Denodo Source Database Permissions For SQL Server

Denodo does not publish a concise list of the permissions Denodo needs in a source database, so I thought I would document what is required for a SQL Server data source.

Source Database Denodo Access Permissions

Assuming there is no need to write back to the source database, the data source connection permissions in the SQL Server source database should be:

  • Read And View Definitions access
  • Create tables (for data movement optimization), and
  • Access to getSchemas()

Why Create Table, Not Just Temporary Table?

The reason Denodo needs create table permissions, rather than just create temporary table permissions, is that temporary tables are only valid within the connection that created them. Data Movement makes use of multiple connections, so it cannot rely on the temporary table mechanism.

What If You Need Write-Back Capabilities on the Data Source Connection?

If you had a use case where users would need to write back to the SQL Server database via Denodo, the Insert/Update permissions would need to be added to the list above.
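
The permission list above expressed as T-SQL grants, as an added example that is not Denodo's own script. The names SourceDb, denodo_svc, sales and denodo_dm are hypothetical, and the example assumes that getSchemas() refers to the JDBC metadata call, which SQL Server answers according to the permissions the account holds.

```sql
-- Added example. Hypothetical names: SourceDb (source database),
-- denodo_svc (service account), sales (schema Denodo reads),
-- denodo_dm (scratch schema for Data Movement tables).
USE master;
GO
CREATE LOGIN denodo_svc
    WITH PASSWORD = '<generated-secret-placeholder>', CHECK_POLICY = ON;
GO

USE SourceDb;
GO
CREATE USER denodo_svc FOR LOGIN denodo_svc WITH DEFAULT_SCHEMA = denodo_dm;
GO
-- CREATE SCHEMA must be the first statement in its batch.
-- The service account owns only this scratch schema, so tables it creates
-- stay out of the business schemas.
CREATE SCHEMA denodo_dm AUTHORIZATION denodo_svc;
GO

-- 1. Read and View Definitions, scoped to the source schema instead of the
--    whole database. Metadata visibility follows these grants.
GRANT SELECT          ON SCHEMA::sales TO denodo_svc;
GRANT VIEW DEFINITION ON SCHEMA::sales TO denodo_svc;

-- 2. Create tables. SQL Server requires the database-level CREATE TABLE
--    permission plus ALTER on the target schema. Owning denodo_dm covers
--    the second part there; no ALTER is granted on sales, so the account
--    cannot create tables in the source schema.
GRANT CREATE TABLE TO denodo_svc;

-- 3. Write-back only: uncomment if users must insert or update via Denodo.
-- GRANT INSERT, UPDATE ON SCHEMA::sales TO denodo_svc;
GO

-- Review the effective permissions as the service account before handing
-- the credentials to Denodo.
EXECUTE AS USER = 'denodo_svc';
SELECT
    HAS_PERMS_BY_NAME('sales', 'SCHEMA', 'SELECT')          AS read_sales,
    HAS_PERMS_BY_NAME('sales', 'SCHEMA', 'VIEW DEFINITION') AS view_def_sales,
    HAS_PERMS_BY_NAME('sales', 'SCHEMA', 'INSERT')          AS insert_sales,
    HAS_PERMS_BY_NAME('sales', 'SCHEMA', 'ALTER')           AS alter_sales,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS create_table;
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```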

What is a SEM, SIEM, SIM?


What is a Security Event Manager (SEM) (also, SIEM and SIM)?

SIEM technology aggregates event data produced by security devices, network infrastructures, systems, and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as NetFlow and packet capture. Event data is combined with contextual information about users, assets, threats, and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.


The acronyms SEM, SIM, and SIEM are often used synonymously and mean:

  • Security Information Management (SIM)
  • Security information and event management (SIEM)
  • Security Event Manager (SEM)

Major Functions:

SIEM performs four major functions:

  1. Log Consolidation
  2. Threat Correlation
  3. Incident Management
  4. Reporting

Why Use SIEM?

SIEM is used:

  • To monitor and improve operational efficiency and effectiveness
  • To perform log management and aid performance
  • For compliance record keeping and reporting

What is Role-Based Access Control (RBAC)?

Role-Based Access Control (RBAC)

Role-based access control (RBAC) is a method of access security that is based on a person’s role within a business. It provides security by allowing employees to access only the information they need to do their jobs, while preventing them from accessing additional information that is not relevant to them. A security role is a collection of permissions that grants access to applications, and to functions within applications, appropriate to the role's business mission. Roles generally follow the principle of least privilege (PoLP).

What is Secure Sockets Layer (SSL)?

Secure Sockets Layer (SSL)

SSL (Secure Sockets Layer) is a standard security technology for establishing encrypted communications between a server and a client. SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Specifically, SSL is a security protocol, which determines variables of the encryption for both the link and the data being transmitted.

Infosphere Information Server – Secure Sockets Layer (SSL)

One of the changes between the old versions of IBM InfoSphere Information Server (IIS) and versions 11.3 and 11.5, which may not be obvious, is the improvement in Secure Sockets Layer (SSL) support. Beginning with 11.3, all communication between the client and the services tier is done over HTTPS (SSL). This includes all clients that access the services tier, whether a rich desktop client, a browser-based client or a command-line client.


Related Reference

About SSL communication in InfoSphere Information Server

InfoSphere Information Server, InfoSphere Information Server 11.5.0, Administering, Managing security, Security setup, Managing certificates, About SSL communication in InfoSphere Information Server

What is Protected Health Information (PHI)?

Protected Health Information (PHI)

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information protected health information (PHI).

Protected Health Information (PHI) is information, including demographic data, which relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,
  • the individual’s identity, including Personally Identifiable Information (PII), or for which there is a reasonable basis to believe it can be used to identify the individual.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. It includes information that is linked or linkable to an individual, such as medical, educational, financial and employment information.

Furthermore, Personally Identifiable Information (PII) is information which:

  • directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.), or
  • indirectly identifies an individual (these data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors), or
  • permits the physical or online contact of a specific individual.
