Attribute-Based Access Control

Immuta’s ABAC helps reduce policy burden by decoupling the user from data access control policies.

What is ABAC?

Attribute-based access control (ABAC) is a dynamic and multidimensional approach to data security that allows access to authorized database users and restricts access for unauthorized internal and external individuals.

How Immuta delivers ABAC

Build Policies in Plain Language

Immuta’s explainable policy builder lets users author policies in plain language, so all security and governance stakeholders can understand how access control is managed and protected. Data engineers can also build policies as code to make them extensible to other tools in the data stack. This approach improves collaboration and fits seamlessly into modern DataOps workflows.

Flexibility to Support Attributes, Roles, and Purposes

Many data teams suffer from “role explosion” due to static, role-based policies, requiring them to manually manage hundreds or thousands of user roles to control access to data in specific tables or databases. Immuta solves this problem with attribute-based access control. Unlike open source solutions such as Apache Ranger, this approach uses dynamic user subject attributes, such as geography, time and date, clearance level, and purpose, represented as policy variables, to make context-aware decisions at query time. This means that a single Immuta ABAC policy can replace over 100 roles, saving time and reducing security risks.

Easily Integrate with Third Party Systems

Immuta easily integrates with third party systems like data catalogs, IAMs like Okta, and business applications like HR systems, and allows data teams to write policies against those systems. Furthermore, Immuta easily integrates into developer pipelines with its policy-as-code interface.


Limit Data Use to Specific Purposes

New and expanding government regulations such as CCPA and the GDPR prevent analytics teams from legally using sensitive data without clear and intended purposes. Immuta provides easy-to-use consent workflows for data teams to audit usage purposes and create attribute-based controls that enforce who can use what data and why. With streamlined workflows for consent, it’s easier to comply with legal guidelines and prove that compliance when necessary.

Improved Security and Management

With Immuta’s ABAC, key attributes are determined at request time to determine validity of access request. Contextual and purpose based controls can also be applied for enhanced security. If an employee changes roles or leaves the company, the risk of data leaks are eliminated as roles do not need to be manually managed for each user.

Secure Data Collaboration

Immuta features a patented, policy-based approach to enabling secure data collaboration using data-level zones that manage read/write access across users with different permissions. By using data-level zones, Immuta automatically equalizes access rights for all users, making it easy and safe to publish derived data sets without leaking data to users with different permissions.


Frequently Asked Questions

What is attribute-based access control and why is it important?

Attribute-based access control manages access to a company’s data by allowing access to authorized database users based on various dynamic attributes, including title, geography, and data type. This delivers a range of business benefits, including increased efficiency of data analytics, data governance, data-rich application development, and compliance, as well as quicker results and greater value derived from sensitive data.

How does ABAC differ from RBAC by definition?

RBAC permits or restricts data access based on the privileges associated with a user’s role within an organization. Privileges can only be changed or added if a new role is created. ABAC is more dynamic. It permits or restricts data access based on a variety of independently provisioned and environmental characteristics, such as assigned user, action, and environmental attribute.

What are attribute-based access control implementation best practices?

Attribute-based access control (ABAC) is a dynamic and multidimensional approach to data security. When implementing ABAC, it is best to ensure you have a tool that enables simple, scalable policy creation in order to avoid unnecessary manual work or role-explosion. The ABAC model should also be flexible, with the ability to adapt to the ever-changing world of compliance and governance. Automation, universal cloud compatibility, and customized permissions can work in tandem to provide users with safe and effective access to their data. Immuta’s attribute-based access control model provides these features and more.

What are the key features of ABAC solutions?

The key features of ABAC solutions are that they are flexible, simple, and secure. They must be flexible in order to apply across cloud and on-premises data ecosystems while basing access decisions on a combination of attributes, roles, and purposes. They must be simple in their comprehensible policy creation and implementation, so that any stakeholder can understand the terms of data access and use. And they must be secure in their effective governance of data access and use, so that only users with the proper permissions are seeing the right data at the right time.

What is an attribute-based access control example?

Here is an attribute-based access control (ABAC) example: Consider an organization whose product requires a monthly subscription fee. It’s stored data necessarily includes customer credit card numbers to facilitate payment. To ensure only the right users are seeing this sensitive information for the right purposes, the organization could implement an ABAC policy that states “Allow users to subscribe when user possesses attribute Department with value Finance On data sources with columns tagged Discovered>Entity>Credit Card Number.” This will ensure that only users with the “Finance” attribute are able to access this information and process customer payments, without locking the policy to static or unmanageable roles.

Have 29 minutes?

Let us show you how Immuta can transform the way you govern and share your sensitive data.