Data source connection access restrictions in Watson Query
Collaborators
You can explicitly manage access to individual data source connections that use shared credentials in Watson Query by adding collaborators to the connection. When you create a data source connection, you can assign users, user groups, and roles as collaborators. Only those collaborators can access the data source connection.
For example, after a data source is added, you can add the Engineer role as a collaborator. All users who are assigned that role can access the connection. If you want some engineers, but not all users with that role, to have access to a data source, you would remove the role as a collaborator and then add individual users as collaborators.
If no collaborators are added other than the connection owner, then the connection is private and no one else can access it.
For more information about how to add collaborators and grant privileges, see Connecting to data sources in Watson Query.
Connection privileges
You assign specific privileges to collaborators to manage the actions that they can perform on a restricted data source.
If you assign the Engineer role as a collaborator for a connection, and then grant the role the REF privilege, all engineers can virtualize data using the connection.
You can assign the following connection privileges to users, user groups, or roles (Grantees) when you manage access restrictions for a data source connection:
- CONTROL
  The CONTROL privilege enables collaborators to drop or transfer the connection. This privilege includes the ALTER, DATAACCESS, and REF privileges. The CONTROL privilege cannot be regranted to collaborators.
- ALTER
  The ALTER privilege enables collaborators to edit the connection and set filters on it.
- DATAACCESS
  The DATAACCESS privilege enables collaborators to preview an object from the connection.
- REF
  The REF privilege enables collaborators to browse schemas, tables, and views, and to virtualize objects from the connection.
For more information about how to add collaborators and grant privileges, see Connecting to data sources in Watson Query.
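The following added example is not part of the Watson Query documentation or its API. It models the collaborator and privilege rules above in Python so that an access review can be reasoned about offline. The `User`, `Connection`, and action names are hypothetical, and it assumes that the connection owner holds CONTROL and that grants made to a user, their groups, and their roles combine.

```python
# Added illustration: a local model of the collaborator rules described on this
# page. It does not call Watson Query; all names and data are constructed.
from dataclasses import dataclass, field

# CONTROL includes ALTER, DATAACCESS and REF (from the page).
IMPLIES = {"CONTROL": {"CONTROL", "ALTER", "DATAACCESS", "REF"}}

# Privilege each action needs, per the privilege descriptions on the page.
REQUIRED = {
    "drop": "CONTROL", "transfer": "CONTROL",
    "edit": "ALTER", "set_filter": "ALTER",
    "preview": "DATAACCESS",
    "browse": "REF", "virtualize": "REF",
}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class Connection:
    owner: str
    # Grantee -> privileges; a grantee is ("user" | "group" | "role", name).
    grants: dict = field(default_factory=dict)

    def is_private(self):
        # No collaborators other than the owner: nobody else has access.
        return not self.grants

def effective_privileges(conn, user):
    if user.name == conn.owner:
        return set(IMPLIES["CONTROL"])  # assumption: owner holds CONTROL
    grantees = {("user", user.name)}
    grantees |= {("group", g) for g in user.groups}
    grantees |= {("role", r) for r in user.roles}
    privs = set()
    for grantee in grantees:  # assumption: grants from all grantees add up
        for p in conn.grants.get(grantee, ()):
            privs |= IMPLIES.get(p, {p})
    return privs

def can(conn, user, action):
    return REQUIRED[action] in effective_privileges(conn, user)

def role_wide_grants(conn):
    # Audit helper: role-level grants reach every user holding that role.
    return sorted(name for kind, name in conn.grants if kind == "role")
```

Replacing a role grant with per-user grants, as in the Engineer example above, empties `role_wide_grants` and leaves access only with the named users.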
Access control
Watson Query APIs and stored procedures explicitly check a user's privileges before allowing the user access to the data source connection to browse, preview, or virtualize data.
In the setRdbcX stored procedure, use the Options argument to enable and add access restrictions in Watson Query. For more information, see setRdbcX stored procedure (Variation 2) or setRdbcX stored procedure (Variation 1).