Skip to content

You are viewing documentation for Immuta version 2.8.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Immuta Introduction

Audience: All Immuta users

Content Summary: This page introduces all users to Immuta, broadly describing Immuta's deployment options, approach to data access and risk, user roles, data sources, policies, projects, and auditing. To see a demonstration of the basic features and pages in the Immuta UI, view the Immuta Quickstart video.

Use the menu on the left to navigate to tutorials and detailed discussions of major features and concepts.

Immuta: A Single Access Point

The Immuta platform solves two of the largest issues facing data-driven organizations: access and governance. In large organizations, it can be difficult, if not impossible, for data scientists to access all the data they need. Once they do get access, it’s often difficult to make sure they use the data in ways that are compliant.

The Immuta platform solves both problems by providing a single, unified access point for data across an organization and ensuring that all restrictions placed on data are dynamically enforced through the platform. This unification removes friction between analysts and compliance professionals by creating digital data exchanges compliant with an organization's regulations and providing complete visibility and flexibility into how policies are enforced and monitored.

Immuta User Roles

User roles in Immuta are fluid and interdependent, and understanding these different roles is essential to effectively sharing, analyzing, and protecting data and maintaining compliance.

  • Data Owners: In order for data to be available in the Immuta platform, a Data Owner — the individual or team responsible for the data — needs to connect their data to Immuta. Once data is connected to Immuta, that data is called a data source. In the process of creating a data source, Data Owners are able to set policies on their data source that restrict which users can access it, which rows within the data a user can access, and which columns within the data source are visible or masked. Data Owners can also decide whether to make their data source public, which makes it available for discovery to all users in the Immuta Web UI, or made private, which means only the Data Owner and its assigned subscribers know it exists.

  • Data Users: Data Users consume the data that’s been made available through Immuta. Data Users can browse the Immuta Web UI seeking access to data and easily connect their third-party data science tools to Immuta.

  • Project Owners: These users can create their own project to restrict how their data will be utilized using purpose-based restrictions or to efficiently organize their data sources.

  • Governors: Governors set Global Policies within Immuta, meaning they can restrict the ways that data is used within Immuta across multiple projects and data sources. Governors can also set purpose-based usage restrictions on projects, which can help limit the ways that data is used within Immuta. By default, Governors can subscribe to data sources; however, this setting can be disabled in the Immuta Configuration, removing the Governor's ability to create or subscribe to data sources. Additionally, users can be a Governor and Admin simultaneously by default, but this setting can also be changed in the Configuration Builder, rendering the Governor and Admin roles mutually exclusive.

  • Application Admins: Application Admins manage the configuration of Immuta for their organization. These users can configure Immuta to use external identity managers and catalogs, enable or disable data handlers, adjust email and cache settings, generate system API keys, and manage various other advanced settings.

  • User Admins: Another type of System Administrator is the User Admin, who is able to manage the permissions, attributes, and groups that attach to each user. Permissions are only managed locally within Immuta, but groups and attributes can be managed locally or derived from user management frameworks such as LDAP or Active Directory that are external to Immuta. By default, Admins can subscribe to data sources; however, this setting can be disabled in the Immuta Configuration, removing the Admin's ability to create or subscribe to data sources. Additionally, users can be an Administrator and Governor simultaneously by default, but this setting can also be changed in the Configuration Builder, rendering the Administrator and Governor roles mutually exclusive.

Major Elements

Data Sources

A data source is how users virtually expose data (that lives in a remote data storage technology) across their enterprise to other users. When you expose a data source you are not copying the data; you are using metadata to tell Immuta how to expose it. Once exposed and subscribed to, the data will be accessed in a consistent manner across analytics and visualization tools, allowing reproducibility and sharing.

For more information and tutorials about data sources, see the Data Sources section.


Policies are fine-grained security controls applied to data sources by Data Owners or Data Governors, who determine the logic behind what is hidden from whom. Once policies are applied to a data source, data is hidden, masked, redacted, and anonymized in the control plane based on the attributes of the users accessing the data and the purpose under which they are acting.

Policies can be created through the Immuta workflows, or custom policy handlers can be created to inject complex policies.

For more information and tutorials about policies, see the Policies section.


Projects allow users to logically group work by linking data sources and can be created to efficiently organize work or to provide special access to data to specific users.

The same security restrictions regarding data sources are applied to projects; project members still need to be subscribed to data sources in order to access data, and only users with appropriate attributes and credentials will be able to see the data if it contains any row-level or masking security. However, Project Owners can enable Project Equalization, which improves collaboration by ensuring that the data in the project looks identical to all members, regardless of their level of access to data. When enabled, this feature automatically equalizes all permissions so that no project member has more access to data than the member with the least access.

For more detailed discussion and tutorials about projects, see the Projects section.

Audit Logs and Immuta Reports

All activity in Immuta is audited, and Data Owners and users with the AUDIT permission can access rich audit logs that detail who subscribes to each data source, why they subscribe, when they access data, and which files they access. These logs can be used for a number of intentions, including insider threat surveillance and data access monitoring for billing purposes. Audit logs can also be shipped to your enterprise auditing capability, if desired.

Similarly, Governors can build Immuta Reports to analyze how data is being used and accessed across Immuta using the Immuta Report Builder. Reports can be based on users, groups, projects, data sources, tags, purposes, policies, and connections within Immuta.

For more information and tutorials about audit logs and Immuta Reports, see the Viewing Audit Logs tutorial and the Immuta Reports guide, respectively.

Deployment Options

Immuta runs as a fully containerized solution in the cloud, on-premises, or both to meet the varying needs of customers. Each deployment option is briefly described below.

  • Public Cloud: For customers who store their data in the cloud, Immuta can be run in the cloud. Immuta supports storage and analytics services from Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
  • Hybrid Cloud: Immuta supports a hybrid model for larger organizations that want to deploy Immuta across both their on-premises and cloud infrastructure. This hybrid model supports all the integrations available for cloud and on-premises deployments.
  • On-Premises: For customers operating exclusively in their own data centers, Immuta supports three deployment scenarios and connects to a variety of storage solutions.

What's New in 2.8

Query Editor

The Query Editor Tutorial Video

The Query Editor allows users to preview data and write and execute queries directly in the Immuta UI for any data sources they are subscribed to. Additionally, Data Owners can examine how their policies impact the underlying data.

Query Editor Page

For more details, see the Query Editor overview page.

HIPAA Safe Harbor Policy

Data Policy Video Tutorial: HIPAA Safe Harbor

The HIPAA Safe Harbor policy is a Global Policy included in Immuta by default. When combined with Sensitive Data Detection, this policy automatically applies to relevant data sources so that they comply with the stipulations of HIPAA Safe Harbor.

For more information, see Policies in Immuta.

K-Anonymization Policy

Masking with K-Anonymization Video Tutorial

In Immuta, masking with K-Anonymization examines pairs of values across columns and hides groups that do not appear a specified number of times (k). For example, if one column contains street numbers and another contains street names, the group 123, "Main Street" probably would appear frequently while the group 123, "Diamondback Drive" probably would show up much less. Since the second group appears infrequently, these values could potentially identify someone, so this group would be masked.

For more information, see Policies in Immuta.

External Masking

External masking dynamically unmasks data that is masked (using a customer-provided encryption or masking algorithm) within a remote database. With this feature, users define data policies that allow Immuta to reach out to an external REST service that they own with their custom logic and security.

For more information, see Policies in Immuta.