Managing users and roles (Data Virtualization)

Data Virtualization has four user roles, which are specific to the Data Virtualization environment. You can grant these roles to existing IBM® Cloud account users.

Restriction:

To avoid double masking when you use preview in Watson™ services, Data Virtualization access control is not applied when you preview a data asset (table or view) that originates from Data Virtualization. This exception applies only when data masking is in effect for the preview in Watson services.

The preview is subject only to data protection rules and to catalog or project access control.

As a result, a user who is not authorized to query an object in Data Virtualization might still be able to preview it in a catalog or project, provided they have access to that catalog or project and to the data asset. Treat Data Virtualization object grants as a control on SQL access, not on preview; use data protection rules to govern what a preview can show.

Tech preview: This is a technology preview and is not supported for use in production environments.

Data Virtualization as a service roles

There are four roles in Data Virtualization as a service: Manager (service administrator), Engineer, Steward, and User. Each of these roles can take advantage of different capabilities. These roles apply to the user's access to a Data Virtualization as a service instance, which is also known as Service access. There are also Platform roles that apply to the user's Platform access, which affects scaling and monitoring of Data Virtualization. For more information, see Identity and access management (IAM) on IBM Cloud.

For a user to have access to the Data Virtualization service, you must assign them one of the following Data Virtualization roles.
Note: Users that are added with a Data Virtualization Manager role or a Data Virtualization Engineer role must also be added as a collaborator to the Platform Assets Catalog before they can add or configure data sources.
Data Virtualization Manager
The user who provisions the Data Virtualization service is automatically assigned the Data Virtualization Manager role. After the service is provisioned, the Data Virtualization Manager can give other users access to the service.

The Data Virtualization Manager is the administrator of the Data Virtualization instance and assigns the appropriate Data Virtualization roles to other users.

Data Virtualization Engineer
Configures data sources, virtualizes data, and manages access to virtual objects. Users with this role can create a virtual table or view and grant access to it to users who hold the Engineer or User role.

Before a user with the Data Virtualization Engineer or Manager role can add a data source, the administrator of that data source must first grant that user access to the source.

Data Virtualization User

Users with this role can create views of virtual tables to which they have access.

Data Virtualization Steward

Data Virtualization Stewards can access data in all user tables and views. Additionally, Stewards hold the Db2® DATAACCESS authority on the database.

The following table summarizes the Data Virtualization menu functions that each of the Data Virtualization user roles is able to access.

Legend: Mgr, Eng, Stw and User are the Data Virtualization Manager, Engineer, Steward and User roles; P-Adm, P-Opr, P-Edt and P-Vwr are the Platform administrator, operator, editor and viewer roles.

Menu                   | Capability             | Sub item             | Mgr | Eng | Stw | User | P-Adm | P-Opr | P-Edt | P-Vwr
Virtualization         | Data source            |                      | ✓   | ✓   |     |      |       |       |       |
                       | Virtualize             |                      | ✓   | ✓   |     |      |       |       |       |
                       | My virtualized data    |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
Monitor                | Summary                |                      | ✓   | ✓   | ✓   | ✓    | ✓     | ✓     | ✓     | ✓
                       | Database partitions    |                      | ✓   |     |     |      |       |       |       |
                       | Statement              | In-flight executions | ✓   | ✓   | ✓   | ✓    | ✓     | ✓     | ✓     | ✓
                       |                        | Package cache        | ✓   |     |     |      |       |       |       |
                       |                        | Stored procedures    | ✓   |     |     |      |       |       |       |
                       | Applications           | Top consumers        | ✓   |     |     |      |       |       |       |
                       |                        | Connections          | ✓   | ✓   | ✓   | ✓    | ✓     | ✓     | ✓     | ✓
                       | Throughput             |                      | ✓   |     |     |      |       |       |       |
                       | Buffer pools           |                      | ✓   |     |     |      |       |       |       |
                       | Table performance      |                      | ✓   | ✓   | ✓   | ✓    | ✓     | ✓     | ✓     | ✓
                       | Storage                |                      | ✓   | ✓   | ✓   | ✓    | ✓     | ✓     | ✓     | ✓
Run SQL                | Run SQL                |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
Data                   | Tables                 |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
                       | Views                  |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
                       | Remote tables          |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
                       | Aliases                |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
                       | MQTs                   |                      | ✓   |     |     |      |       |       |       |
                       | Schemas                |                      | ✓   |     |     |      |       |       |       |
                       | Authorization          |                      | ✓   |     |     |      |       |       |       |
                       | Sequences              |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
                       | Application objects    |                      | ✓1  | ✓   | ✓   | ✓    |       |       |       |
User management        | User management        |                      | ✓2  |     |     |      |       |       |       |
Connection Information | Connection Information |                      | ✓   | ✓   | ✓   | ✓    |       |       |       |
Service settings       | Service settings       | General              | ✓   | ✓   | ✓   | ✓    | ✓     | ✓     | ✓     | ✓
                       |                        | Governance           | ✓   |     |     |      |       |       |       |
                       |                        | Scaling              |     |     |     |      | ✓     | ✓     | ✓     |
                       |                        | Maintenance update   |     |     |     |      | ✓     | ✓     | ✓     |
                       |                        | Access restriction   |     |     |     |      | ✓     | ✓     | ✓     |

Permissions of Data Virtualization as a service roles

The following table describes the permissions that are associated with each Data Virtualization role.
Roles Permissions
Data Virtualization Manager
  • Administer the service
  • Administer the database
  • Access data
  • Manage data sources
  • Manage users and assign Data Virtualization roles
  • Create and share any schema
Data Virtualization Engineer
  • Access connection information
  • Manage data sources
  • Create virtual tables and views
Data Virtualization User
  • Access connection information
  • Create virtual views over existing virtual tables and views
Data Virtualization Steward
  • Access connection information
  • Access data
  • Create virtual views over existing virtual tables and views
Important: To give another user or role control over a virtual object, which includes the right to grant privileges on it to other users and the right to drop the object, grant the target user or role the CONTROL privilege on that object. In Db2 syntax the object is named with ON TABLE even when it is a view, for example:
GRANT CONTROL ON TABLE schema.object TO ROLE DV_ENGINEER
CONTROL is effectively ownership of the object, so grant it to a role rather than to individual users, and only on the objects that role must manage. For more information about the CONTROL privilege, see the Db2 product documentation.
1 To explore workloads, you must have the Data Virtualization Manager role.
2 To use the user management capabilities, you must have the Data Virtualization Manager role and the Platform Administrator role.
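The following SQL is added here as an example and is not taken from the IBM documentation. It shows the difference between granting SELECT and granting CONTROL on a virtual view, how to audit the result in the Db2 catalog, and how to take CONTROL back. The view SALES.ORDERS_V and the user ALICE are hypothetical names chosen for illustration; DV_ENGINEER is the role named in the Important note above. The statements run against the Data Virtualization database (for example through Run SQL) as a user with Manager privileges.

```sql
-- Added example (not from the IBM page). SALES.ORDERS_V, ALICE and the
-- DV_ENGINEER role name are assumptions for illustration.

-- 1. Read-only sharing: ALICE can query the view but cannot share or drop it.
GRANT SELECT ON TABLE SALES.ORDERS_V TO USER ALICE;

-- 2. Delegated control: members of DV_ENGINEER can grant privileges on the
--    view to others and can drop it. Db2 names views with ON TABLE as well.
GRANT CONTROL ON TABLE SALES.ORDERS_V TO ROLE DV_ENGINEER;

-- 3. Check what the catalog recorded. GRANTEETYPE is 'U' (user), 'G' (group)
--    or 'R' (role); each *AUTH column is 'Y', 'G' (with grant option) or 'N'.
SELECT GRANTEE, GRANTEETYPE, CONTROLAUTH, SELECTAUTH, UPDATEAUTH, GRANTOR
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'SALES'
   AND TABNAME   = 'ORDERS_V'
 ORDER BY CONTROLAUTH DESC, GRANTEE;

-- 4. Periodic audit: every grantee that holds CONTROL on any object outside
--    the system schemas. A row with GRANTEETYPE = 'U' is a finding, because
--    control should be held by roles, not by individual accounts.
SELECT TABSCHEMA, TABNAME, GRANTEE, GRANTEETYPE, GRANTOR
  FROM SYSCAT.TABAUTH
 WHERE CONTROLAUTH = 'Y'
   AND TABSCHEMA NOT LIKE 'SYS%'
 ORDER BY TABSCHEMA, TABNAME, GRANTEE;

-- 5. Take control back. Re-run step 3 afterwards: any SELECT or UPDATE rows
--    that still show 'Y' or 'G' must be revoked separately.
REVOKE CONTROL ON TABLE SALES.ORDERS_V FROM ROLE DV_ENGINEER;
```

The audit query in step 4 is the check worth scheduling: the Authorization page in the Data menu shows the same information one object at a time, whereas a catalog query covers the whole instance and can be diffed between runs.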