Use Case

Data Access Control

 
What Is Data Access Control?

Data access control refers to permitting or restricting the ability to view, access, or utilize data within a specific system or database. It is a fundamental aspect of data security because it helps ensure that only authorized users are able to access and use data for permitted purposes.

Data access control implementation starts with discovering and classifying sensitive data, then building data policies to enforce access authorization.

The Data Access Control Challenge

The exponential growth of data volumes, users, and regulatory requirements is preventing many organizations from achieving value from their cloud investments. Organizations are faced with a choice between halting progress to ensure data use is secure and compliant, or leaving it completely exposed.

Legacy approaches to data access control are simply no longer feasible. Static, role-based controls quickly lead to role explosion, requiring data teams to manually manage hundreds or thousands of user roles. Homegrown or platform-native controls pose similar challenges. Based on customer evidence and published research, this data access dilemma can cost hundreds of thousands of dollars in lost productivity, and raises the potential for sensitive data to slip through the cracks.

Centralized Data Access Control Management

Immuta provides a centralized control plane where you can build policies and enforce them across cloud platforms in your ecosystem. With policies separated from individual platforms, it’s simpler to manage policies, add new platforms, avoid duplication, and ensure policies are consistently enforced across all data sets.

Designed for Technical & Non-Technical Users

Immuta’s plain language policy builder requires no SQL coding or technical expertise, so technical and non-technical users alike can create and maintain policies. This not only enables distributed stewardship, but it also provides transparency into how data is protected and facilitates better communication across platform, security, and governance teams.

Dynamic & Scalable Policies with Minimal Overhead

Immuta’s attribute-based access control grants or restricts access based on multiple user, object, and environmental traits. Unlike role-based access control, this dynamic approach avoids role explosion and vastly reduces the management burden on IT resources. With purpose-based restrictions, you are also able to easily ensure compliance with regulations like GDPR.

Customers

Data Access Control at Thomson Reuters

Thomson Reuters implemented Immuta’s dynamic attribute-based access controls and increased data usage by 60x.

“Because we don’t have to worry about the problems Immuta is solving, we move a lot faster in trying to solve the problems that are inherent to large mountains of data sitting in one place.”

Carter Cousineau VP, Data & Model (AI/ML) Governance & Ethics
Immuta Features

The Immuta Advantage

Immuta provides innovative solutions to streamline data access control while maintaining a high degree of flexibility.

Attribute-Based Access Control

Leverage ABAC to build unique vertical policies and enable scalable data access so the right users can access the right data.

Purpose-Based Control

Simplify compliance with regulatory requirements, localization laws, and data use agreements by building purpose-based restrictions into access controls.

Plain Language Policy Authoring

Write policies in plain language so all security and governance stakeholders can understand and manage them, no technical expertise required.

Policy Reduction

Reduce the number of policies to manage by 93x by implementing dynamic, scalable, attribute-based access controls.

Platform-Native Policy Enforcement

Seamlessly enforce policies without impacting performance or standard workflows through Immuta’s integrations with leading cloud platforms like Snowflake and Databricks.

Increased Collaboration

Facilitate collaboration internally and externally by giving domain owners the power to create and manage policies based on business context.

Architecture

[Figure: How attribute-based access control works]

Results

Unlock More Data with Dynamic Access Control

| Without Immuta | With Immuta |
| --- | --- |
| Overly broad or overly restrictive controls | Strike the balance between security and utility |
| Unmanageable access control and role explosion | Reduce policy burden by 93x |
| Need to rewrite policies for each database system | Write policies once and enforce them everywhere |
| Bottlenecks significantly delay data access | Accelerate data access by 100x |

Frequently Asked Questions

What is fine-grained access control?

Fine-grained access control is a method of managing data access that uses specific policies to restrict access at the row-, column-, and cell-level, ensuring that sensitive information is thoroughly protected when large amounts of data are stored together. With fine-grained access control, each data point has a unique access control policy, making protection measures more precise and allowing data with varying regulatory requirements to be securely stored and used together.

What’s the difference between RBAC, ABAC, and PBAC?


Role-based access control (RBAC) grants data access to users based on their role or function within the organization. This type of access control works for small organizations with few data sets and data users, but as roles, users, and rules change, data teams are forced to create new roles to accommodate organizational evolutions. As a result, a system may contain hundreds or thousands of roles that are difficult to manage and scale as organizations grow, which can lead to increased risk of data leaks and breaches.


Attribute-based access control (ABAC) is an approach to data security that permits or restricts data access based on assigned user, object, action, and environmental attributes. In contrast to RBAC, ABAC has multiple dimensions on which to apply access controls. This makes attribute-based access control a highly dynamic model because policies, users, and objects can be provisioned independently, and policies make access control decisions when the data is requested.


Policy-based access control (PBAC) applies regulation-based restrictions to sensitive personal data, as detected by automated sensitive data discovery tagging. When combined with data masking tools, this reinforces confidence that the right people are accessing the right data at the right time, and for appropriate purposes. For regulatory compliance and data audit trails, this level of control is particularly powerful and critical for ensuring data is adequately protected and reportable to legal and compliance teams.
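
The ABAC and fine-grained control ideas above, as an added example (not Immuta's code or policy syntax): one policy function decides at request time from user, object, action, and environmental attributes, then applies row filtering and column masking. The attribute names, the `fraud-investigation` purpose, the mask-instead-of-deny choice, and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: dict             # user attributes: region, approved purposes
    action: str            # action attribute: "read", "write", ...
    env: dict              # environmental attributes: network, time, ...
    table_tags: frozenset  # object attributes from data classification


# Constructed sample table; "ssn" stands in for a column tagged sensitive.
ROWS = [
    {"id": 1, "region": "EU", "ssn": "111-22-3333", "spend": 120},
    {"id": 2, "region": "US", "ssn": "444-55-6666", "spend": 80},
    {"id": 3, "region": "EU", "ssn": "777-88-9999", "spend": 45},
]
SENSITIVE_COLUMNS = {"ssn"}
APPROVED_PURPOSE = "fraud-investigation"  # hypothetical purpose name


def decide(req):
    """Return (allowed, row_predicate, masked_columns) for one request."""
    # Action and environment: reads only, and only from the corporate network.
    if req.action != "read" or req.env.get("network") != "corporate":
        return False, None, set()
    # Purpose-based restriction: sensitive columns of PII-tagged tables
    # stay masked unless the user holds the approved purpose.
    masked = set()
    if "pii" in req.table_tags and APPROVED_PURPOSE not in req.user.get("purposes", ()):
        masked = set(SENSITIVE_COLUMNS)
    # Row-level restriction: compare a user attribute with a row attribute.
    # A new region needs no new role; the same rule covers it.
    region = req.user.get("region")
    return True, (lambda row: row["region"] == region), masked


def query(req, rows=ROWS):
    """Enforce the decision: filter rows, then mask columns."""
    allowed, keep, masked = decide(req)
    if not allowed:
        raise PermissionError("denied by policy")
    return [
        {col: ("***" if col in masked else val) for col, val in row.items()}
        for row in rows
        if keep(row)
    ]
```

Under RBAC the same outcome would need a separate role per region and per purpose combination, which is the role explosion described above.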

What are the four types of access control?

The four main types of access control are discretionary, mandatory, role-based, and attribute-based. With discretionary access control (DAC), users create rules to determine who has access to the data through access control lists (ACLs) and capabilities tables. Mandatory access control (MAC), often regarded as the strictest type, takes a hierarchical approach to data access in which a systems admin regulates data access based on varying security clearance levels, and is widely used in the government and military. Role-based access control (RBAC) depends on a systems admin to grant access permissions based on a user’s role within the organization. Unlike RBAC, attribute-based access control (ABAC) enables data access based on attributes of the user, object, action, and environment, creating a dynamic system that vastly reduces the number of policies needed to enforce access control and avoids the need to create new roles for all changes to a data environment.

Why is mandatory access control the strictest access control model?

Mandatory Access Control (MAC) is considered the strictest access control model. Primarily used by the government and military, this form of access control takes a hierarchical approach to regulating data access. Security labels, denoting both classification and category, are placed on the available resources by system admins and cannot be changed by any other users. The same labels are attributed to the system’s users, so only those with the proper security credentials are able to access certain resources within the system.
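
The label comparison described above, as an added example that is not from the original page: it uses the conventional MAC dominance rule (the user's classification must be at least the resource's, and the user's categories must include all of the resource's), which the page does not spell out. The level names, categories, and resources are constructed.

```python
from dataclasses import dataclass

# Constructed hierarchy of classification levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset = frozenset()


def dominates(subject, obj):
    """True if the subject's label permits reading the object's label."""
    return (
        LEVELS[subject.classification] >= LEVELS[obj.classification]
        and subject.categories >= obj.categories  # superset of categories
    )


# Constructed resources; labels are assigned by the system admin and
# cannot be changed by the users who access them.
RESOURCES = {
    "staff-memo": Label("CONFIDENTIAL"),
    "payroll-ledger": Label("SECRET", frozenset({"FINANCE"})),
    "hr-case-file": Label("SECRET", frozenset({"HR"})),
    "merger-plan": Label("TOP SECRET", frozenset({"FINANCE"})),
}


def readable(subject, resources=RESOURCES):
    """Names of the resources this subject's label allows it to read."""
    return sorted(n for n, lbl in resources.items() if dominates(subject, lbl))
```

A high clearance alone is not sufficient: a `TOP SECRET` user with no categories can read only `staff-memo` here, because every other resource carries a category the user lacks.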
