Managing roles for users and groups in Data Virtualization

Data Virtualization has four user roles: Admin, Engineer, User, and Steward. You can grant these roles to existing IBM® Software Hub users or groups.

The following information defines each Data Virtualization role and outlines their corresponding permissions and access.

Data Virtualization roles

For a user or group to have access to the Data Virtualization service, you must assign them one of the Data Virtualization roles.

Data Virtualization Admin
The Data Virtualization Admin role is automatically assigned to the user who provisions the Data Virtualization service. After the service is provisioned, the Data Virtualization Admin can give other users or groups access to the service.

The Data Virtualization Admin is considered to be the manager of the Data Virtualization instance and assigns appropriate Data Virtualization roles to IBM Software Hub users or groups.

Data Virtualization Admins can access and work only with data that they own or to which they have been explicitly added.

Important: If you upgraded to Data Virtualization on IBM Software Hub 5.2.0 or later from an earlier version, the Admin role keeps access to all data. For information about revoking this access to limit the data access of upgraded Admin users, see Revoking data access authority from the Admin role in Data Virtualization.

Data Virtualization Engineer
The Data Virtualization Engineer role configures data sources, virtualizes data, and manages access to virtual objects. Users or groups with this role can create a virtual table or view, and can grant access to that virtual table to users or groups that hold any Data Virtualization role. By default, every virtual object that is created in Data Virtualization is private: a user or group other than its creator can access the object only after access to it has been explicitly granted.

Data source administrators are expected to provide access to a user or group with a Data Virtualization Engineer role before that user or group can add a data source.

Data Virtualization User

Data Virtualization Users can create views of virtual tables to which they have access.

Data Virtualization Steward

Data Virtualization Stewards can access data in all user tables and views. Data Virtualization automatically grants Db2 SELECTIN authority to the Steward role on all schemas.

Menu access for each Data Virtualization role

The following table summarizes the menu functions that each of the Data Virtualization user roles can access.

Data Virtualization features Admin Engineer User Steward
Provision Data Virtualization*      
User management      
Cache management      
Data sources    
Virtualize    
Virtualized data
Configure connection
Service settings**
Run SQL

* To create a Data Virtualization service instance, the user must hold permission to create service instances. This permission is granted to some predefined roles by default.

** While all four roles can view the service settings, only the Data Virtualization Admin role can modify service settings.

Permissions of Data Virtualization roles

The following table describes the permissions that are associated with each Data Virtualization role.
Roles Permissions
Data Virtualization Admin
  • Administer the service.
  • Administer the database.
  • Access data that they own or that they have been explicitly assigned to.
  • Access cache management.
  • Manage data sources that they own or that they have been explicitly assigned to.
  • Manage users and assign Data Virtualization roles.
  • Create and manage private schema.
  • Manage data caches.
  • Manage data queries.
Data Virtualization Engineer
  • Access connection information.
  • Manage data sources.
  • Create virtual tables and views.
  • Create and manage private schema.
Data Virtualization User
  • Access connection information.
  • Create virtual views over existing virtual tables and views.
  • Create and manage private schema.
Data Virtualization Steward
  • Access connection information.
  • Access data.
  • Create virtual views over existing virtual tables and views.
  • Create and manage private schema.

Authorizations under Data Virtualization names and usernames

Object-level authorizations persist under user names for Data Virtualization users. If you revoke access to one user and then grant access to another user under the same username, the new user inherits the previously granted object-level authorizations with that username. As a best practice, do not reuse user names for different users in your organization. For more information, see Managing access to virtual objects in Data Virtualization.

Data Virtualization authorizations are assigned to role and group names. If a group is renamed, a Data Virtualization Admin must migrate the group-level authorizations.

Important: CONTROL on an object includes the privileges to grant permissions on that object to other users and to remove the virtual object. A Data Virtualization Admin can grant the CONTROL privilege on an object to a user or role with a command such as:
GRANT CONTROL ON object TO ROLE DV_ENGINEER
For more information about the CONTROL privilege, see GRANT (table, view, or nickname privileges) statement.
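To make the CONTROL grant and the username-reuse caveat above concrete, the following Db2 SQL is an added example that is not part of the IBM documentation; the schema ANALYTICS, the view SALES_V and the user JSMITH are assumed names, and it is run with an authorization ID that holds access-control authority.

```sql
-- Added example (not from the IBM documentation). ANALYTICS.SALES_V and
-- the user JSMITH are hypothetical names.

-- 1. CONTROL lets the grantee re-grant privileges and drop the object, so it
--    goes to the role that manages the object (DV_ENGINEER, as on the page),
--    while an individual user receives only SELECT.
GRANT CONTROL ON TABLE ANALYTICS.SALES_V TO ROLE DV_ENGINEER;
GRANT SELECT  ON TABLE ANALYTICS.SALES_V TO USER JSMITH;

-- 2. Object-level authorizations are recorded against the username and
--    outlive the person. Before a username is retired, list everything it
--    still holds; a new account created with the same name would inherit
--    each of these rows. (Catalog values are stored in uppercase.)
SELECT TABSCHEMA, TABNAME,
       CONTROLAUTH, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'JSMITH' AND GRANTEETYPE = 'U';

-- 3. Revoke the grants found in step 2, one statement per object, so that
--    nothing remains to be inherited by a later user with the same name.
REVOKE ALL PRIVILEGES ON TABLE ANALYTICS.SALES_V FROM USER JSMITH;

-- 4. Verify that no object-level grants remain under the username;
--    the expected result is 0 before the account is removed.
SELECT COUNT(*) AS REMAINING_GRANTS
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'JSMITH' AND GRANTEETYPE = 'U';
```

The same check applies to a renamed group: query SYSCAT.TABAUTH with GRANTEETYPE = 'G' for the old group name to find the authorizations the Admin must migrate.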