After Hybrid Data Pipeline has been registered as a client application with the data store, OAuth 2.0 access may be implemented by creating OAuth application and profile objects. After creating the application and profile objects, you can then configure a data source to use the OAuth authorization code grant. OAuth 2.0 access to data stores using application and profile objects may be implemented in the Web UI or with the Hybrid Data Pipeline API. See the following topics for step-by-step instructions.

Permissions and limitations

OAuth application object

The OAuth application object contains the information that identifies Hybrid Data Pipeline as a registered application with the data store. In a multitenant environment, an OAuth application object can be created for a tenant. When an OAuth application is created for the system tenant, it can be used by users in either the system tenant or a child tenant to create data sources on supported data stores. When an OAuth application is created for a child tenant, it can only be used by users in the child tenant to create data sources. Even though they will be able to view OAuth application objects that exist in child tenants, administrators who reside in the system tenant can only use the OAuth application object in the system tenant when creating their own data sources. An OAuth application object must be created for the system tenant to permit the creation of data sources by users, including administrators, in the system tenant.

The permissions required to create and modify OAuth application objects for data stores depend on the tenant in which the user resides and the tenants for which the user has administrative access. With the Administrator (12) permission, a user can create an OAuth application object in any tenant across the system. With the MgmtAPI (11) and OAuth (28) permissions, a user in the system tenant can create an OAuth application object for the system tenant. This user can also create OAuth application objects for tenants for which he or she has administrative access. With the MgmtAPI (11) and OAuth (28) permissions, a user in a child tenant can create an OAuth application object only in the tenant in which he or she resides.
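The tenant rules in this section, modeled as an added Python example that is not Hybrid Data Pipeline code or its API. The `User` class, the `"system"` tenant label, the sample tenant names, and the function names are assumptions for illustration; only the permission ids come from this page.

```python
from dataclasses import dataclass

# Permission ids as listed on this page.
ADMINISTRATOR, MGMT_API, OAUTH = 12, 11, 28
SYSTEM = "system"  # assumed label for the system tenant


@dataclass(frozen=True)
class User:  # hypothetical model of a Hybrid Data Pipeline user
    tenant: str
    permissions: frozenset
    administers: frozenset = frozenset()  # tenants with administrative access


def can_create_app(user, target_tenant):
    """May `user` create an OAuth application object in `target_tenant`?"""
    if ADMINISTRATOR in user.permissions:
        return True  # any tenant across the system
    if not {MGMT_API, OAUTH} <= user.permissions:
        return False  # both permissions are required together
    if target_tenant == user.tenant:
        return True  # own tenant, whether system or child
    # Only system-tenant users extend to other tenants they administer.
    return user.tenant == SYSTEM and target_tenant in user.administers


def can_use_app(user, app_tenant):
    """May `user` create a data source with an app owned by `app_tenant`?"""
    if app_tenant == SYSTEM:
        return True  # system-tenant apps serve system and child tenants
    return user.tenant == app_tenant  # child-tenant apps stay in that tenant


def creatable_tenants(user, tenants):
    """Audit helper: tenants in which `user` could create an application."""
    return sorted(t for t in tenants if can_create_app(user, t))


if __name__ == "__main__":
    tenants = [SYSTEM, "tenantA", "tenantB"]  # constructed sample tenants
    admin = User(SYSTEM, frozenset({ADMINISTRATOR}))
    print(creatable_tenants(admin, tenants))
    # A system-tenant administrator can view but not use a child-tenant app.
    print(can_use_app(admin, "tenantA"))
```
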

OAuth profile object

The profile object contains the OAuth refresh and access tokens that Hybrid Data Pipeline uses to access resources in the data store. The OAuth profile object is associated with an OAuth application object. The availability of a profile object follows from the availability of the application object in a given Hybrid Data Pipeline tenant as described above.

To create and manage OAuth profile objects, the Hybrid Data Pipeline user must have data source permissions such as CreateDataSource (1), ViewDataSource (2), ModifyDataSource (3), and DeleteDataSource (4).