Managing roles for users and groups in Data Virtualization

Data Virtualization has four user roles, which are specific to Data Virtualization. You can grant these roles to existing Cloud Pak for Data users or groups.

To learn more, review the following information.

Restriction:

To avoid double masking when you use preview in Watson™ services, access control in Data Virtualization is not applied when you preview a data asset (table or view) that comes from Data Virtualization. This happens only when data masking applies to the preview in Watson services. Access control does not apply in this circumstance.

The preview is subject to the data protection rules and catalog or project access control only.

This means that even though a user does not have access to query an object from Data Virtualization, they might still be able to preview it in a catalog or project if they have access to that catalog or project as well as the data asset.

Tech preview This is a technology preview and is not supported for use in production environments.

Data Virtualization roles

For a user or group to have access to the Data Virtualization service, you must assign them one of the following Data Virtualization roles.
Data Virtualization Admin
The user who provisions the Data Virtualization service is automatically assigned the Data Virtualization Admin role. After the service is provisioned, the Data Virtualization Admin can give other users or groups access to the service.

The Data Virtualization Admin is considered to be the manager of the Data Virtualization instance and assigns appropriate Data Virtualization roles to Cloud Pak for Data users or groups.

Data Virtualization Engineer
Configures the data sources, virtualizes data, and manages access to virtual objects. Users or groups with this role can create a virtual table or view and grant access to it to users or groups with any Data Virtualization role. By default, every virtual object that is created in Data Virtualization is private. This privacy means that in order for a virtual object to be accessed by a user or group other than its creator, access to the virtual object must be granted.

Data source administrators are expected to provide access to a user or group with a Data Virtualization Engineer role before that user or group can add a data source. Users or groups with this role service and fulfill data requests from Data Virtualization users.

Data Virtualization User

Data Virtualization users can request access to virtualized data or data in general by initiating a data request. Users with this role can create views of virtual tables to which they have access.

Data Virtualization Steward

Data Virtualization Stewards can access data in all user tables and views. Additionally, Stewards hold the Db2® DATAACCESS authority on the database.

The following table summarizes the Data Virtualization menu functions that each of the Data Virtualization user roles is able to access.

Data Virtualization features Admin Engineer User Steward
Provision Data Virtualization      
User management      
Data sources    
Virtualize    
Virtualized data
Connection Information
Service settings*
Run SQL
Required role: * To modify the service settings, you must have the Data Virtualization Admin role.

Permissions of Data Virtualization roles

The following table describes the permissions that are associated with each Data Virtualization role.
Roles Permissions
Data Virtualization Admin
  • Administer the service
  • Administer the database
  • Access data
  • Manage data sources
  • Manage users and assign Data Virtualization roles
  • Create and share any schema
  • Manage data caches
  • Manage data queries
Data Virtualization Engineer
  • Access connection information
  • Manage data sources
  • Create virtual tables and views
  • Create and manage private schema
Data Virtualization User
  • Access connection information
  • Create virtual views over existing virtual tables and views
  • Create and manage private schema
Data Virtualization Steward
  • Access connection information
  • Access data
  • Create virtual views over existing virtual tables and views
  • Create and manage private schema
Important: To grant another user control on an object, including privileges to grant permissions to other users, and to remove a virtual object, the target user or role must be granted the CONTROL privilege on that object. For example:
GRANT CONTROL on object to ROLE DV_ENGINEER
For more information about the CONTROL privilege, see the Db2 product documentation.

What to do next