Adding data source connections to Data Virtualization to connect with personal credentials

Last updated: Mar 17, 2025
Adding connections from existing data source connections to Data Virtualization by using personal credentials
By default, Data Virtualization connects to its data sources with the credentials of the user who added the data source connection to Data Virtualization, regardless of what user is using the system. You can enable connectivity to data sources using individual user's personal credentials, which allows the data source to enforce its access controls to individual users. You can use your personal credentials that are associated with platform connections when you add and use connections from the existing data source connections in Data Virtualization.
Note:

Pass-through authentication with the use of personal credentials in Data Virtualization is available only as an early preview. Do not use this feature in production environments.

When you enable pass-through authentication, a user can add a connection and define it so that when a virtual table is queried, the user’s personal credentials, as defined in the platform connection, are passed through to authenticate with the data source.

When pass-through authentication is disabled, the shared credentials for one account are used for every query, regardless of which user is connected and running the query. When a user creates a platform connection that uses personal credentials and then adds it to Data Virtualization, all users connect to the data source by using the credentials of that user because they added the connection.

Important:

When pass-through authentication is enabled, caches (including user and automatically generated caches) cannot be created for data sources that use personal credentials. To enable cache creation, see TOGGLEPERSONALCREDENTIALSUSEINCACHE stored procedure in Data Virtualization.

Also if a cache is created on a virtual object, the data is placed within the Data Virtualization access and governance model and bypasses any controls that might be implemented on the data source. To protect data properly, administrators must ensure that appropriate access lists and governance policies are defined on the virtual objects within Data Virtualization and the governed catalog before they create a cache.

Example with pass-through authentication enabled
Gina is a Data Virtualization Admin user who adds a Data Virtualization connection to Db2 for z/OS. To add this connection, Gina needs to use personal credentials that provide access to tables at the data source. After Gina adds the connection, Lee, a Data Virtualization engineer, virtualizes data in the source tables that Gina's personal credentials have access to. Kyle, a Data Virtualization user, then uses his own personal credentials, which he set up in platform connections, to add and use the virtualizations that Lee created.
Example with pass-through authentication disabled
Gina is a Data Virtualization Admin user who adds a Data Virtualization connection to Db2 for z/OS. To add this connection, Gina needs to use personal credentials that provide access to tables at the data source. After Gina adds the connection, Lee, a Data Virtualization engineer, virtualizes data in the source tables that Gina's personal credentials have access to. Kyle, a Data Virtualization user, then uses Gina's credentials to use the virtualizations that Lee created.

Before you begin

If you plan to query tables for a data source by using personal credentials, ensure that the following requirements are met:
  • Pass-through authentication must be enabled by an administrator. For more information, see Enabling and disabling pass-through authentication in Data Virtualization.
  • You must have access to the data source in platform connections so that you can add your credentials to the data source. For more information, see Managing collaborators on platform connections.
  • To enable personal credentials, you must first create the connection in the Platform connections page. Ensure you select Personal as the credential option, which requires each user to enter their own credentials for accessing data. You cannot change this option once you create the connection.
    Note: With personal credentials, each user must input their own credentials in Catalogs > Platform assets catalog, or else they will encounter errors when attempting to virtualize or preview Data Virtualization related tasks.
  • To use personal credentials, you need to set your API key in IAM by following these steps.
    1. In IAM, navigate to Access.
    2. Navigate to API keys and then select Create.
    3. Run the DVAASUSERAPIKEY stored procedure. For more information, see DVAASUSERAPIKEY stored procedure.
      call dvsys.setDVAASUSERAPIKEY(<USER_API_KEY>)`
Gather the following information that you need when you run the following commands, to set the configuration options and add the connection:
Hostname
The data source hostname.
Port
The network port of the data source service.
Database Name

The name of the database for the connection.

Connection Options
Specifies a comma-delimited list of extra options in the following format: '<key1>=<value1>, <key2>=<value2>, ...'.
User
The data source username. The username and password should have higher authority in the data source that you are connecting to. The username and password are used in operations such as getting database metadata or gathering statistics from a catalog or by a query.
Password

The password for the specified user.

SSL
Specifies whether the database connection uses SSL. Valid values are 0 (the connection does not use SSL) and 1 (the connection uses SSL).
Node Name
The node that you are adding the data source to. To find valid node names, run the following query:
SELECT * FROM DVSYS.LISTNODES;
Note: Adding too many data sources to the same node impacts performance. To check which nodes already have associated data sources, run the following query:
SELECT * FROM DVSYS.LISTRDBC;
CCID
The unique identifier of the platform connection, which can be found included in the URL of the connection.
To find the CCID, navigate to the Connectivity page, select the Platform connections tab, and then select the connection. Then refer to the URL to find the CCID.
Example URL
In the following URL, the CCID is 5728a13e-7e22-4182-82c5-51c246983745
https://dataplatform.dev.cloud.ibm.com/connections/5728a13e-7e22-4182-82c5-51c246983745?catalog_id=d3068196-b097-4244-88a2-4f83dd2ce087&context=cpdaas&redirect_url=https%3A%2F%2Fdataplatform.dev.cloud.ibm.com%2Fdata%2Fconnections%2F%3Fcontext%3Dcpdaas&cancel_url=https%3A%2F%2Fdataplatform.dev.cloud.ibm.com%2Fdata%2Fconnections%2F%3Fcontext%3Dcpdaas&global_connection=true&tearsheet_mode=false
CID
The unique identifier of the data source connection. Run the following command to get the cid from the dvsys.rdb_connections table:
select cid, url from dvsys.rdb_connections;
You can also find this identifier in the UI. Go to Data > Data virtualization and expand the connection on the Data sources page to see the CID.
CCDEFINER
The platform’s unique identifier for a user. This identifier is the same as the one that is used to identify the user that is adding the connection to Data Virtualization. This user is also the user who created the connection in platform connections and whose credentials to the data source are being passed in the User and Password parameters. To find a user’s unique identifier, go to Administration > Access Control. The identifier is the value in the User ID column.

The CCDEFINER is the Db2 session user, which you can obtain by running the following command:
SELECT SESSION_USER FROM SYSIBM.SYSDUMMY1

Adding connections to Data Virtualization by using personal credentials

To add the connection, set the configuration options on the Data Virtualization connection by running the setrdbcx SQL command in the Run SQL interface, as shown in the following example:

call dvsys.setrdbcx('DB2','9.30.167.128',50000,'SAMPLE','','<user>','<password>',0,0,'','','qpendpoint_1:6415','CCID=611335a2-164b-4873-be5e-074989d12dee,CCDEFINER=1000330999,USE_PERSONAL_CREDENTIALS=TRUE',?,?,?)

For more information about the setrdbcx stored procedure, see setRdbcX stored procedure (Variation 1) or setRdbcX stored procedure (Variation 2).

Editing connections that are added to Data Virtualization by using personal credentials

After you add a data source connection to Data Virtualization by using personal credentials, do not edit the data source connection in Data Virtualization user interface because the OPTIONS_CSV will be overwritten. To edit a connection that you added by using the setrdbcx, use the additional option EDITCID=CID (Connection ID) of the data source to be edited, as shown in the following example:

dvsys.setrdbcx('DB2','9.30.167.128',50000,'SAMPLE','','db2inst1','db2inst1',0,0,'','','qpendpoint_1:6415','CCID=611335a2-164b-4873-be5e-074989d12dee,CCDEFINER=1000330999,USE_PERSONAL_CREDENTIALS=TRUE,EDITCID=DB210000',?,?,?)

For more information about the setrdbcx stored procedure, see setRdbcX stored procedure (Variation 1) or setRdbcX stored procedure (Variation 2).

Limitations and known issues