Managing roles for users in Data Virtualization

Last updated: Mar 17, 2025

Managing roles for users and groups in Data Virtualization

Data Virtualization has four user roles: Admin, Engineer, User, and Steward. You can grant these roles to existing IBM Cloud account users.

The following information defines each Data Virtualization role and outlines their corresponding permissions and access.

Data Virtualization roles
Permissions of Data Virtualization roles
Platform roles

Data Virtualization roles

Data Virtualization supports four roles: Manager (service administrator), Engineer, Steward, and User. For a user to be able to access and use the Data Virtualization service, you must assign them one of the four Data Virtualization roles. The Data Virtualization roles control access within a particular Data Virtualization instance and determine what users can do inside that Data Virtualization instance. Each of these roles can take advantage of different capabilities.

For a user to have access to the Data Virtualization service, you must assign them one of the following Data Virtualization roles.

Note: Users that are added with a Data Virtualization Manager role or a Data Virtualization Engineer role must also be added as a collaborator to the Platform assets catalog before they can add or configure data sources.

Note:

You assign Data Virtualization roles within the Data Virtualization service, not as part of the Identity Management Service (IAM) on IBM Cloud.
You can assign Data Virtualization roles directly to individual users only. You cannot assign Data Virtualization roles to IAM access groups.

Data Virtualization Manager: The Data Virtualization Manager role is automatically assigned to the user who provisions the Data Virtualization service. After the service is provisioned, the Data Virtualization Manager can give other users access to the service.
The Data Virtualization Manager is considered to be the manager of the Data Virtualization instance and assigns appropriate Data Virtualization roles to Cloud Pak for Data users.
Data Virtualization Engineer: The Data Virtualization Engineer configures the data sources, virtualizes data, and manages access to virtual objects. Users with this role can create a virtual table or views. They can also grant access of the virtual table to users with the Engineer or User role.
Data source administrators are expected to provide access to a user with a Data Virtualization Engineer or Manager role before that user can add a data source.
Data Virtualization User: The Data Virtualization User role can create views of virtual tables to which they have access.
Data Virtualization Steward: Data Virtualization Stewards can access data in all user tables and views. Data Virtualization automatically grants Db2 SELECTIN authority to the Steward role on all schemas.

Note: Users must have at least one Data Virtualization role (Manager, Engineer, Steward, or User) and at least one platform role (Platform administrator, Platform Operator, Platform Editor, or Platform Viewer). The Platform Viewer role is the minimum role that must be assigned along with each Data Virtualization role, unless otherwise indicated in the table.

The following table summarizes the Data Virtualization menu functions that each of the Data Virtualization user roles is able to access.

Menu	Capabilities	Sub items	Manager	Engineer	Steward	User	Platform administrator	Platform operator	Platform editor	Platform viewer
Virtualization	Data sources		✓	✓
	Virtualize		✓	✓
	Virtualized data		✓	✓	✓	✓
	Cache Management		✓
		Autocaching	✓
Monitor dashboard.	Summary		✓	✓^¹	✓^¹	✓^¹
	Database	Database partitions	✓	✓	✓	✓				✓
		Database time spent	✓	✓	✓	✓
		Database usage	✓	✓	✓	✓
	Statement	Individual executions	✓^²
		In-flight executions	✓	✓	✓	✓
		Package cache	✓^²
		Stored procedures	✓
	Applications	Top consumers	✓^²
		Connections	✓	✓	✓	✓
	Throughput	Connection summary	✓^²
		Operating system time spent	✓^²
		Partition skew	✓^²
		Partition summary	✓^²
		WLM service class summary	✓^²
		WLM workload summary	✓^²
	I/O	Buffer pools	✓	✓	✓	✓
		Prefetchers	✓	✓	✓	✓
		Logging performance	✓	✓	✓	✓
	Storage	Storage	✓	✓	✓	✓
		Table performance	✓	✓	✓	✓
		Table space performance	✓	✓	✓	✓

Run SQL	Run SQL		✓	✓	✓	✓
Explorer	Tables		✓	✓	✓	✓
	Views		✓	✓	✓	✓
	Indexes		✓	✓	✓	✓
	Remote tables		✓	✓	✓	✓
	Aliases		✓	✓	✓	✓
	MQTs		✓
	Schemas		✓
	Sequences		✓	✓	✓	✓
	Application objects		✓	✓	✓	✓ Note: Users with the User role can only view the User-defined Types tab on the Application objects page.
	Authorization		✓
	Workload		✓
User management	User management		✓ Note: To access User management, a user must have both the Data Virtualization Manager role and the Platform administrator role.				✓
Configure connection			✓	✓	✓	✓
Settings	Event monitor profile		✓
	Monitoring profile		✓
	Service settings	General	✓	✓		✓
		Governance	✓^³	✓		✓
		Scaling	✓	✓		✓	✓^⁴	✓^⁴	✓^⁴
		History	✓	✓		✓	✓^⁴	✓^⁴	✓^⁴
		Access restriction					✓^⁴	✓^⁴	✓^⁴	✓^⁴

Permissions of Data Virtualization roles

The following table describes the permissions that are associated with each Data Virtualization role.

Data Virtualization features	Manager	Engineer	User	Steward
Provision Data Virtualization^*	✓
User management	✓
Cache management	✓
Data sources	✓	✓
Virtualize	✓	✓
Virtualized data	✓	✓	✓	✓
Configure connection	✓	✓	✓	✓
Service settings^**	✓	✓		✓
Explorer	✓	✓	✓	✓
Monitor dashboard	✓	✓	✓	✓
Run SQL	✓	✓	✓	✓

Roles	Permissions
Data Virtualization Manager	Administer the service. Administer the database. Access data. Access cache management. Manage data sources. Manage users and assign Data Virtualization roles. Create and share any schema. Manage data caches. Manage data queries.
Data Virtualization Engineer	Access connection information. Manage data sources. Create virtual tables and views.
Data Virtualization User	Access connection information. Create virtual views over existing virtual tables and views.
Data Virtualization Steward	Access connection information. Access data. Create virtual views over existing virtual tables and views. Create and manage private schema.

Important: To grant another user control on an object, including privileges to grant permissions to other users, and to remove a virtual object, the target user or role must be granted the CONTROL privilege on that object as shown in the following example.

GRANT CONTROL on object to ROLE DV_ENGINEER

For more information about the CONTROL privilege, see the Db2 product documentation.

Platform roles

There are also IAM Platform access roles that apply to the user's Platform access. IAM Platform access roles provide permissions to manage the IBM Cloud account and to access IBM Cloud Pak for Data as a Service functions such as scaling and monitoring of Data Virtualization.

The Platform Operator and Editor can access the same set of common functions in Data Virtualization to configure and operate service instances. For more information, see Add users to the account.

An Operator can also perform the following tasks.

Configure and operate, but not provision, service instances of Data Virtualization.
View service dashboards for Data Virtualization.

The Editor role provides access to these permissions within Cloud Pak for Data as a Service.

All Viewer role permissions.
Permission to provision instances of services.
Permission to update plans for service instances.

For more information, see Identity and access management (IAM) on IBM Cloud®.

What to do next

¹ For Engineer, Steward, and User roles, only Responsiveness and Throughput widgets are available on the Summary page.

² Only the Manager role can access this item.

³ Only the Manager role can change the Governance setting.

⁴ A Data Virtualization user is needed.

Was the topic helpful?

0/1000

Data Virtualization rolesCopy link to section

Permissions of Data Virtualization rolesCopy link to section

Platform rolesCopy link to section

What to do nextCopy link to section

Data Virtualization roles

Permissions of Data Virtualization roles

Platform roles

What to do next