About HCD Unified Authentication

HCD Unified Authentication facilitates connectivity to three primary backend authentication and authorization services: HCD Authenticator, HCD Role Manager, and HCD Authorizer.

HCD Authenticator

AdvancedAuthenticator supports validating user identity against any of the following authentication schemes:

When authenticating a connection request, HCD Authenticator attempts authentication in the order defined in the configuration, starting with the default_scheme and then additional_schemes.

If the connection specifies the authentication mechanism, HCD Authenticator might bypass the default_scheme if there is a known mismatch between the requested mechanism and the default_scheme. Otherwise, it tries all defined schemes in order.

It is possible to authenticate users without implementing access control using the HCD Authenticator; however, authentication is required for authorization and role management.

HCD Role Manager

HCD Role Manager assigns roles using one of the following modes:

  • Internal: One-to-one mapping using an internally stored password. Requires a role for each account. An HCD tool sets a salted hash password.

  • LDAP: One-to-many mapping. Assigns HCD roles that match the user’s LDAP groups. Passwords are stored in the LDAP server.

    For LDAP role management, HCD disables role nesting. You cannot use GRANT to assign a role to another role.

HCD Authorizer

HCD Authorizer analyzes the request against the role permissions on each affected resource before allowing the request to be executed.

Set and remove permissions on database resources with GRANT and REVOKE.

Next steps

Steps for new deployment

Enable HCD Unified Authentication on a new deployment.

Steps for production environments

Enable HCD Unified Authentication without downtime when implementing in a production or otherwise existing HCD environment.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM