as AML_Reports to align with the user attribute.
  • Benefits:
    • Scales automatically as new data products are published.
    • Reduces the need for multiple policies.
    • Simplifies auditing with clear data-driven access.
    • Allows data owners to focus solely on tagging data sources.
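To make the difference between the three patterns concrete, the following is an added toy evaluator in Python; it is example code, not Immuta's implementation or its actual policy engine. The policy constructors, the merge rule in can_subscribe and the sample users and sources are assumptions; the tags, group and attribute names come from the article.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # key -> set of values

@dataclass
class DataSource:
    name: str
    tags: set
# A policy is (scope_tag, predicate); scope_tag None means "ALL data sources".
def anyone_policy(scope_tag):
    """'Anyone': every user is granted access to sources tagged scope_tag."""
    return (scope_tag, lambda user, src: True)

def group_policy(scope_tag, group):
    """Group-based: only members of `group` may subscribe to sources tagged scope_tag."""
    return (scope_tag, lambda user, src: group in user.groups)

def has_tag_as_attribute_policy(attribute_key):
    """Models @hasTagAsAttribute: one policy on ALL sources; a user may subscribe
    when a tag on the source equals one of the user's attribute_key values."""
    return (None, lambda user, src: bool(src.tags & user.attributes.get(attribute_key, set())))

def can_subscribe(user, src, policies):
    """Toy merge rule (assumption): granted when at least one policy whose scope
    covers the source admits the user; a source no policy covers stays hidden."""
    applicable = [pred for scope, pred in policies if scope is None or scope in src.tags]
    return any(pred(user, src) for pred in applicable)

# Constructed sample data using the tags and names from the article.
POLICIES = [
    anyone_policy("reference_codes"),
    group_policy("Clinical_Trial_2A7", "Research_Team_B"),
    has_tag_as_attribute_policy("allowed_data_product"),
]
ALICE = User("alice", groups={"Research_Team_B"})
BOB = User("bob", attributes={"allowed_data_product": {"AML_Reports"}})
SOURCES = [
    DataSource("icd10_codes", {"reference_codes"}),
    DataSource("trial_2a7_results", {"Clinical_Trial_2A7"}),
    DataSource("aml_reports", {"AML_Reports"}),
    DataSource("kyc_reports", {"KYC_Reports"}),  # newly published; no policy edited
]

def access_matrix(users, sources=SOURCES, policies=POLICIES):
    """Return {(user, source): granted}, i.e. an auditable view of who sees what."""
    return {(u.name, s.name): can_subscribe(u, s, policies) for u in users for s in sources}
```

Publishing kyc_reports needs no policy change: a user gains access the moment allowed_data_product: KYC_Reports is added to their profile, whereas the group-based pattern would require a fourth policy.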

Best Practices for Subscription Policies

  • Adopt Attribute-Based One-Policy Approach: ABAC policies enable dynamic, data-driven access control, reducing complexity and ensuring scalability.
  • Clear and Consistent Tagging: Use meaningful and consistent tags for data sources. Automate the tagging process where possible to maintain accuracy and efficiency.
  • Align Attributes with Organizational Context: Ensure that attribute names reflect your organization’s structure or data governance model. For example, use attributes like allowed_domain for domain-based access or allowed_data_product for data product-based access.
  • Keep Metadata Up to Date: Regularly update user profiles to include relevant attributes that reflect their access requirements. This ensures the one-policy approach remains effective.