
Managing roles for users in Data Virtualization

Last updated: Mar 17, 2025
Managing roles for users and groups in Data Virtualization

Data Virtualization has four user roles: Admin, Engineer, User, and Steward. You can grant these roles to existing IBM Cloud account users.

The following information defines each Data Virtualization role and outlines its corresponding permissions and access.

Data Virtualization roles

Data Virtualization supports four roles: Manager (service administrator), Engineer, Steward, and User. For a user to be able to access and use the Data Virtualization service, you must assign them one of the four Data Virtualization roles. The Data Virtualization roles control access within a particular Data Virtualization instance and determine what users can do inside that Data Virtualization instance. Each of these roles can take advantage of different capabilities.

For a user to have access to the Data Virtualization service, you must assign them one of the following Data Virtualization roles.
Note: Users that are added with a Data Virtualization Manager role or a Data Virtualization Engineer role must also be added as a collaborator to the Platform assets catalog before they can add or configure data sources.
Note:
  • You assign Data Virtualization roles within the Data Virtualization service, not as part of the Identity Management Service (IAM) on IBM Cloud.
  • You can assign Data Virtualization roles directly to individual users only. You cannot assign Data Virtualization roles to IAM access groups.
Data Virtualization Manager
The Data Virtualization Manager role is automatically assigned to the user who provisions the Data Virtualization service. After the service is provisioned, the Data Virtualization Manager can give other users access to the service.

The Data Virtualization Manager is considered to be the manager of the Data Virtualization instance and assigns appropriate Data Virtualization roles to Cloud Pak for Data users.

Data Virtualization Engineer
The Data Virtualization Engineer configures the data sources, virtualizes data, and manages access to virtual objects. Users with this role can create virtual tables or views. They can also grant access to a virtual table to users with the Engineer or User role.

Data source administrators are expected to provide access to a user with a Data Virtualization Engineer or Manager role before that user can add a data source.

Data Virtualization User

Users with the Data Virtualization User role can create views of virtual tables to which they have access.

Data Virtualization Steward

Data Virtualization Stewards can access data in all user tables and views. Data Virtualization automatically grants Db2 SELECTIN authority to the Steward role on all schemas.

Note: Users must have at least one Data Virtualization role (Manager, Engineer, Steward, or User) and at least one platform role (Platform administrator, Platform Operator, Platform Editor, or Platform Viewer). The Platform Viewer role is the minimum role that must be assigned along with each Data Virtualization role, unless otherwise indicated in the table.

The following table summarizes the Data Virtualization menu functions that each of the Data Virtualization user roles is able to access.

Menu Capabilities Sub items Manager Engineer Steward User Platform administrator Platform operator Platform editor Platform viewer
Virtualization Data sources              
  Virtualize              
  Virtualized data          
  Cache Management                
    Autocaching              
Monitor dashboard. Summary   1 1 1        
  Database Database partitions      
    Database time spent        
    Database usage        
  Statement Individual executions 2              
    In-flight executions        
    Package cache 2            
    Stored procedures              
  Applications Top consumers 2              
    Connections        
  Throughput Connection summary 2            
    Operating system time spent 2              
    Partition skew 2              
    Partition summary 2              
    WLM service class summary 2              
    WLM workload summary 2              
  I/O Buffer pools      
    Prefetchers        
    Logging performance        
  Storage Storage        
    Table performance        
    Table space performance        
                     
Run SQL Run SQL          
Explorer Tables          
  Views          
  Indexes          
  Remote tables          
  Aliases          
  MQTs                
  Schemas                
  Sequences          
  Application objects  
Note: Users with the User role can only view the User-defined Types tab on the Application objects page.
       
  Authorization                
  Workload                
User management User management  
Note: To access User management, a user must have both the Data Virtualization Manager role and the Platform administrator role.
           
Configure connection            
Settings Event monitor profile                
  Monitoring profile                
  Service settings General          
    Governance 3          
    Scaling   4 4 4  
    History   4 4 4  
    Access restriction         4 4 4 4

Permissions of Data Virtualization roles

The following table describes the permissions that are associated with each Data Virtualization role.
Data Virtualization features Manager Engineer User Steward
Provision Data Virtualization*      
User management      
Cache management      
Data sources    
Virtualize    
Virtualized data
Configure connection
Service settings**  
Explorer
Monitor dashboard
Run SQL
Roles Permissions
Data Virtualization Manager
  • Administer the service.
  • Administer the database.
  • Access data.
  • Access cache management.
  • Manage data sources.
  • Manage users and assign Data Virtualization roles.
  • Create and share any schema.
  • Manage data caches.
  • Manage data queries.
Data Virtualization Engineer
  • Access connection information.
  • Manage data sources.
  • Create virtual tables and views.
Data Virtualization User
  • Access connection information.
  • Create virtual views over existing virtual tables and views.
Data Virtualization Steward
  • Access connection information.
  • Access data.
  • Create virtual views over existing virtual tables and views.
  • Create and manage private schema.
Important: The CONTROL privilege on an object includes the privileges to grant permissions on that object to other users and to remove the virtual object. To give another user or role this level of control, grant the CONTROL privilege on that object to the target user or role, as shown in the following example.
GRANT CONTROL ON object TO ROLE DV_ENGINEER
For more information about the CONTROL privilege, see the Db2 product documentation.
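The following is an added example, not part of the original documentation. It shows the grant scoped to a single object, followed by a check of who holds CONTROL on it and how to remove it. The schema `SALES` and virtual table `ORDERS_V` are placeholder names, and the example assumes that your role can read the Db2 catalog view `SYSCAT.TABAUTH` and has the authority to grant and revoke CONTROL.

```sql
-- Placeholder object: SALES.ORDERS_V (constructed name, replace with your own).
-- DV_ENGINEER is the role used in the example on this page.

-- 1. Grant CONTROL on one named object only, so that the ability to
--    re-grant privileges and drop the object stays limited to it.
GRANT CONTROL ON TABLE SALES.ORDERS_V TO ROLE DV_ENGINEER;

-- 2. Review every grantee that currently holds CONTROL on the object.
--    GRANTEETYPE is 'U' for a user, 'G' for a group, 'R' for a role.
SELECT GRANTEE,
       GRANTEETYPE,
       GRANTOR,
       CONTROLAUTH
FROM   SYSCAT.TABAUTH
WHERE  TABSCHEMA   = 'SALES'
  AND  TABNAME     = 'ORDERS_V'
  AND  CONTROLAUTH = 'Y'
ORDER BY GRANTEETYPE, GRANTEE;

-- 3. Remove the access when it is no longer needed.
--    In Db2, revoking CONTROL does not revoke the other privileges
--    on the object, so revoke those as a separate step.
REVOKE CONTROL ON TABLE SALES.ORDERS_V FROM ROLE DV_ENGINEER;
REVOKE ALL     ON TABLE SALES.ORDERS_V FROM ROLE DV_ENGINEER;

-- 4. Confirm that no table-level privileges remain for the role.
SELECT GRANTEE, CONTROLAUTH, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
FROM   SYSCAT.TABAUTH
WHERE  TABSCHEMA   = 'SALES'
  AND  TABNAME     = 'ORDERS_V'
  AND  GRANTEE     = 'DV_ENGINEER'
  AND  GRANTEETYPE = 'R';
```

Because the grant targets a role, every user who holds that role receives CONTROL on the object, so the review in step 2 is worth repeating whenever role membership changes.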

Platform roles

There are also IAM Platform access roles that apply to the user's Platform access. IAM Platform access roles provide permissions to manage the IBM Cloud account and to access IBM Cloud Pak for Data as a Service functions such as scaling and monitoring of Data Virtualization.

The Platform Operator and Editor can access the same set of common functions in Data Virtualization to configure and operate service instances. For more information, see Add users to the account.

An Operator can also perform the following tasks.
  • Configure and operate, but not provision, service instances of Data Virtualization.
  • View service dashboards for Data Virtualization.
The Editor role provides access to these permissions within Cloud Pak for Data as a Service.
  • All Viewer role permissions.
  • Permission to provision instances of services.
  • Permission to update plans for service instances.

For more information, see Identity and access management (IAM) on IBM Cloud®.

What to do next

1 For Engineer, Steward, and User roles, only Responsiveness and Throughput widgets are available on the Summary page.
2 Only the Manager role can access this item.
3 Only the Manager role can change the Governance setting.
4 A Data Virtualization user is needed.