Allowing and denying access to data in Data Virtualization
You can configure Data Virtualization to allow or restrict access to any object through the Default data access convention or the Restrict access to ungoverned objects setting.
Default data access convention
The default data access convention is an IBM® Knowledge Catalog configuration that determines the access behavior for Data Virtualization assets. In this convention, you control whether access to data is Unlocked (allowed) or Locked (denied) by default, and as a result, whether governance rules are written to grant or restrict access to data.
This setting is unlocked by default.
The Data Virtualization native Db2 authorizations (GRANTs) are enforced at all times by default, regardless of the default data access convention settings. Allowing or denying access to data refers only to the enforcement of data protection rules (DPRs). See IBM Knowledge Catalog DPRs and Data Virtualization GRANTs in Governing virtual data with data protection rules in Data Virtualization. See also Managing access to virtual objects in Data Virtualization.
The following table describes the differences between the unlocked and locked conventions:
| Unlocked convention (default) | Locked convention |
|---|---|
| In the unlocked convention, access to data is allowed by default. Users can query Data Virtualization objects unless a data protection rule explicitly denies access. You enforce governance by specifying deny rules that restrict access to data by specific users or groups. Objects that are published to a governed catalog are evaluated by Data Policy Service (DPS) against defined data protection rules. Objects that are not published to a governed catalog are accessible to all users unless you specify rules to deny access, as per the default setting in IBM Knowledge Catalog. For more information on changing the default settings, see Managing rule settings (IBM Knowledge Catalog). This convention gives users ease of access to data, and is the default configuration in IBM Knowledge Catalog. | In the locked convention, access to data is denied by default. Users cannot query Data Virtualization objects unless a data protection rule explicitly allows access. Objects that are not published to a governed catalog are only accessible by the object owner (creator). You enforce governance by specifying allow rules that grant access permissions to specific users or groups. Governed objects are evaluated by Data Policy Service (DPS), and access is granted only where rules explicitly permit it. This convention emphasizes strong governance and is useful in security-sensitive environments. |
Configuring Restrict access to ungoverned objects
Restrict access to ungoverned objects is a Data Virtualization setting that enforces a governance-first model in which objects must be published to a governed catalog before they are accessible to users. When you enable this setting, Data Virtualization denies access to any object that is not represented by a data asset in a governed catalog (a catalog in IBM Knowledge Catalog that has data protection rules which DPS enforces).
This setting is disabled by default and must be explicitly enabled by a Data Virtualization Administrator.
The following are exempt from this restriction:
- The owner of the object.
- Functional schemas, such as DVSYS and SYSCAT.
| Unlocked convention (default) | Locked convention |
|---|---|
| Ungoverned objects are accessible by default in the unlocked convention. By enabling Restrict access to ungoverned objects, you ensure that only objects published to a governed catalog are accessible by default. See the following table for more information. | Ungoverned objects are not accessible by default in the locked convention, except to owners. Enabling Restrict access to ungoverned objects therefore does not change access to these objects for most users. |
This table describes what happens before and after you enable Restrict access to ungoverned objects for the unlocked convention:
| Use case | Before | After |
|---|---|---|
| Ungoverned object in the Unlocked convention. | Access to object is allowed. | Access to object is denied, except for the object owner. |
| Governed object in the Unlocked convention. | Access to object is subject to rules. | Access to object is subject to rules. |
| Objects created by running SQL statements. | Access to object is allowed immediately. | Access to object is denied until you publish it to a governed catalog. |
| Git-imported object without a catalog asset. | Access to object is allowed. | Access to object is denied until you catalog the object in a governed catalog. |
| Governed catalog asset is deleted. | Access to object is allowed. | Access to object is denied. |
| Object owner accesses the ungoverned object. | Access to object is allowed. | Access to object is allowed because the owner is exempt. |
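The decision rules in the two tables above, as an added Python model (not IBM's code): it takes a user, a virtual object and the convention and returns the effective decision, with the Restrict access to ungoverned objects setting toggled on or off. The AccessContext fields and the reason strings are this example's own assumptions; in a real deployment the decision is made inside Data Virtualization and DPS.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Functional schemas the page lists as exempt from the restriction.
FUNCTIONAL_SCHEMAS = {"DVSYS", "SYSCAT"}


@dataclass
class AccessContext:  # assumed shape, constructed for this example
    user: str
    owner: str                    # object owner (creator)
    schema: str                   # schema of the virtual object
    has_db2_grant: bool           # native Db2 authorization on the object
    governed: bool                # represented by an asset in a governed catalog
    dpr_decision: Optional[bool]  # DPS outcome: True allow, False deny, None no rule


def effective_access(ctx: AccessContext, convention: str = "unlocked",
                     restrict_ungoverned: bool = False) -> Tuple[bool, str]:
    """Model of the page's access rules; returns (allowed, reason)."""
    if convention not in ("unlocked", "locked"):
        raise ValueError("convention must be 'unlocked' or 'locked'")
    # Native Db2 GRANTs are enforced at all times, whatever the DPR settings are.
    if not ctx.has_db2_grant:
        return False, "denied: no Db2 GRANT on the object"
    if ctx.governed:
        # DPS evaluates the rules; with no matching rule the convention default applies.
        if ctx.dpr_decision is not None:
            return ctx.dpr_decision, "governed: decided by data protection rule"
        return convention == "unlocked", "governed: no matching rule, convention default"
    # Ungoverned object (never published, or its catalog asset was deleted).
    if ctx.user == ctx.owner:
        return True, "ungoverned: owner is always allowed"
    if convention == "locked":
        return False, "ungoverned: locked convention, only the owner may access"
    if restrict_ungoverned:
        if ctx.schema.upper() in FUNCTIONAL_SCHEMAS:
            return True, "ungoverned: functional schema is exempt from the restriction"
        return False, "ungoverned: restricted until published to a governed catalog"
    return True, "ungoverned: unlocked convention allows access by default"


def before_and_after_restrict(ctx: AccessContext,
                              convention: str = "unlocked") -> Tuple[bool, bool]:
    """Reproduce the before/after table for one object and user."""
    return (effective_access(ctx, convention, False)[0],
            effective_access(ctx, convention, True)[0])
```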
Enabling Restrict access to ungoverned objects
- You must be a Data Virtualization Administrator to enable or disable this setting.
- Data Virtualization must be integrated with IBM Knowledge Catalog, and Data Policy Service (DPS) must be configured and enabled.
- In the Data Virtualization web client, navigate to page.
- Enable Restrict access to ungoverned objects.
- Save the configuration.
Enforcement takes effect immediately for all applicable users.
Learn more
- For more information on changing the default settings, see Managing rule settings (IBM Knowledge Catalog).