Skip to content

You are viewing documentation for Immuta version 2023.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

Default Subscription Policy

Immuta’s default subscription policy option allows you to choose whether or not a subscription policy will automatically restrict access to tables when they are registered as Immuta data sources.

By default, Immuta does not apply a subscription policy on data you register (unless an existing global policy applies to it) so that you can preserve policies applied by your underlying data platform on those tables, leaving existing access controls and workflows intact; users who had access to a table before it was registered can still access that data without interruption. If this default behavior is disabled on the App Settings page, a subscription policy that requires owners to manually add subscribers to the data source will apply to new data sources (unless a global policy you create applies), blocking access to those tables until users subscribe to those data sources in Immuta.

Any global policies that match registered data sources will apply to data sources, no matter which subscription policy is enabled by default.

Default Subscription Policy Options

There are two settings available as the default subscription policy: none or allow individually selected users.

  • None: If this option is selected as the default subscription policy, a data source will have no subscription policy applied to it if

    • it is a new data source and no global policy matches it.
    • a data owner or governor removes an existing global subscription policy from the data source.

    Once a global subscription policy matches or a data owner applies a local subscription policy to a data source, that policy will restrict users’ access to the table.

  • Allow individually selected users: If this option is selected, data owners have to manually add users as subscribers to the data source in Immuta for those users to query the underlying table.

Changing the default subscription policy setting only affects new data sources; existing data sources (and those in the process of being registered when the setting is changed) are unaffected. For example, if an Immuta data source’s subscription policy restricts access to members of the Marketing group before the feature is enabled, that existing subscription policy will still apply to that table in the underlying data platform; only users who are members of the Marketing group will be able to access that data.

For instructions on changing the default subscription policy setting, see the manage default subscription policy page.

Managing Data Policies

Data owners and governors can manage data policies on data sources without affecting users’ access to the registered data sources.

Managing Data Source Members

If no subscription policy is applied to a data source, users can only subscribe as data source owners; they cannot be added as regular subscribers. To add regular subscribers, a data owner or governor must apply a subscription policy to the data source.

Limited Enforcement in Databricks

Limited enforcement in Databricks allows users to access data that is not registered as an Immuta data source, so all tables remain open to users until they are explicitly registered and protected by Immuta policies. You can use limited enforcement in Databricks while no subscription policy is applied to a data source. However, Immuta recommends registering all data sources in Immuta so that data policies can be applied.