Adding data source connections to Data Virtualization to connect with personal credentials
Pass-through authentication with the use of personal credentials in Data Virtualization is available only as an early preview. Do not use this feature in production environments.
When you enable pass-through authentication, a user can add a connection and define it so that when a virtual table is queried, the user’s personal credentials, as defined in the platform connection, are passed through to authenticate with the data source.
When pass-through authentication is disabled, the shared credentials for one account are used for every query, regardless of which user is connected and running the query. When a user creates a platform connection that uses personal credentials and then adds it to Data Virtualization, all users connect to the data source by using the credentials of that user because they added the connection.
When pass-through authentication is enabled, caches (including user and automatically generated caches) cannot be created for data sources that use personal credentials. To enable cache creation, see TOGGLEPERSONALCREDENTIALSUSEINCACHE stored procedure in Data Virtualization.
Also if a cache is created on a virtual object, the data is placed within the Data Virtualization access and governance model and bypasses any controls that might be implemented on the data source. To protect data properly, administrators must ensure that appropriate access lists and governance policies are defined on the virtual objects within Data Virtualization and the governed catalog before they create a cache.
- Example with pass-through authentication enabled
- Gina is a Data Virtualization Admin user who adds a Data Virtualization connection to Db2 for z/OS. To add this connection, Gina needs to use personal credentials that provide access to tables at the data source. After Gina adds the connection, Lee, a Data Virtualization engineer, virtualizes data in the source tables that Gina's personal credentials have access to. Kyle, a Data Virtualization user, then uses his own personal credentials, which he set up in platform connections, to add and use the virtualizations that Lee created.
- Example with pass-through authentication disabled
- Gina is a Data Virtualization Admin user who adds a Data Virtualization connection to Db2 for z/OS. To add this connection, Gina needs to use personal credentials that provide access to tables at the data source. After Gina adds the connection, Lee, a Data Virtualization engineer, virtualizes data in the source tables that Gina's personal credentials have access to. Kyle, a Data Virtualization user, then uses Gina's credentials to use the virtualizations that Lee created.
Before you begin
If you plan to query tables for a data source by using personal credentials, ensure that the following requirements are met:- Pass-through authentication must be enabled by an administrator. For more information, see Enabling and disabling pass-through authentication in Data Virtualization.
- You must have access to the data source in platform connections so that you can add your credentials to the data source. For more information, see Managing collaborators on platform connections.
- To enable personal credentials, you must first create the connection in the Platform
connections page. Ensure you select Personal as the credential
option, which requires each user to enter their own credentials for accessing data. You cannot
change this option once you create the connection.Note: With personal credentials, each user must input their own credentials in , or else they will encounter errors when attempting to virtualize or preview Data Virtualization related tasks.
-
To use personal credentials, you need to set your API key in IAM by following these steps.
- In IAM, navigate to Access.
- Navigate to API keys and then select Create.
- Run the DVAASUSERAPIKEY stored procedure. For more information, see DVAASUSERAPIKEY stored procedure.
call dvsys.setDVAASUSERAPIKEY(<USER_API_KEY>)`
- Hostname
- The data source hostname.
- Port
- The network port of the data source service.
- Database Name
-
The name of the database for the connection.
- Connection Options
- Specifies a comma-delimited list of extra options in the following format:
.'<key1>=<value1>, <key2>=<value2>, ...'
- User
- The data source username. The username and password should have higher authority in the data source that you are connecting to. The username and password are used in operations such as getting database metadata or gathering statistics from a catalog or by a query.
- Password
-
The password for the specified user.
- SSL
- Specifies whether the database connection uses SSL. Valid values are 0 (the connection does not use SSL) and 1 (the connection uses SSL).
- Node Name
- The node that you are adding the data source to. To find valid node names, run the following query:
SELECT * FROM DVSYS.LISTNODES;
Note: Adding too many data sources to the same node impacts performance. To check which nodes already have associated data sources, run the following query:SELECT * FROM DVSYS.LISTRDBC;
- CCID
- The unique identifier of the platform connection, which can be found included in the URL of the connection.
- CID
- The unique identifier of the data source connection. Run the following command to get the
from thecid
table:dvsys.rdb_connections
You can also find this identifier in the UI. Go to and expand the connection on the Data sources page to see the CID.select cid, url from dvsys.rdb_connections;
- CCDEFINER
- The platform’s unique identifier for a user. This identifier is the same as the one that is used
to identify the user that is adding the connection to Data Virtualization. This user is also the
user who created the connection in platform connections and whose credentials to the data source are
being passed in the User and Password parameters. To find
a user’s unique identifier, go to
. The identifier is the value in the User ID
column.
The CCDEFINER is the Db2 session user, which you can obtain by running the following command:
SELECT SESSION_USER FROM SYSIBM.SYSDUMMY1
Adding connections to Data Virtualization by using personal credentials
To add the connection, set the configuration options on the Data Virtualization connection by running the setrdbcx SQL command in the Run SQL interface, as shown in the following example:
call dvsys.setrdbcx('DB2','9.30.167.128',50000,'SAMPLE','','<user>','<password>',0,0,'','','qpendpoint_1:6415','CCID=611335a2-164b-4873-be5e-074989d12dee,CCDEFINER=1000330999,USE_PERSONAL_CREDENTIALS=TRUE',?,?,?)
For more information about the setrdbcx stored procedure, see setRdbcX stored procedure (Variation 1) or setRdbcX stored procedure (Variation 2).
Editing connections that are added to Data Virtualization by using personal credentials
After you add a data source connection to Data Virtualization by using personal credentials, do not edit the data source connection in Data Virtualization user interface because the OPTIONS_CSV will be overwritten. To edit a connection that you added by using the setrdbcx, use the additional option EDITCID=CID (Connection ID) of the data source to be edited, as shown in the following example:
dvsys.setrdbcx('DB2','9.30.167.128',50000,'SAMPLE','','db2inst1','db2inst1',0,0,'','','qpendpoint_1:6415','CCID=611335a2-164b-4873-be5e-074989d12dee,CCDEFINER=1000330999,USE_PERSONAL_CREDENTIALS=TRUE,EDITCID=DB210000',?,?,?)
For more information about the setrdbcx stored procedure, see setRdbcX stored procedure (Variation 1) or setRdbcX stored procedure (Variation 2).
Limitations and known issues
- The Explore view in the Data Virtualization web client only displays the tables and views that the user has access to for data sources that have personal credentials enabled.
- The List view on the Virtualize page does not consistently display tables or views.