Domino data sources use Domino connectors to connect to external data stores. Data source permissions determine who is authorized to access a data source.
Depending on their permissions and credentials, users can modify data in the external data store from Domino. By understanding how data source credentials and sharing work, you can ensure that your collaborators have the appropriate kind of access to your data sources.
There are two methods of initializing credentials when creating a Domino Data Source: service account, and individual credentials. These two methods are defined below:
-
Service account
With this approach, anyone with permissions to access the Domino Data Source uses the same credentials (those of the service account). Only a Domino admin can create a data source that uses a service account, at Admin > Data > Data Sources > Create a Data Source.
CautionIf the service account has write access to the data store, then anyone with access to the data source can modify data in the external data store from Domino. Make sure the service account has permissions that are appropriate for all of its Domino users. -
Individual credentials
Each user who accesses the data source must set up their own credentials. Once their credentials are set up in Domino, they do not need to re-enter them when accessing the data source.
CautionIf a user’s individual credentials give them write access to the data store, then they can modify data in the external data store from Domino.
The Data Source owner or a Domino admin can grant access to the Data Source for specific users or organizations. Admin can also make it available to everyone in the Domino deployment.
When multiple users collaborate on a project, a data source used by one user might not be properly configured for another. Domino will proactively surface such problems both from the project’s Data page as well as from the Data tab in Domino Workspaces.
Change a Data Source’s permissions
To edit the share permissions for a data source, go to Data > Data Sources, select your data source, and click Update Permissions.
-
To limit access to this data source, select Specific users or organizations and add or remove users or organizations as appropriate.
-
Admin can select Everyone to share this data source with all users in the deployment.
Note that you cannot change the credential method (service account or individual credentials) for an existing data source. To change the credential method, you must create a new data source. If you do this, consider deleting the old data source and notifying users that they should use the new one.
The Domino Data API is used to access Domino data sources. When you use the Data API from a Domino execution, your user identity is verified automatically to enforce Domino permissions. The library attempts to use a Domino JWT token, or, if not available, a user API key.
The following is a summary of the user identity that will be used for access to a data source based on the Domino execution type:
-
Workspaces and Jobs: The user who started the execution.
-
Launchers: The user who started the launcher regardless of who created the launcher.
-
Domino Apps: The user who published the app regardless of who is accessing the app.
-
Model API - No user identity.
For Model APIs and other advanced use cases that require establishing a different user identity, you inject an API key into an execution with an environment variable. Then, you can use it explicitly when retrieving a data source.
For detailed information, see Authentication in the API documentation.
When directly accessing an external data store, it is up to you to configure the appropriate authentication and access control.
In cases of directly accessing common AWS data stores (such as S3, Redshift, or Postgres) within an AWS deployment, Domino can propagate an IAM token down through your query.