Managing roles for users and groups in Data Virtualization
Data Virtualization has four user roles, which are specific to Data Virtualization. You can grant these roles to existing Cloud Pak for Data users or groups.
To learn more, review the following information.
To avoid double masking when you use preview in Watson™ services, access control in Data Virtualization is not applied when you preview a data asset (table or view) that comes from Data Virtualization. This happens only when data masking or row-level filtering applies to the preview in Watson services. Access control does not apply in this circumstance.
The preview is subject to the data protection rules and catalog or project access control only.
Even though a user does not have access to query an object from Data Virtualization, they might be able to preview it in a catalog or project if they have access to that catalog or project the data asset.
Tech preview This is a technology preview and is not supported for use in production environments.
Data Virtualization roles
- Data Virtualization Admin
- The user who provisions the Data
Virtualization service is automatically assigned the Data
Virtualization Admin role. After the service is provisioned, the Data
Virtualization Admin can
give other users or groups access to the service.
The Data Virtualization Admin is considered to be the manager of the Data Virtualization instance and assigns appropriate Data Virtualization roles to Cloud Pak for Data users or groups.
- Data Virtualization Engineer
- Configures the data sources, virtualizes data, and manages access to virtual objects. Users or
groups with this role can create a virtual table or view and grant access to it to users or groups
with any Data
Virtualization role. By default, every virtual object that is created in Data
Virtualization is private. This privacy means that in order for a virtual object to be accessed by
a user or group other than its creator, access to the virtual object must be granted.
Data source administrators are expected to provide access to a user or group with a Data Virtualization Engineer role before that user or group can add a data source. Users or groups with this role service and fulfill data requests from Data Virtualization users.
- Data Virtualization User
-
Data Virtualization users can request access to virtualized data or data in general by initiating a data request. Users with this role can create views of virtual tables to which they have access.
- Data Virtualization Steward
-
Data Virtualization Stewards can access data in all user tables and views.
4.5.0 4.5.1 In Data Virtualization on Cloud Pak for Data versions 4.5.0 and 4.5.1, Stewards also hold the Db2®
DATAACCESSauthority on the database.4.5.3 or later Data Virtualization on Cloud Pak for Data version 4.5.3 automatically grants Db2
SELECTINauthority to the Steward role on all schemas.
The following table summarizes the menu functions that each of the Data Virtualization user roles is able to access.
| Data Virtualization features | Admin | Engineer | User | Steward |
|---|---|---|---|---|
| Provision Data Virtualization | ✓ | |||
| User management | ✓ | |||
| Data sources | ✓ | ✓ | ||
| Virtualize | ✓ | ✓ | ||
| Virtualized data | ✓ | ✓ | ✓ | ✓ |
| Configure connection | ✓ | ✓ | ✓ | ✓ |
| Service settings* | ✓ | ✓ | ✓ | ✓ |
| Run SQL | ✓ | ✓ | ✓ | ✓ |
Permissions of Data Virtualization roles
| Roles | Permissions |
|---|---|
| Data Virtualization Admin |
|
| Data Virtualization Engineer |
|
| Data Virtualization User |
|
| Data Virtualization Steward |
|
CONTROL privilege on that object as shown in the following
example.GRANT CONTROL on object to ROLE DV_ENGINEERCONTROL privilege, see the Db2 product
documentation.