The CData Sync App provides a straightforward way to continuously pipeline your Microsoft Excel data to any database, data lake, or data warehouse, making it easily available for Analytics, Reporting, AI, and Machine Learning.
The Microsoft Excel connector can be used from the CData Sync application to pull data from Microsoft Excel and move it to any of the supported destinations.
The CData Sync App supports the Office Open XML spreadsheets used by Microsoft Excel 2007 and later.
The CData Sync App is designed for streaming Microsoft Excel only.
This streamed file content does not include all of the metadata associated with remotely stored Microsoft Excel files, such as file and folder name.
If access to both the file metadata and the actual file content is needed, then the CData Sync App must be used in tandem with the associated file system driver(s) for the service the Microsoft Excel files are remotely stored in.
The following file system drivers are available:
See the relevant CData file system driver's documentation for a configuration guide for connecting to stored Microsoft Excel file metadata.
For required properties, see the Settings tab.
For connection properties that are not typically required, see the Advanced tab.
The CData Sync App allows connecting to local and remote Excel resources. Set the URI property to the Excel resource location, in addition to any other properties necessary to connect to your data source.
If you need INSERT/UPDATE/DELETE cloud files, you can download the corresponding CData Sync App for that cloud host (supported via stored procedures), make changes with the local file's corresponding Sync App, then upload the file using the cloud source's stored procedures.
As an example, if you wanted to update a file stored on SharePoint, you could use the CData SharePoint Sync App's DownloadDocument procedure to download the Microsoft Excel file, update the local Microsoft Excel file with the CData Microsoft Excel Sync App, then use the SharePoint Sync App's UploadDocument procedure to upload the changed file to SharePoint.
A unique prefix at the beginning of the URI connection property is used to identify the cloud data store being targed by the Sync App and the remainder of the path is a relative path to the desired folder (one table per file) or single file (a single table).
Set the following to identify your Microsoft Excel resources stored on Amazon S3:
See Connecting to Amazon S3 for more information regarding how to connect and authenticate to Excel files hosted on Amazon S3.
Set the following to identify your Microsoft Excel resources stored on Azure Blob Storage:
See Connecting to Azure Blob Storage for more information regarding how to connect and authenticate to Excel files hosted on Amazon Blob Storage.
Set the following to identify your Microsoft Excel resources stored on Azure Data Lake Storage:
See Connecting to Azure Data Lake Storage for more information regarding how to connect and authenticate to Excel files hosted on Azure Data Lake Storage.
Set the following properties to connect:
You can authenticate either an Azure access key or an Azure shared access signature. Set one of the following:
Set the following to identify your Microsoft Excel resources stored on Box:
See Connecting to Box for more information regarding how to connect and authenticate to Excel files hosted on Box.
Set the following to identify your Microsoft Excel resources stored on Dropbox:
See Connecting to Dropbox for more information regarding how to connect and authenticate to Excel files hosted on Dropbox.
The Sync App supports both plaintext and SSL/TLS connections to FTP servers.
Set the following connection properties to connect:
Set the following to identify your Microsoft Excel resources stored on Google Cloud Storage:
See Connecting to Google Cloud Storage for more information regarding how to connect and authenticate to Excel files hosted on Google Cloud Storage.
Set the following to identify your Microsoft Excel resources stored on Google Drive:
See Connecting to Google Drive for more information regarding how to connect and authenticate to Excel files hosted on Google Drive.
Set the following to identify your Microsoft Excel resources stored on HDFS:
There are two authentication methods available for connecting to HDFS data source, Anonymous Authentication and Negotiate (Kerberos) Authentication.
Anonymous Authentication
In some situations, you can connect to HDFS without any authentication connection properties. To do so, set the AuthScheme property to None (default).
Authenticate using Kerberos
When authentication credentials are required, you can use Kerberos for authentication. See Using Kerberos for details on how to authenticate with Kerberos.
Set the following to identify your Microsoft Excel resources stored on HTTP streams:
See Connecting to HTTP Streams for more information regarding how to connect and authenticate to Excel files hosted on HTTP Streams.
Set the following to identify your Microsoft Excel resources stored on IBM Cloud Object Storage:
See Connecting to IBM Object Storage for more information regarding how to connect and authenticate to Excel files hosted on IBM Cloud Object Storage.
Set the following to identify your Microsoft Excel resources stored on OneDrive:
See Connecting to OneDrive for more information regarding how to connect and authenticate to Excel files hosted on OneDrive.
Set the following to identify your Microsoft Excel resources stored on OneLake:
See Connecting to OneLake for more information regarding how to connect and authenticate to Excel files hosted on OneLake.
Set the following properties to authenticate with IAMSecretKey:
Set the following to identify your Microsoft Excel resources stored on SFTP:
See Connecting to SFTP for more information regarding how to connect and authenticate to Excel files hosted on SFTP.
Set the following to identify your Microsoft Excel resources stored on SharePoint Online:
Use the Sharepoint URL as the remote path. Not the display name.
If your files are stored in a non-root-level SharePoint Online site (for example, under /sites/<your site>/), be sure to set the StorageBaseURL property to the full path of the SharePoint site.
Using the full SharePoint site URL ensures the Sync App can properly locate files stored in non-root-level locations within your organization's SharePoint Online environment.
See Connecting to SharePoint Online for more information regarding how to connect and authenticate to Excel files hosted on SharePoint Online.
Set the following to identify your Microsoft Excel resources stored on SharePoint On Premise:
Use the Sharepoint URL as the remote path. Not the display name.
See Connecting to SharePoint On Premise for more information regarding how to connect and authenticate to Excel files hosted on SharePoint On Premise.
The URI, under the Connection section, must be set to a valid Excel File (including the file path). The Sync App supports the Office Open XML format used by Excel 2007 and later.
You can then execute SELECT, INSERT, UPDATE, and DELETE statements to spreadsheets and ranges in the workbook. See Excel Operations for details on querying spreadsheet data as tables.
To obtain the credentials for an IAM user:
To obtain the credentials for your AWS root account:
Specify the following to connect to data:
There are several authentication methods available for connecting to Microsoft Excel including:
To authenticate using account root credentials, set these parameters:
Note: Amazon discourages using root credentials for anything beyond simple testing. The account root credentials have the full permissions of the user, posing a security risk and making this the least secure authentication method.
If multi-factor authentication is required, specify the following:
Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).
Set AuthScheme to AwsEC2Roles.
If you are using the Sync App from an EC2 Instance and have an IAM Role assigned to the instance, you can use the IAM Role to authenticate. Since the Sync App automatically obtains your IAM Role credentials and authenticates with them, it is not necessary to specify AWSAccessKey and AWSSecretKey.
If you are also using an IAM role to authenticate, you must additionally specify the following:
The Microsoft Excel Sync App now supports IMDSv2. Unlike IMDSv1, the new version requires an authentication token. Endpoints and response are the same in both versions.
In IMDSv2, the Microsoft Excel Sync App first attempts to retrieve the IMDSv2 metadata token and then uses it to call AWS metadata endpoints. If it is unable to retrieve the token, the Sync App reverts to IMDSv1.
Set AuthScheme to AwsWebIdentity.
If you are either using Microsoft Excel from a container configured to assume role with web identity (such as a Pod in an EKS cluster with an OpenID Provider) or have authenticated with a web identity provider associated with an IAM role (and have thus obtained an identity token), you can exchange the web identity token and IAM role information for temporary security credentials to authenticate and access AWS services.
If the container has AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE specified in the environment variables, Microsoft Excel automatically obtains the credentials.
You can also authenticate by specifying both AWSRoleARN and AWSWebIdentityToken to execute the AssumeRoleWithWebIdentity API operation.
To authenticate as an AWS role, set these properties:
If multi-factor authentication is required, specify the following:
Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).
Note: In some circumstances it might be preferable to use an IAM role for authentication, rather than the direct security credentials of an AWS root user. If you are specifying the AWSAccessKey and AWSSecretKey of an AWS root user, you cannot use roles.
To connect to ADFS, set these properties:
To authenticate to ADFS, set these SSOProperties:
Example connection string:
AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';SSOProperties='RelyingParty=https://saml.salesforce.com';
The ADFS Integrated flow indicates you are connecting with the user credentials of the currently logged in Windows user. To use the ADFS Integrated flow, do not specify the User and Password, but otherwise follow the same steps noted above under ADFS.
To connect to Okta, set these properties:
If you are either using a trusted application or proxy that overrides the Okta client request OR configuring MFA, you must use combinations of SSOProperties to authenticate using Okta. Set any of the following, as applicable:
Example connection string:
AuthScheme=Okta;SSOLoginURL='https://example.okta.com/home/appType/0bg4ivz6cJRZgCz5d6/46';User=oktaUserName;Password=oktaPassword;
To enable mutual SSL authentication for SSOLoginURL, the WS-Trust STS endpoint, configure these SSOProperties:
Example connection string:
authScheme=pingfederate;SSOLoginURL=https://mycustomserver.com:9033/idp/sts.wst;SSOExchangeURL=https://us-east-1.signin.aws.amazon.com/platform/saml/acs/764ef411-xxxxxx;user=admin;password=PassValue;AWSPrincipalARN=arn:aws:iam::215338515180:saml-provider/pingFederate;AWSRoleArn=arn:aws:iam::215338515180:role/SSOTest2;
To authenticate using temporary credentials, specify the following:
The Sync App can now request resources using the same permissions provided by long-term credentials (such as IAM user credentials) for the lifespan of the temporary credentials.
To authenticate using both temporary credentials and an IAM role, set all the parameters described above, and specify these additional parameters:
If multi-factor authentication is required, specify the following:
Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).
You can use any credentials file to authenticate, including any configurations related to AccessKey/SecretKey authentication, temporary credentials, role authentication, or MFA.
To do this, set these properties:
This configuration requires two separate Azure AD applications:
To connect to Azure AD, set the AuthScheme to AzureAD, and set these properties:
To authenticate to Azure AD, set these SSOProperties:
Example connection string:
AuthScheme=AzureAD;OAuthClientId=3ea1c786-d527-4399-8c3b-2e3696ae4b48;OauthClientSecret=xxx;CallbackUrl=https://localhost:33333;SSOProperties='Resource=https://signin.aws.amazon.com/saml;AzureTenant=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
To obtain the credentials for an AzureBlob user, follow the steps below:
Set AzureStorageAccount to your Azure Blob Storage account name.
You can authenticate to Azure Blob Storage via Access Key, Shared Access Signatures (SAS), AzureAD user, Azure MSI, or Azure Service Principal.
Set the following to authenticate with an Azure Access Key:
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
Set AzureStorageAccount to your Azure Data Lake Storage account name.
You can authenticate to Azure Data Lake Storage via Access Key, Shared Access Signature (SAS), AzureAD user, Azure MSI, or Azure Service Principal.
Set the following to authenticate with an Azure Access Key:
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
Use the OAuth authentication standard to connect to Box. You can authenticate with a user account or with a service account. A service account is required to grant organization-wide access scopes to the Sync App. The Sync App facilitates these authentication flows as described below.
AuthScheme must be set to OAuth in all user account flows.
Set the AuthScheme to OAuthJWT to authenticate with this method.
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the Sync App.
You need to create an OAuth application in this flow. See Create a Custom OAuth App to create and authorize an app. You can then connect to Box data that the service account has permission to access.
After setting the following connection properties, you are ready to connect:
You may choose to use your own OAuth Application Credentials when you want to:
At the Box Enterprise Developer Console:
Note: Box does not back up private keys for security reasons. Be careful to back up the Public/Private JSON file. If you lose your private key, you must reset the entire keypair.
openssl genrsa -des3 -out private.pem 2048 openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Note: To run OpenSSL in a Windows environment, install the Cygwin package.
After your application is created and registered, click Configuration from the main menu to access your settings. Note the displayed Redirect URI, Client ID, and Client Secret. You will need these values later.
If you change the JWT access scopes, you must reauthorize the application in the enterprise admin console:
Dropbox uses the OAuth authentication standard.
You need to choose between using CData's embedded OAuth app or Create a Custom OAuth App.
The embedded app includes the following scopes:
You may choose to use your own OAuth Application Credentials when you want to
No further values need to be specified in the Microsoft Excel app settings.
Set the ProjectId property to the Id of the project you want to connect to.
The Sync App supports using user accounts and GCP instance accounts for authentication.
The following sections discuss the available authentication schemes for Google Cloud Storage:
AuthScheme must be set to OAuth in all user account flows.
Get an OAuth Access Token
Set the following connection properties to obtain the OAuthAccessToken:
Then call stored procedures to complete the OAuth exchange:
Once you have obtained the access and refresh tokens, you can connect to data and refresh the OAuth access token either automatically or manually.
Automatic Refresh of the OAuth Access Token
To have the driver automatically refresh the OAuth access token, set the following on the first data connection:
Manual Refresh of the OAuth Access Token
The only value needed to manually refresh the OAuth access token when connecting to data is the OAuth refresh token.
Use the RefreshOAuthAccessToken stored procedure to manually refresh the OAuthAccessToken after the ExpiresIn parameter value returned by GetOAuthAccessToken has elapsed, then set the following connection properties:
Then call RefreshOAuthAccessToken with OAuthRefreshToken set to the OAuth refresh token returned by GetOAuthAccessToken. After the new tokens have been retrieved, open a new connection by setting the OAuthAccessToken property to the value returned by RefreshOAuthAccessToken.
Finally, store the OAuth refresh token so that you can use it to manually refresh the OAuth access token after it has expired.
Option 1: Obtain and Exchange a Verifier Code
To obtain a verifier code, you must authenticate at the OAuth authorization URL.
Follow the steps below to authenticate from the machine with an internet browser and obtain the OAuthVerifier connection property.
On the headless machine, set the following connection properties to obtain the OAuth authentication values:
After the OAuth settings file is generated, you need to re-set the following properties to connect:
Option 2: Transfer OAuth Settings
Prior to connecting on a headless machine, you need to create and install a connection with the driver on a device that supports an internet browser. Set the connection properties as described in "Desktop Applications" above.
After completing the instructions in "Desktop Applications", the resulting authentication values are encrypted and written to the location specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.
Once you have successfully tested the connection, copy the OAuth settings file to your headless machine.
On the headless machine, set the following connection properties to connect to data:
When running on a GCP virtual machine, the Sync App can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.
(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to Microsoft Excel".)
However, you must create a custom OAuth application to connect to Microsoft Excel via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.
Custom OAuth applications are useful if you want to:
The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).
For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)
Do the following:
Note: The client secret remains accessible from from the Google Cloud Console.
To create a new service account:
In the service account flow, the Sync App exchanges a JSON Web Token (JWT) for the OAuthAccessToken. The private key downloaded in the steps above is used to sign the JWT. The Sync App inherits the permissions granted to the service account, including any scopes configured through domain-wide delegation.
The Sync App supports using user accounts and GCP instance accounts for authentication.
The following sections discuss the available authentication schemes for Google Drive:
AuthScheme must be set to OAuth in all user account flows.
When running on a GCP virtual machine, the Sync App can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.
(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to Microsoft Excel".)
However, you must create a custom OAuth application to connect to Microsoft Excel via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.
Custom OAuth applications are useful if you want to:
The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).
For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)
Do the following:
Note: The client secret remains accessible from from the Google Cloud Console.
To create a new service account:
In the service account flow, the Sync App exchanges a JSON Web Token (JWT) for the OAuthAccessToken. The private key downloaded in the steps above is used to sign the JWT. The Sync App inherits the permissions granted to the service account, including any scopes configured through domain-wide delegation.
The Sync App generically supports connecting to Microsoft Excel data stored on HTTP(S) streams.
Several authentication methods, such as user/password, digest access, OAuth, OAuthJWT, and OAuth PASSWORD flow are supported.
You can also connect to streams that have no authentication set up.
Connect to an HTTP(S) stream with no authentication by setting the AuthScheme connection property to None.
Set the following to connect:
Set the following to connect:
OAuth requires the authenticating user to interact with Microsoft Excel using the browser. The Sync App facilitates this in various ways as described in the following sections.
Before following the procedures below, you need to register an OAuth app with the service containing the Microsoft Excel data you want to work with.
Creating a custom application in most services requires registering as a developer and creating an app in the UI of the service.
This is not necessarily true for all services. In some you must contact the service provider to create the app for you. However it is done, you must obtain the values for OAuthClientId, OAuthClientSecret, and CallbackURL.
Set AuthScheme to OAuthJWT.
The Sync App supports using JWT as an authorization grant in situations where a user cannot perform an interactive sign-on. After setting the following connection properties, you are ready to connect:
Note that the JWT signature algorithm cannot be set directly. The Sync App only supports the RS256 algorithm.
The Sync App will then construct a JWT including the following fields, and submit it to OAuthAccessTokenURL for an access token.
AuthScheme: Set this to OAuthPassword.
OAuth requires the authenticating user to interact with Microsoft Excel using the browser. The Sync App facilitates this in various ways as described in the following sections.
Before following the procedures below, you need to register an OAuth app with the service containing the Microsoft Excel data you want to work with.
Creating a custom application in most services requires registering as a developer and creating an app in the UI of the service.
This is not necessarily true for all services. In some you must contact the service provider to create the app for you. However it is done, you must obtain the values for OAuthClientId, OAuthClientSecret, and CallbackURL.
After setting the following connection properties, you are ready to connect:
If you do not already have Cloud Object Storage in your IBM Cloud account, you can follow the procedure below to install an instance of SQL Query in your account:
To connect with IBM Cloud Object Storage, you will need an ApiKey. You can obtain this as follows:
Set Region to to your IBM instance region.
You can authenticate to IBM Cloud Object Storage using either IAMSecretKey, or OAuth authentication.
Set the following properties to authenticate:
For example:ConnectionType=IBM Object Storage Source;URI=ibmobjectstorage://bucket1/folder1; AccessKey=token1; SecretKey=secret1; Region=eu-gb;
Set the following to authenticate using OAuth authentication.
ConnectionType=IBM Object Storage Source;URI=ibmobjectstorage://bucket1/folder1; ApiKey=key1; Region=eu-gb; AuthScheme=OAuth; InitiateOAuth=GETANDREFRESH;
When you connect, the Sync App completes the OAuth process.
You can connect to OneDrive using an AzureAD user, with MSI authentication, or using an Azure Service Principal.
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
You can authenticate to OneLake via AzureAD user, Azure MSI, or Azure Service Principal.
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
Follow the steps below to add a service principal to a workspace.
You can authenticate to SFTP using a user and password or an SSH certificate. Additionally, you can connect to an SFTP server that has no authentication enabled.
Set SSHAuthMode to None to connect without authentication, assuming your server supports doing so.
Provide user credentials associated with your SFTP server:
Set the following to connect.
| Service provider | Okta | OneLogin | ADFS | AzureAD |
| Amazon S3 | Y | Y | Y | |
| Azure Blob Storage | ||||
| Azure Data Lake Store Gen1 | ||||
| Azure Data Lake Store Gen2 | ||||
| Azure Data Lake Store Gen2 with SSL | ||||
| Google Drive | ||||
| OneDrive | ||||
| Box | ||||
| Dropbox | ||||
| SharePoint Online SOAP | Y | Y | Y | |
| SharePoint Online REST | ||||
| Wasabi | ||||
| Google Cloud Storage | ||||
| Oracle Cloud Storage | ||||
| Azure File |
Azure AD Configuration
The main theme behind this configuration is the OAuth 2.0 On-Behalf-Of flow. It requires two Azure AD applications:
Save the step "Assign the Azure AD test user" until after provisioning so that you can select the AWS roles when assigning the user.
CData Driver Common Properties
The following SSOProperties are needed to authenticate to Azure Active Directory and must be specified for every service provider.
We will retrieve the SSO SAML response from an OAuth 2.0 On-Behalf-Of flow so the following OAuth connection properties must be specified:
Amazon S3
In addition to the common properties, the following properties must be specified when connecting to Amazon S3 service provider:
AuthScheme=AzureAD;InitiateOAuth=GETANDREFRESH;OAuthClientId=d593a1d-ad89-4457-872d-8d7443aaa655;OauthClientSecret=g9-oy5D_rl9YEKfN-45~3Wm8FgVa2F;SSOProperties='Tenant=94be7-edb4-4fda-ab12-95bfc22b232f;Resource=https://signin.aws.amazon.com/saml;';AWSRoleARN=arn:aws:iam::2153385180:role/AWS_AzureAD;AWSPrincipalARN=arn:aws:iam::215515180:saml-provider/AzureAD;
OneLogin Configuration
You must create an application used for the single sign-on process to a specific provider.
Sharepoint SOAP
The following properties must be specified when connecting to Sharepoint SOAP service provider:
AuthScheme='OneLogin';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Okta Configuration
You must create an application used for the single sign-on process to a specific provider.
Sharepoint SOAP
The following properties must be specified when connecting to Sharepoint SOAP service provider:
AuthScheme='Okta';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Amazon S3
The following properties must be specified when connecting to an Amazon S3 service provider:
AuthScheme=Okta;User=OktaUser;Password=OktaPassword;SSOLoginURL='https://{subdomain}.okta.com/home/amazon_aws/0oan2hZLgQiy5d6/272';
ADFS Configuration
You must create an application used for the single sign-on process to a specific provider.
Sharepoint SOAP
The following properties must be specified when connecting to a Sharepoint SOAP service provider:
AuthScheme='ADFS';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Amazon S3
The following properties must be specified when connecting to a Sharepoint SOAP service provider:
AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';ADFS Integrated
The ADFS Integrated flow indicates you are connecting with the currently logged in Windows user credentials. To use the ADFS Integrated flow, simply do not specify the User and Password, but otherwise follow the same steps in the ADFS guide above.
Use the following properties to control the tables the Sync App discovers, return values, and other aspects of data access.
DefineTables="Table1=Sheet1!A1:N25,Table2=Sheet2!C3:M53"
Note that the Sync App automatically detects the named ranges in a sheet and reports them as tables. You can also specify a range in the FROM clause:
SELECT * FROM Excel_Sheet#A5:F*
To authenticate to Microsoft Excel with Kerberos, set AuthScheme to NEGOTIATE.
Authenticating to Microsoft Excel via Kerberos requires you to define authentication properties and to choose how Kerberos should retrieve authentication tickets.
The Sync App provides three ways to retrieve the required Kerberos ticket, depending on whether or not the KRB5CCNAME and/or KerberosKeytabFile variables exist in your environment.
MIT Kerberos Credential Cache File
This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. With this option there is no need to set the User or Password connection properties.
This option requires that KRB5CCNAME has been created in your system.
To enable ticket retrieval via MIT Kerberos Credential Cache Files:
If the ticket is successfully obtained, the ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.
The Sync App uses the cache file to obtain the Kerberos ticket to connect to Microsoft Excel.
Note: If you would prefer not to edit KRB5CCNAME, you can use the KerberosTicketCache property to set the file path manually. After this is set, the Sync App uses the specified cache file to obtain the Kerberos ticket to connect to Microsoft Excel.
Keytab File
If your environment lacks the KRB5CCNAME environment variable, you can retrieve a Kerberos ticket using a Keytab File.
To use this method, set the User property to the desired username, and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.
User and Password
If your environment lacks the KRB5CCNAME environment variable and the KerberosKeytabFile property has not been set, you can retrieve a ticket using a user and password combination.
To use this method, set the User and Password properties to the user/password combination that you use to authenticate with Microsoft Excel.
To enable this kind of cross-realm authentication, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also, set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.
The CData Sync App allows you to manipulate Excel files in a variety of ways. The Sync App supports reading data vertically and horizontally as well as from user-defined ranges and named ranges. Refer to Selecting Data and Modifying Data for examples of different ways of querying and modifying spreadsheet data.
Excel worksheets can be organized in different ways. The Sync App offers settings to select data based on various organizational methods.
SELECT RowId, Name, Item, Quantity, Amount FROM Sheet1 WHERE Amount > '50'The query above assumes that the first row of the spreadsheet has the column names RowId, Name, Quantity, and Amount. The spreadsheet may have more columns than were selected and they can be in any order.
SELECT A, B, C, D FROM Sheet1 WHERE D > '50'
If header columns are not set and the orientation is horizontal, the column names will be R1, R2, R3, ...
SELECT R1, R2, R3 FROM Sheet1 WHERE R2 > '50'
SELECT * FROM Excel_Sheet#A1:E5In case the sheet name contains a quote, if you want to select only a range, the correct Excel syntax involves using an extra quote as an escape character and enclosing the full sheet name with quotes. For example the following command will select the range of cells between A1 and E5 for the sheet named Excel'Sheet:
SELECT * FROM ['Excel''Sheet'#A1:E5]You can also use wildcards (*) in the ending cell for the range. Ranges similar to '#A5:F*', '#A5:*20', and '#A5:**' are supported. For example the following command will select the range of cells between A5 and column F, up to the last row in the spreadsheet:
SELECT * FROM Excel_Sheet#A5:F*
SELECT * FROM SALES
The CData Sync App supports INSERT, UPDATE, and DELETE; more details are below.
Updates and deletes require you to uniquely identify a single row by specifying the RowId column.
See Using Formulas to insert formulas.
You can insert new rows anywhere in the sheet, including inserting to named ranges.
It is also possible to insert a row at the end of a range of cells. To do so, simply use the range in the table name while inserting a row.
INSERT INTO Sheet1#C1:D5 (A, B) VALUES ('Brian', '30')
The code above will add Brian and 30 to the end of the range; i.e., the cells C6 and D6.
INSERT INTO Sheet1 (RowId, A, B) VALUES (5, 'Brian', '30')The code above will insert the values Brian and 30 to the cells A5 and B5. The existing data in row 5 and below will be moved down one row.
INSERT INTO SALES (Year, Category, Total) VALUES (1997, 'Beverage', 30000)
Excel formulas are recalculated when the spreadsheet is opened. The Sync App includes a formula engine that can natively calculate most of the commonly used Excel formulas. The Sync App stores the state of a previous calculation in the spreadsheet and uses it to make efficient choices of when recalculation is necessary.
Calculating formula cells can add to the processing time. If a spreadsheet has not been modified since the last recalculation, you may choose to omit the calculation and simply read the previously calculated value in the formula cell. To skip recalculation, set Recalculate to False. You may also want to omit formula calculation when you are opening a spreadsheet just to insert or update cells and not reading anything from it.
INSERT INTO Excel_Sheet (A, B) VALUES ('Bill', '=SUM(B1:B5)')
This section details a selection of advanced features of the Microsoft Excel Sync App.
The Sync App supports the use of user defined views, virtual tables whose contents are decided by a pre-configured user defined query. These views are useful when you cannot directly control queries being issued to the drivers. For an overview of creating and configuring custom views, see User Defined Views .
Use SSL Configuration to adjust how Sync App handles TLS/SSL certificate negotiations. You can choose from various certificate formats;. For further information, see the SSLServerCert property under "Connection String Options" .
Configure the Sync App for compliance with Firewall and Proxy, including Windows proxies and HTTP proxies. You can also set up tunnel connections.
For further information, see Query Processing.
By default, the Sync App attempts to negotiate TLS with the server. The server certificate is validated against the default system trusted certificate store. You can override how the certificate gets validated using the SSLServerCert connection property.
To specify another certificate, see the SSLServerCert connection property.
The Microsoft Excel Sync App also supports setting client certificates. Set the following to connect using a client certificate.
To authenticate to an HTTP proxy, set the following:
Set the following properties:
The CData Sync App models Excel workbooks as relational databases. Spreadsheets and ranges comprise the tables.
Excel Operations shows various ways to work with spreadsheet data.
You can fine-tune the data model to match your workbook's organization. The Sync App supports reading data that is oriented vertically or horizontally, as well as sparse spreadsheets organized in user-defined ranges and named ranges.
See Fine-Tuning Data Access to configure the connection string to control the tables the Sync App discovers, return values, and other aspects of data access.
Stored procedures are function-like interfaces that extend the functionality of the Sync App beyond simple SELECT/INSERT/UPDATE/DELETE operations with Microsoft Excel.
Stored procedures accept a list of parameters, perform their intended function, and then return any relevant response data from Microsoft Excel, along with an indication of whether the procedure succeeded or failed.
| Name | Description |
| CreateWorksheet | Creates a new worksheet within a specified Excel workbook. If the target workbook does not already exist, this procedure will create the workbook first and then add the new worksheet. |
| DeleteFile | Delete a file from a local or cloud storage. |
| FreezePanes | Locks specific rows and/or columns in an Excel worksheet so they remain visible while a user scrolls through the rest of the data. This feature enhances readability and is used for header rows or important reference columns in large datasets. |
Generates a schema file that defines the structure of data within an Excel resource, including table layouts, column types, and metadata. This is typically used to initialize or validate workbook content against a defined schema.
Creates a local schema file (.rsd) from an existing table or view in the data model.
The schema file is created in the directory set in the Location connection property when this procedure is executed. You can edit the file to include or exclude columns, rename columns, or adjust column datatypes.
The Sync App checks the Location to determine if the names of any .rsd files match a table or view in the data model. If there is a duplicate, the schema file will take precedence over the default instance of this table in the data model. If a schema file is present in Location that does not match an existing table or view, a new table or view entry is added to the data model of the Sync App.
| Name | Type | Description |
| TableName | String | Specifies the logical name of the Excel dataset to be exposed as a table, which also determines the name of the resulting schema file (.rsd). This name acts as both an identifier for the resource and the basis for schema generation. |
| URI | String | Provides the Uniform Resource Identifier (URI) pointing to the Excel data source. This input is deprecated, as the URI is now derived automatically from the TableName parameter. It remains for backward compatibility. |
| FileName | String | Defines the target name for the schema file to be generated, including the .rsd extension. The exact location is controlled by the Location connection property, which should point to the desired output directory. |
| Name | Type | Description |
| Result | String | Indicates the result of the schema creation process. It returns either Success if the operation completed without errors, or Failure if an issue was encountered during execution. |
| FileData | String | Contains the raw schema file data in binary form when the FileName input is not specified. This allows clients to handle the file contents directly in memory without writing to disk. |
Creates a new worksheet within a specified Excel workbook. If the target workbook does not already exist, this procedure will create the workbook first and then add the new worksheet.
| Name | Type | Description |
| File | String | The full file path to the target Excel workbook where the new worksheet will be created. If the file does not exist, it will be generated during the operation. |
| Sheet | String | The desired name for the new worksheet to be added within the Excel workbook. The name must be unique within the workbook to avoid naming conflicts.
The default value is sheet1. |
| Columnnames | String | Comma-separated list of column headers to include in the new worksheet. Each name in the list must not contain any white space characters. Format: Column1, Column2, Column3. |
| Name | Type | Description |
| File | String | Returns the name of the Excel workbook that was modified or created during the procedure execution. This helps confirm the destination file that was affected. |
| Sheet | String | Returns the final name of the worksheet that was created within the workbook. This can differ from the original input if a naming conflict required the system to rename the worksheet. |
Delete a file from a local or cloud storage.
| Name | Type | Description |
| Path | String | The full path of the file to delete. Relative to the path provided in the URI connection property. |
| Name | Type | Description |
| Success | Bool | Boolean indicating if the procedure was executed successfully. If false, the output parameter 'Details' will contain the failure details. |
| Details | String | Details of execution failure. NULL if success=true. |
Download a file.
| Name | Type | Description |
| Path | String | The full path of the file to download. Relative to the path provided in the URI connection property. |
| LocalPath | String | The absolute path where the file will be saved. |
| Name | Type | Description |
| Success | Bool | Boolean indicating if the procedure was executed successfully. If false, the output parameter 'Details' will contain the failure details. |
| Details | String | Details of execution failure. NULL if success=true. |
| FileData | String | The file data encoded as BASE64. Returns a value only if LocalPath and OutputStream inputs are empty. |
Locks specific rows and/or columns in an Excel worksheet so they remain visible while a user scrolls through the rest of the data. This feature enhances readability and is used for header rows or important reference columns in large datasets.
| Name | Type | Description |
| File | String | The full path to the Excel workbook file where the freeze operation will be performed. This should include the file name and extension, such as C:\Reports\SalesData.xlsx. |
| Sheet | String | The name of the worksheet within the specified Excel file where the freeze panes operation will take place. The name must match an existing worksheet in the workbook.
The default value is sheet1. |
| Freezeposition | String | Specifies the top-left cell that defines the freeze panes region. All rows above and columns to the left of this cell will remain visible when scrolling. To remove any existing freeze, set this value to 'UnFreeze'. |
| Name | Type | Description |
| Result | String | Returns the status of the operation, indicating whether the freeze panes action was successfully applied or if it failed during execution. |
Fetches the OAuth Access Token, which is used to authenticate and authorize API calls made to Excel.
| Name | Type | Description |
| Other_Options | String | Other options to control behavior of OAuth. |
| Cert | String | Path for a personal certificate .pfx file. Only available for OAuth 1.0. |
| Cert_Password | String | Personal certificate password. Only available for OAuth 1.0. |
| AuthToken | String | The request token returned by GetOAuthAuthorizationUrl. Available only for OAuth 1.0. |
| AuthKey | String | The request secret key returned by GetOAuthAuthorizationUrl. Available only for OAuth 1.0. |
| AuthSecret | String | This field is deprecated. Please use AuthKey going forward. |
| Sign_Method | String | The signature method used to calculate the signature for OAuth 1.0.
The allowed values are HMAC-SHA1, PLAINTEXT. The default value is HMAC-SHA1. |
| GrantType | String | Authorization grant type. Only available for OAuth 2.0.
The allowed values are CODE, PASSWORD, CLIENT, REFRESH. |
| Post_Data | String | The post data to submit, if any. |
| AuthMode | String | The type of authentication mode to use.
The allowed values are APP, WEB. The default value is WEB. |
| Verifier | String | The verifier code returned by the data source after permission for the app to connect has been granted. WEB AuthMode only. |
| Scope | String | The scope of access to the APIs. By default, access to all APIs used by this data provider will be specified. |
| CallbackURL | String | This field determines where the response is sent. |
| Prompt | String | This field indicates the prompt to present the user. It accepts one of the following values: NONE, CONSENT, SELECT ACCOUNT. The default is SELECT_ACCOUNT, so a given user will be prompted to select the account to connect to. If it is set to CONSENT, the user will see a consent page every time, even if they have previously given consent to the application for a given set of scopes. Lastly, if it is set to NONE, no authentication or consent screens will be displayed to the user.
The default value is SELECT_ACCOUNT. |
| AccessType | String | This field indicates if your application needs to access a Google API when the user is not present at the browser. This parameter defaults to ONLINE. If your application needs to refresh access tokens when the user is not present at the browser, then use OFFLINE. This will result in your application obtaining a refresh token the first time your application exchanges an authorization code for a user. |
| State | String | This field indicates any state that may be useful to your application upon receipt of the response. Your application receives the same value it sent, as this parameter makes a round-trip to Google authorization server and back. Uses include redirecting the user to the correct resource in your site, using nonces, and mitigating cross-site request forgery. |
| Name | Type | Description |
| OAuthAccessToken | String | The authentication token returned from Google. This can be used in subsequent calls to other operations for this particular service. |
| OAuthAccessTokenSecret | String | The OAuth access token secret. |
| OAuthRefreshToken | String | A token that may be used to obtain a new access token. |
| ExpiresIn | String | The remaining lifetime on the access token. |
| * | String | Other outputs that may be returned by the data source. |
Retrieves the OAuth Authorization URL, allowing the client to direct the user's browser to the authorization server and initiate the OAuth process.
| Name | Type | Description |
| Cert | String | Path for a personal certificate .pfx file. Only available for OAuth 1.0. |
| Cert_Password | String | Personal certificate password. Only available for OAuth 1.0. |
| Sign_Method | String | The signature method used to calculate the signature for OAuth 1.0.
The allowed values are HMAC-SHA1, PLAINTEXT. The default value is HMAC-SHA1. |
| Scope | String | The scope of access to the APIs. By default, access to all APIs used by this data provider will be specified. |
| CallbackURL | String | The URL the user will be redirected to after authorizing your application. |
| Prompt | String | This field indicates the prompt to present the user. It accepts one of the following values: NONE, CONSENT, SELECT ACCOUNT. The default is SELECT_ACCOUNT, so a given user will be prompted to select the account to connect to. If it is set to CONSENT, the user will see a consent page every time, even if they have previously given consent to the application for a given set of scopes. Lastly, if it is set to NONE, no authentication or consent screens will be displayed to the user.
The default value is SELECT_ACCOUNT. |
| AccessType | String | This field indicates if your application needs to access a Google API when the user is not present at the browser. This parameter defaults to ONLINE. If your application needs to refresh access tokens when the user is not present at the browser, then use OFFLINE. This will result in your application obtaining a refresh token the first time your application exchanges an authorization code for a user. |
| State | String | This field indicates any state that may be useful to your application upon receipt of the response. Your application receives the same value it sent, as this parameter makes a round-trip to the Google authorization server and back. Possible uses include redirecting the user to the correct resource in your site, using nonces, and mitigating cross-site request forgery. |
| Other_Options | String | Other options to control the behavior of OAuth. |
| Name | Type | Description |
| AuthToken | String | The authorization token, passed into the GetOAuthAccessToken stored procedure. |
| AuthKey | String | The authorization key, passed into the GetOAuthAccessToken stored procedure. |
| AuthSecret | String | This field is deprecated. Use AuthKey going forward. |
| URL | String | The URL to complete user authentication. |
Refreshes an expired OAuth Access Token to maintain continuous authenticated access to Excel resources without requiring reauthorization from the user.
| Name | Type | Description |
| OAuthRefreshToken | String | The refresh token returned from the original authorization code exchange. |
| Name | Type | Description |
| OAuthAccessToken | String | The authentication token returned from the data source. This can be used in subsequent calls to other operations for this particular service. |
| OAuthRefreshToken | String | The authentication token returned from the data source. This can be used in subsequent calls to other operations for this particular service. |
| ExpiresIn | String | The remaining lifetime on the access token. |
Upload file to destination.
| Name | Type | Description |
| DestinationPath | String | The full path where the file should be uploaded to. Relative to the path provided in the URI connection property. |
| LocalPath | String | The path of the local file to upload. |
| InputData | String | Base64 string representation of the file content. Only used if LocalPath and InputStream are not set. |
| Name | Type | Description |
| Success | Bool | Boolean indicating if the procedure was executed successfully. If false, the output parameter 'Details' will contain the failure details. |
| Details | String | Details of execution failure. NULL if success=true. |
The connection string properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure in the connection string for this provider. Click the links for further details.
For more information on establishing a connection, see Establishing a Connection.
| Property | Description |
| AuthScheme | The type of authentication to use when connecting to remote services. |
| AccessKey | The access key used to authenticate to Microsoft Excel. This value is accessible from your security credentials page. |
| SecretKey | Your account secret key. This value is accessible from your security credentials page. |
| User | The user account used to authenticate. |
| Password | The password used to authenticate the user. |
| SharePointEdition | The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise. |
| Property | Description |
| ConnectionType | Specifies the file storage service, server, or file access protocol through which your Microsoft Excel files are stored and retreived. |
| URI | A Uniform Resource Identifier (URI) to a resource location containing Excel workbook file(s). |
| DefineTables | A list of cell ranges within spreadsheets to model as tables. |
| Header | Specifies whether the first row (or column, when Orientation=Horizontal) is used as a source of column names. |
| Orientation | Indicates whether the data in Excel is laid out horizontally or vertically. |
| ExcelFile | The location of an Excel file. |
| BufferChanges | Specifies whether to wait until the connection is closed to apply changes made to workbook data. |
| Region | The hosting region for your S3-like Web Services. |
| OracleNamespace | The Oracle Cloud Object Storage namespace to use. |
| StorageBaseURL | Specifies the URL of a cloud storage service provider. |
| UseVirtualHosting | If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified. |
| TestConnectionBehavior | Specifies the behavior of the test connection operation. |
| UseLakeFormation | When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion. |
| Property | Description |
| AWSAccessKey | Specifies your AWS account access key. This value is accessible from your AWS security credentials page. |
| AWSSecretKey | Your AWS account secret key. This value is accessible from your AWS security credentials page. |
| AWSRoleARN | The Amazon Resource Name of the role to use when authenticating. |
| AWSPrincipalARN | The ARN of the SAML Identity provider in your AWS account. |
| AWSRegion | The hosting region for your Amazon Web Services. |
| AWSSessionToken | Your AWS session token. |
| AWSExternalId | A unique identifier that might be required when you assume a role in another account. |
| MFASerialNumber | The serial number of the MFA device if one is being used. |
| MFAToken | The temporary token available from your MFA device. |
| TemporaryTokenDuration | The amount of time (in seconds) a temporary token will last. |
| AWSWebIdentityToken | The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. |
| Property | Description |
| AzureStorageAccount | The name of your Azure storage account. |
| AzureAccessKey | The storage key associated with your Azure account. |
| AzureSharedAccessSignature | A shared access key signature that may be used for authentication. |
| AzureTenant | Identifies the Microsoft Excel tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com ) or its directory (tenant) ID. |
| AzureEnvironment | Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added. |
| Property | Description |
| SSOLoginURL | The identity provider's login URL. |
| SSOProperties | Additional properties required to connect to the identity provider, formatted as a semicolon-separated list. |
| SSOExchangeURL | The URL used for consuming the SAML response and exchanging it for service specific credentials. |
| Property | Description |
| AllowFormula | Specifies whether to treat values starting with an equals (=) sign as formulas during inserts and updates. |
| EmptyValueMode | Specifies whether to read cells containing empty strings as empty or as null. |
| NullValues | Identifies a comma-separated list of values to read as null. |
| IgnoreCalcError | Specifies whether to include spreadsheet calculation error types in query results. |
| NullValueMode | Indicates whether empty cells are read as null or as empty. |
| HasCrossSheetReferences | Specifies how cross-sheet references are handled. |
| Recalculate | Specifies whether to recalculate formula values when cells involved in formula calculation are updated. |
| ShowEmptyRows | Determines whether empty rows are included in query results. |
| TypeDetectionScheme | Determines how the provider detects the data types of columns. |
| EnableOleDbCompatibility | Specifies whether to emulate how the Microsoft OLE DB Driver reports newline characters. |
| UseFastInsert | Indicates whether to use the efficient insert mode, which forces inserts to append new lines to the bottom of the spreadsheet. |
| AggregateFiles | Enables the ability to aggregate the content of identically-named sheets across multiple workbook files. |
| SkipTop | Specifies the number of rows (or columns, when Orientation=Horizontal) immediately after the header to omit from query results. |
| IncludeCustomNames | Indicates whether or not the defined names should be pushed. |
| IncludeSubdirectories | Indicates whether to include workbook files in subdirectories when list. |
| MetadataDiscoveryURI | Identifies the workbook that is used as the source of metadata when aggregating sheets with the AggregateFiles connection property. |
| PathSeparator | The character used to represent path separators when calculating the names of tables based on spreadsheets in nested folders. |
| Property | Description |
| OAuthVersion | Identifies the version of OAuth being used. |
| OAuthClientId | Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication. |
| OAuthClientSecret | Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server. (Custom OAuth applications only.). |
| Scope | Specifies the scope of the authenticating user's access to the application, to ensure they get appropriate access to data. If a custom OAuth application is needed, this is generally specified at the time the application is created. |
| OAuthPasswordGrantMode | Specifies how the OAuth Client ID and Client Secret are sent to the authorization server. |
| OAuthIncludeCallbackURL | Whether to include the callback URL in an access token request. |
| OAuthAuthorizationURL | The authorization URL for the OAuth service. |
| OAuthAccessTokenURL | The URL from which the OAuth access token is retrieved. |
| OAuthRefreshTokenURL | The URL to refresh the OAuth token from. |
| OAuthRequestTokenURL | The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0. |
| AuthToken | The authentication token used to request and obtain the OAuth Access Token. |
| AuthKey | The authentication secret used to request and obtain the OAuth Access Token. |
| OAuthParams | A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value. |
| Property | Description |
| OAuthJWTCert | Supplies the name of the client certificate's JWT Certificate store. |
| OAuthJWTCertType | Identifies the type of key store containing the JWT Certificate. |
| OAuthJWTCertPassword | Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank. |
| OAuthJWTCertSubject | Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate. |
| OAuthJWTIssuer | The issuer of the Java Web Token. |
| OAuthJWTSubject | The user subject for which the application is requesting delegated access. |
| Property | Description |
| KerberosKDC | Identifies the Kerberos Key Distribution Center (KDC) service used to authenticate the user. (SPNEGO or Windows authentication only). |
| KerberosRealm | Identifies the Kerberos Realm used to authenticate the user. |
| KerberosSPN | Identifies the service principal name (SPN) for the Kerberos Domain Controller. |
| KerberosUser | Confirms the principal name for the Kerberos Domain Controller, which uses the format host/user@realm. |
| KerberosKeytabFile | Identifies the Keytab file containing your pairs of Kerberos principals and encrypted keys. |
| KerberosServiceRealm | Identifies the service's Kerberos realm. (Cross-realm authentication only). |
| KerberosServiceKDC | Identifies the service's Kerberos Key Distribution Center (KDC). |
| KerberosTicketCache | Specifies the full file path to an MIT Kerberos credential cache file. |
| Property | Description |
| SSLClientCert | Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection. |
| SSLClientCertType | Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source. |
| SSLClientCertPassword | Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access. |
| SSLClientCertSubject | Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store. |
| SSLMode | The authentication mechanism to be used when connecting to the FTP or FTPS server. |
| SSLServerCert | Specifies the certificate to be accepted from the server when connecting using TLS/SSL. |
| Property | Description |
| SSHAuthMode | The authentication method used when establishing an SSH Tunnel to the service. |
| SSHClientCert | A certificate to be used for authenticating the SSHUser. |
| SSHClientCertPassword | The password of the SSHClientCert key if it has one. |
| SSHClientCertSubject | The subject of the SSH client certificate. |
| SSHClientCertType | The type of SSHClientCert private key. |
| SSHUser | The SSH user. |
| SSHPassword | The SSH password. |
| Property | Description |
| FirewallType | Specifies the protocol the provider uses to tunnel traffic through a proxy-based firewall. |
| FirewallServer | Identifies the IP address, DNS name, or host name of a proxy used to traverse a firewall and relay user queries to network resources. |
| FirewallPort | Specifies the TCP port to be used for a proxy-based firewall. |
| FirewallUser | Identifies the user ID of the account authenticating to a proxy-based firewall. |
| FirewallPassword | Specifies the password of the user account authenticating to a proxy-based firewall. |
| Property | Description |
| ProxyAutoDetect | Specifies whether the provider checks your system proxy settings for existing proxy server configurations, rather than using a manually specified proxy server. |
| ProxyServer | Identifies the hostname or IP address of the proxy server through which you want to route HTTP traffic. |
| ProxyPort | Identifies the TCP port on your specified proxy server that has been reserved for routing HTTP traffic to and from the client. |
| ProxyAuthScheme | Specifies the authentication method the provider uses when authenticating to the proxy server specified in the ProxyServer connection property. |
| ProxyUser | Provides the username of a user account registered with the proxy server specified in the ProxyServer connection property. |
| ProxyPassword | Specifies the password of the user specified in the ProxyUser connection property. |
| ProxySSLType | Specifies the SSL type to use when connecting to the proxy server specified in the ProxyServer connection property. |
| ProxyExceptions | Specifies a semicolon-separated list of destination hostnames or IPs that are exempt from connecting through the proxy server set in the ProxyServer connection property. |
| Property | Description |
| LogModules | Specifies the core modules to include in the log file. Use a semicolon-separated list of module names. By default, all modules are logged. |
| Property | Description |
| Location | Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path. |
| BrowsableSchemas | Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC . |
| Tables | Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC . |
| Views | Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC . |
| Property | Description |
| AWSCertificate | The absolute path to the certificate file or the certificate content in PEM format encoded in base64. |
| AWSCertificatePassword | The password for the certificate if applicable, otherwise leave blank. |
| AWSCertificateType | The type of AWSCertificate . |
| AWSPrivateKey | The absolute path to the private key file or the private key content in PEM format encoded in base64. |
| AWSPrivateKeyPassword | The password for the private key if it is encrypted, otherwise leave blank. |
| AWSPrivateKeyType | The type of AWSPrivateKey . |
| AWSProfileARN | Profile to pull policies from. |
| AWSSessionDuration | Duration, in seconds, for the resulting session. |
| AWSTrustAnchorARN | Trust anchor to use for authentication. |
| Charset | Specifies the session character set for encoding and decoding character data transferred to and from the Microsoft Excel file. The default value is UTF-8. |
| ClientCulture | This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'. |
| Culture | This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine. |
| CustomHeaders | Specifies additional HTTP headers to append to the request headers created from other properties, such as ContentType and From. Use this property to customize requests for specialized or nonstandard APIs. |
| CustomURLParams | A string of custom URL parameters to be included with the HTTP request, in the form field1=value1&field2=value2&field3=value3. |
| DirectoryRetrievalDepth | Specifies how many levels of subfolders are scanned when IncludeSubdirectories is enabled. |
| ExcludeFiles | A comma-separated list of filters to exclude from the set of files. |
| FolderId | The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations. |
| GenerateSchemaFiles | Indicates the user preference as to when schemas should be generated and saved. |
| IncludeDropboxTeamResources | Indicates if you want to include Dropbox team files and folders. |
| IncludeFiles | A comma-separated list of filters to include from the set of files. |
| IncludeItemsFromAllDrives | Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned. |
| MaxRows | Specifies the maximum number of rows returned for queries that do not include either aggregation or GROUP BY. |
| Other | Specifies advanced connection properties for specialized scenarios. Use this property only under the guidance of our Support team to address specific issues. |
| PseudoColumns | Specifies the pseudocolumns to expose as table columns, expressed as a string in the format 'TableName=ColumnName;TableName=ColumnName'. |
| RowScanDepth | The maximum number of rows to scan to look for the columns available in a table. |
| StringDecode | Specifies whether hexadecimal characters are decoded in query results. |
| Timeout | Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. |
| UserDefinedViews | Specifies a filepath to a JSON configuration file that defines custom views. The provider automatically detects and uses the views specified in this file. |
| UseSimpleNames | Specifies whether or not simple names should be used for schemas, tables and columns. |
This section provides a complete list of the Authentication properties you can configure in the connection string for this provider.
| Property | Description |
| AuthScheme | The type of authentication to use when connecting to remote services. |
| AccessKey | The access key used to authenticate to Microsoft Excel. This value is accessible from your security credentials page. |
| SecretKey | Your account secret key. This value is accessible from your security credentials page. |
| User | The user account used to authenticate. |
| Password | The password used to authenticate the user. |
| SharePointEdition | The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise. |
The type of authentication to use when connecting to remote services.
The following options are available when ConnectionType is set to Amazon S3:
The following options are available when ConnectionType is set to Azure Blob Storage, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure Data Lake Storage Gen2 SSL, or OneDrive:
The following options are available when ConnectionType is set to OneLake:
The following options are available when ConnectionType is set to Box:
Only the following option is available when ConnectionType is set to Dropbox:
OAuth: Uses OAuth2 with the authorization code grant type. OAuthVersion must be set to 2.0.
Only the following option is available when ConnectionType is set to FTP or FTPS:
Basic: Basic user credentials (user/password).
The following options are available when ConnectionType points Google Cloud Storage or Google Drive:
The following options are available when ConnectionType is set to HDFS or HDFS Secure:
The following options are available when ConnectionType is set to HTTP or HTTPS:
The following options are also available when ConnectionType is set to IBM Object Storage Source:
Only the following option is available when ConnectionType is set to Oracle Cloud Storage:
IAMSecretKey: Uses AccessKey and SecretKey to authenticate to the Oracle Cloud Storage.
When ConnectionType is set to SFTP, the Sync App sets AuthScheme to SFTP. When AuthScheme is set to SFTP, the precise authentication method is controlled using the SSHAuthMode property. See this property's documentation for further information.
The following options are also available when ConnectionType is set to SharePoint REST:
The following options are also available when ConnectionType is set to SharePoint SOAP:
The access key used to authenticate to Microsoft Excel. This value is accessible from your security credentials page.
User is used with AccessKey to authenticate the user against the Microsoft Excel server.
Your account secret key. This value is accessible from your security credentials page.
Your account secret key. This value is accessible from your security credentials page depending on the service you are using.
The user account used to authenticate.
The name of a user account associated with the Microsoft Excel database you want to connect to.
The User and Password connection properties, if they are applicable to the current ConnectionType and AuthScheme, are used together to authenticate to the service or platform containing your Microsoft Excel files.
This property will refer to different things based on the context, namely the value of ConnectionType and AuthScheme:
The password used to authenticate the user.
The password associated with the authenticating user account (specified in the User connection property).
The User and Password connection properties, if they are applicable to the current ConnectionType and AuthScheme, are used together to authenticate to the service or platform containing your Microsoft Excel files.
This property will refer to different things based on the context, namely the value of ConnectionType and AuthScheme:
This section provides a complete list of the Connection properties you can configure in the connection string for this provider.
| Property | Description |
| ConnectionType | Specifies the file storage service, server, or file access protocol through which your Microsoft Excel files are stored and retreived. |
| URI | A Uniform Resource Identifier (URI) to a resource location containing Excel workbook file(s). |
| DefineTables | A list of cell ranges within spreadsheets to model as tables. |
| Header | Specifies whether the first row (or column, when Orientation=Horizontal) is used as a source of column names. |
| Orientation | Indicates whether the data in Excel is laid out horizontally or vertically. |
| ExcelFile | The location of an Excel file. |
| BufferChanges | Specifies whether to wait until the connection is closed to apply changes made to workbook data. |
| Region | The hosting region for your S3-like Web Services. |
| OracleNamespace | The Oracle Cloud Object Storage namespace to use. |
| StorageBaseURL | Specifies the URL of a cloud storage service provider. |
| UseVirtualHosting | If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified. |
| TestConnectionBehavior | Specifies the behavior of the test connection operation. |
| UseLakeFormation | When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion. |
Specifies the file storage service, server, or file access protocol through which your Microsoft Excel files are stored and retreived.
Set the ConnectionType to one of the following:
A Uniform Resource Identifier (URI) to a resource location containing Excel workbook file(s).
This connection property, alongside IncludeSubdirectories, specifies the selected workbook(s): the pool of workbook(s) whose spreadsheets the Sync App models as tables. The AggregateFiles connection property only operates on the workbook(s) in this pool (others are ignored).
If this connection property is set to the path of an individual workbook file, only the sheets from that workbook are listed as tables.
If this connection property is set to a folder path, sheets from all spreadsheets in that immediate folder, as well as nested folders (if IncludeSubdirectories is set to True) are listed as tables. The DirectoryRetrievalDepth connection property operates relative to this folder.
Below are example connection strings to Excel files or streams.
| Service provider | URI formats | Connection example |
| Local | localPath
file://localPath/file.xlsx | URI=C:/folder1/file.xlsx |
| HTTP or HTTPS | http://remoteStream
https://remoteStream | URI=http://www.host1.com/streamname1; |
| Amazon S3 | s3://bucket1/folder1/file.xlsx | URI=s3://bucket1/folder1/file.xlsx; AWSAccessKey=token1; AWSSecretKey=secret1; AWSRegion=OHIO; |
| Google Drive | gdrive://remotePath/file.xlsx | URI=gdrive://folder1/file.xlsx; |
| Box | box://remotePath/file.xlsx | URI=box://folder1/file.xlsx; OAuthClientId=oauthclientid1; OAuthClientSecret=oauthcliensecret1; CallbackUrl=http://localhost:12345; |
| FTP or FTPS | ftp://server:port/remotePath/file.xlsx
ftps://server:port/remotepath/file.xlsx | URI=ftps://localhost:990/folder1/file.xlsx; User=user1; Password=password1; |
| SFTP | sftp://server:port/remotePath/file.xlsx | URI=sftp://127.0.0.1:22/remotePath/file.xlsx; User=user1; Password=password1; |
| Sharepoint | sp://https://server/remotePath/file.xlsx | URI=sp://https://domain.sharepoint.com/Documents/file.xlsx; User=user1; Password=password1; |
A list of cell ranges within spreadsheets to model as tables.
This connection property models cell ranges from an Excel workbook as tables. Specify the workbook from which you want to expose sheet ranges as tables with the URI connection property. You must set URI to a single workbook file's path, not a folder, for this connection property to function properly.
To specify which ranges from which sheets in the workbook are modeled as tables, set this connection property's value to a comma-separated list of name-value pairs in the form:
<User-Defined Table Name>=<Sheet Name>!<Starting Cell of Range>:<Ending Cell of Range>
For example, to create tables called "Table1" and "Table2" from the sheet "Sheet1" using ranges A1:N25 and C3:M53, supply the following value for this connection property:
Table1=Sheet1!A1:N25,Table2=Sheet2!C3:M53
Specifies whether the first row (or column, when Orientation=Horizontal) is used as a source of column names.
This connection property determines whether, among the sheets in the selected workbooks, the first row (or, if the Orientation connection property is set to Horizontal, the first column) is used as the source of column names for sheet table(s) in the Sync App.
When this connection property is set to True, all sheets in selected workbooks source column names from the first row, or, if the Orientation connection property is set to Horizontal, the first column, of the sheet. When set to False, the Sync App, by default, uses generic column names, such as A, B, C, or, if the Orientation connection property is set to Horizontal, R1, R2, R3, etc., in the resulting sheet tables exposed by the Sync App.
A value of True or False triggers the corresponding behavior for all sheets in selected workbooks, but you can override the specified behavior on a sheet-by-sheet basis by appending a comma-separated list of rules to this connection property's value (you must add a comma after the initial "True" or "False" as well).
The syntax for these additional rules is <Sheet Name>=<"True" or "False">, where "Sheet Name" is the name of a sheet in one of the selected workbooks.
For example, the value True,Sheet1=False means all sheets named "Sheet1" (among sheets in the selected workbooks) use generic column names, and all other sheets in the selected workbooks get their column names from the first row of the sheet (assuming the Orientation connection property is set to Vertical). If there are multiple sheets across the selected workbooks that share the name "Sheet1", the same rule applies to all sheets by that name.
Indicates whether the data in Excel is laid out horizontally or vertically.
By default, this connection property is set to Vertical, meaning the Sync App models vertically oriented spreadsheet data -- the Sync App regards the rows in the spreadsheet, arranged below a header row, as rows.
If this connection property is set to Horizontal, the Sync App regards the columns in the spreadsheet, arranged to the right of a header column, as rows.
A value of "Vertical" or "Horizontal" triggers the corresponding behavior for all sheets in selected workbooks, but you can override the set behavior on a sheet-by-sheet basis by appending a comma-separated list of rules to this connection property's value (you must add a comma after the initial "Horizontal" or "Vertical" as well).
The syntax for these additional rules is <Sheet Name>=<"Horizontal" or "Vertical">, where "Sheet Name" is the name of a sheet in one of the selected workbooks.
For example, a value of Orientation=Horizontal, Sheet1=Vertical means that the orientation is set to horizontal for all sheets except Sheet1, which is vertical. If there are multiple sheets across the selected workbooks that share the name "Sheet1", the same rule applies to all sheets by that name.
When this connection property is set to Horizontal, the Header connection property uses the rows in the first column, rather than the columns in the first row, as the source of column names for the sheet tables in the Sync App.
The location of an Excel file.
This property is deprecated and is replaced with URI.
A path that points to an Excel file. The file must exist. The Sync App implements support for Office Open XML spreadsheets used by Excel 2007 and later.
Specifies whether to wait until the connection is closed to apply changes made to workbook data.
If this connection property is set to True, changes made to workbook data via the Sync App are applied when the Sync App's connection is closed.
If this connection property is set to False, changes are reflected in the affected workbook files immediately, though the repeated opening and closing of workbook files necessary to make these immediate updates causes a reduction in query performance.
The hosting region for your S3-like Web Services.
The hosting region for your S3-like Web Services.
| Value | Region |
| Commercial Cloud Regions | |
| ap-hyderabad-1 | India South (Hyderabad) |
| ap-melbourne-1 | Australia Southeast (Melbourne) |
| ap-mumbai-1 | India West (Mumbai) |
| ap-osaka-1 | Japan Central (Osaka) |
| ap-seoul-1 | South Korea Central (Seoul) |
| ap-sydney-1 | Australia East (Sydney) |
| ap-tokyo-1 | Japan East (Tokyo) |
| ca-montreal-1 | Canada Southeast (Montreal) |
| ca-toronto-1 | Canada Southeast (Toronto) |
| eu-amsterdam-1 | Netherlands Northwest (Amsterdam) |
| eu-frankfurt-1 | Germany Central (Frankfurt) |
| eu-zurich-1 | Switzerland North (Zurich) |
| me-jeddah-1 | Saudi Arabia West (Jeddah) |
| sa-saopaulo-1 | Brazil East (Sao Paulo) |
| uk-london-1 | UK South (London) |
| us-ashburn-1 (default) | US East (Ashburn, VA) |
| us-phoenix-1 | US West (Phoenix, AZ) |
| US Gov FedRAMP High Regions | |
| us-langley-1 | US Gov East (Ashburn, VA) |
| us-luke-1 | US Gov West (Phoenix, AZ) |
| US Gov DISA IL5 Regions | |
| us-gov-ashburn-1 | US DoD East (Ashburn, VA) |
| us-gov-chicago-1 | US DoD North (Chicago, IL) |
| us-gov-phoenix-1 | US DoD West (Phoenix, AZ) |
| Value | Region |
| eu-central-1 | Europe (Amsterdam) |
| us-east-1 (Default) | US East (Ashburn, VA) |
| us-east-2 | US East (Manassas, VA) |
| us-west-1 | US West (Hillsboro, OR) |
The Oracle Cloud Object Storage namespace to use.
The Oracle Cloud Object Storage namespace to use. This setting must be set to the Oracle Cloud Object Storage namespace associated with the Oracle Cloud account before any requests can be made. Refer to the Understanding Object Storage Namespaces page of the Oracle Cloud documentation for instructions on how to find your account's Object Storage namespace.
Specifies the URL of a cloud storage service provider.
This connection property is used to specify:
If the domain for this option ends in -my (for example, https://bigcorp-my.sharepoint.com) then you may need to use the onedrive:// scheme instead of the sp:// or sprest:// scheme.
When connecting to files in a non–root-level SharePoint Online site (for example, under /sites/<your site>/), set this property to the full site path. For example: StorageBaseURL=https://<your domain>.sharepoint.com/sites/<your site>/
Using the full SharePoint site URL ensures the connector can locate files stored in subsites or other non-root-level site structures.
If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.
If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.
Specifies the behavior of the test connection operation.
Change how the Sync App responds to a test connection operation based on the integration scenario.
When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.
When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.
This section provides a complete list of the AWS Authentication properties you can configure in the connection string for this provider.
| Property | Description |
| AWSAccessKey | Specifies your AWS account access key. This value is accessible from your AWS security credentials page. |
| AWSSecretKey | Your AWS account secret key. This value is accessible from your AWS security credentials page. |
| AWSRoleARN | The Amazon Resource Name of the role to use when authenticating. |
| AWSPrincipalARN | The ARN of the SAML Identity provider in your AWS account. |
| AWSRegion | The hosting region for your Amazon Web Services. |
| AWSSessionToken | Your AWS session token. |
| AWSExternalId | A unique identifier that might be required when you assume a role in another account. |
| MFASerialNumber | The serial number of the MFA device if one is being used. |
| MFAToken | The temporary token available from your MFA device. |
| TemporaryTokenDuration | The amount of time (in seconds) a temporary token will last. |
| AWSWebIdentityToken | The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. |
Specifies your AWS account access key. This value is accessible from your AWS security credentials page.
To find your AWS account access key:
Your AWS account secret key. This value is accessible from your AWS security credentials page.
Your AWS account secret key. This value is accessible from your AWS security credentials page:
The Amazon Resource Name of the role to use when authenticating.
When authenticating outside of AWS, it is common to use a Role for authentication instead of your direct AWS account credentials. Entering the AWSRoleARN will cause the CData Sync App to perform a role based authentication instead of using the AWSAccessKey and AWSSecretKey directly. The AWSAccessKey and AWSSecretKey must still be specified to perform this authentication. You cannot use the credentials of an AWS root user when setting RoleARN. The AWSAccessKey and AWSSecretKey must be those of an IAM user.
The ARN of the SAML Identity provider in your AWS account.
The ARN of the SAML Identity provider in your AWS account.
The hosting region for your Amazon Web Services.
The hosting region for your Amazon Web Services. Available values are OHIO, NORTHERNVIRGINIA, NORTHERNCALIFORNIA, OREGON, CAPETOWN, HONGKONG, TAIPEI, HYDERABAD, JAKARTA, MALAYSIA, MELBOURNE, MUMBAI, OSAKA, SEOUL, SINGAPORE, SYDNEY, THAILAND, TOKYO, CENTRAL, CALGARY, BEIJING, NINGXIA, FRANKFURT, IRELAND, LONDON, MILAN, PARIS, SPAIN, STOCKHOLM, ZURICH, TELAVIV, MEXICOCENTRAL, BAHRAIN, UAE, SAOPAULO, GOVCLOUDEAST, GOVCLOUDWEST, ISOLATEDUSEAST, ISOLATEDUSEASTB, ISOLATEDUSEASTF, ISOLATEDUSSOUTHF, ISOLATEDUSWEST and ISOLATEDEUWEST.
Your AWS session token.
Your AWS session token. This value can be retrieved in different ways. See this link for more info.
A unique identifier that might be required when you assume a role in another account.
A unique identifier that might be required when you assume a role in another account.
The serial number of the MFA device if one is being used.
You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials. For virtual devices, this is actually an Amazon Resource Name (such as arn:aws:iam::123456789012:mfa/user).
The temporary token available from your MFA device.
If MFA is required, this value will be used along with the MFASerialNumber to retrieve temporary credentials to login. The temporary credentials available from AWS will only last up to 1 hour by default (see TemporaryTokenDuration). Once the time is up, the connection must be updated to specify a new MFA token so that new credentials may be obtained. %AWSpSecurityToken; %AWSpTemporaryTokenDuration;
The amount of time (in seconds) a temporary token will last.
Temporary tokens are used with both MFA and Role based authentication. Temporary tokens will eventually time out, at which time a new temporary token must be obtained. For situations where MFA is not used, this is not a big deal. The CData Sync App will internally request a new temporary token once the temporary token has expired.
However, for MFA required connection, a new MFAToken must be specified in the connection to retrieve a new temporary token. This is a more intrusive issue since it requires an update to the connection by the user. The maximum and minimum that can be specified will depend largely on the connection being used.
For Role based authentication, the minimum duration is 900 seconds (15 minutes) while the maximum if 3600 (1 hour). Even if MFA is used with role based authentication, 3600 is still the maximum.
For MFA authentication by itself (using an IAM User or root user), the minimum is 900 seconds (15 minutes), the maximum is 129600 (36 hours).
The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider.
The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. An application can get this token by authenticating a user with a web identity provider. If not specified, the value for this connection property is automatically obtained from the value of the 'AWS_WEB_IDENTITY_TOKEN_FILE' environment variable.
This section provides a complete list of the Azure Authentication properties you can configure in the connection string for this provider.
| Property | Description |
| AzureStorageAccount | The name of your Azure storage account. |
| AzureAccessKey | The storage key associated with your Azure account. |
| AzureSharedAccessSignature | A shared access key signature that may be used for authentication. |
| AzureTenant | Identifies the Microsoft Excel tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com ) or its directory (tenant) ID. |
| AzureEnvironment | Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added. |
The name of your Azure storage account.
The name of your Azure storage account.
The storage key associated with your Azure account.
The storage key associated with your Microsoft Excel account. You can retrieve it as follows:
Identifies the Microsoft Excel tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com ) or its directory (tenant) ID.
A tenant is a digital container for your organization's users and resources, managed through Microsoft Entra ID (formerly Azure AD). Each tenant is associated with a unique directory ID, and often with a custom domain (for example, microsoft.com or contoso.onmicrosoft.com).
To find the directory (tenant) ID in the Microsoft Entra Admin Center, navigate to Microsoft Entra ID > Properties and copy the value labeled "Directory (tenant) ID".
This property is required in the following cases:
You can provide the tenant value in one of two formats:
Specifying the tenant explicitly ensures that the authentication request is routed to the correct directory, which is especially important when a user belongs to multiple tenants or when using service principal–based authentication.
If this value is omitted when required, authentication may fail or connect to the wrong tenant. This can result in errors such as unauthorized or resource not found.
Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added.
Required if your Azure account is part of a different network than the Global network, such as China, USGOVT, or USGOVTDOD.
This section provides a complete list of the SSO properties you can configure in the connection string for this provider.
| Property | Description |
| SSOLoginURL | The identity provider's login URL. |
| SSOProperties | Additional properties required to connect to the identity provider, formatted as a semicolon-separated list. |
| SSOExchangeURL | The URL used for consuming the SAML response and exchanging it for service specific credentials. |
The identity provider's login URL.
The identity provider's login URL.
Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.
Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.
This is used with the SSOLoginURL.
SSO configuration is discussed further in .
The URL used for consuming the SAML response and exchanging it for service specific credentials.
The CData Sync App will use the URL specified here to consume a SAML response and exchange it for service specific credentials. The retrieved credentials are the final piece during the SSO connection that are used to communicate with Microsoft Excel.
This section provides a complete list of the Data properties you can configure in the connection string for this provider.
| Property | Description |
| AllowFormula | Specifies whether to treat values starting with an equals (=) sign as formulas during inserts and updates. |
| EmptyValueMode | Specifies whether to read cells containing empty strings as empty or as null. |
| NullValues | Identifies a comma-separated list of values to read as null. |
| IgnoreCalcError | Specifies whether to include spreadsheet calculation error types in query results. |
| NullValueMode | Indicates whether empty cells are read as null or as empty. |
| HasCrossSheetReferences | Specifies how cross-sheet references are handled. |
| Recalculate | Specifies whether to recalculate formula values when cells involved in formula calculation are updated. |
| ShowEmptyRows | Determines whether empty rows are included in query results. |
| TypeDetectionScheme | Determines how the provider detects the data types of columns. |
| EnableOleDbCompatibility | Specifies whether to emulate how the Microsoft OLE DB Driver reports newline characters. |
| UseFastInsert | Indicates whether to use the efficient insert mode, which forces inserts to append new lines to the bottom of the spreadsheet. |
| AggregateFiles | Enables the ability to aggregate the content of identically-named sheets across multiple workbook files. |
| SkipTop | Specifies the number of rows (or columns, when Orientation=Horizontal) immediately after the header to omit from query results. |
| IncludeCustomNames | Indicates whether or not the defined names should be pushed. |
| IncludeSubdirectories | Indicates whether to include workbook files in subdirectories when list. |
| MetadataDiscoveryURI | Identifies the workbook that is used as the source of metadata when aggregating sheets with the AggregateFiles connection property. |
| PathSeparator | The character used to represent path separators when calculating the names of tables based on spreadsheets in nested folders. |
Specifies whether to treat values starting with an equals (=) sign as formulas during inserts and updates.
When this connection property is set to True, values starting with an equals sign (=) are treated as formulas when executing INSERT and UPDATE queries. The specified formula is embedded into the affected cell(s) and the result of the formula is returned in query results.
When this connection property is set to False, values starting with an equals sign (=) are treated as literal strings when executing INSERT and UPDATE queries.
To illustrate this, suppose you have the following sheet ...
| ColA | ColB |
| 1 | 5 |
| 4 | 6 |
INSERT INTO Sheet1 (ColA,ColB) VALUES ("=SUM(A2:A3)","8"),
If this connection property is set to True, the sheet now contains:
| ColA | ColB |
| 1 | 5 |
| 4 | 6 |
| 5 (result of this cell's now-embedded formula: =SUM(A2:A3) ) | 8 |
| ColA | ColB |
| 1 | 5 |
| 4 | 6 |
| =SUM(A2:A3) (literal string) | 8 |
Specifies whether to read cells containing empty strings as empty or as null.
An empty value is a cell which contains an empty string (e.g., ""). Empty values are different from cells that have not been set, which contain null values.
To treat empty values as empty strings, set this connection property to ReadAsEmpty.
To treat empty values as NULL, set this connection property to ReadAsNull .
Identifies a comma-separated list of values to read as null.
Set this connection property to a comma-separated list of values that you want the Sync App to regard as null in query results.
For example: if you set this connection property to NaN,\N,N/A, then any cell containing "NaN", "\N", or "N/A" returns a null value.
Specifies whether to include spreadsheet calculation error types in query results.
This connection property controls how the Sync App treats cells containing invalid calculations in query results.
When this connection property is set to True, the Sync App returns the name of the error type, as it appears in the spreadsheet, (e.g. "#Name?") for these cells in query results.
When this connection property is set to False, the Sync App returns a null value for these cells in query results.
Note that, regardless of how this connection property is set, the Sync App does not halt query execution or display a Sync App-level error message when it detects a cell with invalid calculations.
Indicates whether empty cells are read as null or as empty.
An empty cell is a cell that has not been set and thus contains a null string.
Set this connection property to ReadAsEmpty to treat empty cells as empty strings.
Set this connection property to ReadAsNull to treat empty cells as NULL.
Set this connection property to ReadAsEmptyOrNull to return String values as empty strings, while all other data types are returned as NULL.
Specifies how cross-sheet references are handled.
If this connection property is set to True, all sheets in the workbook are loaded into memory and the values of cells with cross-sheet references are reflected correctly in query results. However, doing so may impact query performance because all sheets involved in the cross-sheet references must be read by the Sync App to correctly calculate their values.
If this connection property is set to False, the referenced external sheets are not loaded into memory, meaning that, if the referenced external sheet changes, the Sync App does not detect those changes when reporting the value of cells with cross-sheet references.
Specifies whether to recalculate formula values when cells involved in formula calculation are updated.
If this connection property is set to True, the Sync App recalculates the value of cells containing formulas when any of the cells targeted by the calculation are updated. This recalculated value is then sent back to the corresponding sheet in the workbook file.
If this connection property is set to False, cells containing formulas are not recalculated when any of the cells targeted by the calculation are updated.
Determines whether empty rows are included in query results.
If this connection property is set to True, empty rows are included in query results.
If this connection property is set to False, empty rows are excluded from query results.
Determines how the provider detects the data types of columns.
Set this connection property to one of the following:
| None | Returns all columns as string type. |
| RowScan | Scans rows to determine the data type. The RowScanDepth determines the number of rows that the Sync App scans when determining the data type. |
| ColumnFormat | Reports the data type based on the cell format (Number, Currency, Date, etc.) of the column. |
| ColumnStyle | Scans rows to determine the data type. The RowScanDepth determines the number of rows to be scanned. This retrieves more specific data types (date / time instead of just timestamp), but is more likely to cause values to be truncated due to values in the cells not completely following the associated conventions for those types. |
Specifies whether to emulate how the Microsoft OLE DB Driver reports newline characters.
If this connection property is set to True, the Sync App reports newline characters as '\n' instead of '\r\n', as the Microsoft OLE DB Driver does.
If this connection property is set to False, the Sync App reports newline characters as '\r\n'.
Indicates whether to use the efficient insert mode, which forces inserts to append new lines to the bottom of the spreadsheet.
When this connection property is set to True, the Sync App always appends inserted values onto the end and cannot insert rows in the middle of the sheet with the ROWID. This allows INSERT queries to have better performance at the cost of flexibility regarding where rows are inserted. The results of insertions are reflected immediately in the workbook file containing the sheet you're inserting into, regardless of how the BufferChanges connection property is set.
When this connection property is set to False, INSERT queries targeting a specific ROWID are supported. If data already exists on the row corresponding to the ROWID, the Sync App updates the data -- otherwise, data is inserted in that row.
Enables the ability to aggregate the content of identically-named sheets across multiple workbook files.
When this connection property is set to True, and if the URI connection property is set to a folder, the Sync App aggregates the content of identically-named sheets from multiple workbook files into consolidated tables called aggregate sheet tables.
These aggregate sheet tables only draw from the workbooks that fall within the scope specified by the URI and IncludeSubdirectories connection properties -- all others are ignored.
To facilitate aggregation of identically-named sheets, a metadata source workbook must be selected. The Sync App models each sheet from this workbook as an aggregate sheet table named after that sheet.
Each aggregate sheet table contains the combined content of all sheets that share the same name, across all selected workbooks.
You can explicitly designate a workbook file as the metadata source workbook with the MetadataDiscoveryURI connection property. If MetadataDiscoveryURI is not set, the first workbook file in the directory specified by the URI connection property is used as the metadata source workbook.
For example, if the metadata source workbook has a sheet named "SheetA", with this content:
| ColA | ColB | ColC |
| 1 | 2 | 3 |
| ColA | ColB | ColC |
| 4 | 5 | 6 |
| ColA | ColB | ColC |
| 1 | 2 | 3 |
| 4 | 5 | 6 |
Specifies the number of rows (or columns, when Orientation=Horizontal) immediately after the header to omit from query results.
This connection property omits the specified the number of rows, among the rows immediately following the header row, to omit query results.
If the Orientation connection property is set to Horizontal, this applies to columns immediately following the header column.
Indicates whether or not the defined names should be pushed.
If true, the defined names will be pushed.
Indicates whether to include workbook files in subdirectories when list.
This connection property only takes effect if the URI connection property is set to a folder, rather than a workbook file.
When this connection property is set to True, workbook files in subfolders of the folder specified in the URI property (alongside the workbook files in that folder itself) are used to source sheets, which are exposed as tables. If the AggregateFiles connection property is set to True, sheets from workbook files in subdirectories are candidates for inclusion in aggregate tables.
When this connection property is set to False, the contents of subfolders are ignored.
Identifies the workbook that is used as the source of metadata when aggregating sheets with the AggregateFiles connection property.
When the AggregateFiles connection property is enabled, the Sync App aggregates the content of identically-named sheets from multiple workbook files into consolidated tables called aggregate sheet tables.
To facilitate aggregation of identically-named sheets, a metadata source workbook must be selected. The Sync App models each sheet from this workbook as an aggregate sheet table named after that sheet.
You can use this connection property to explicitly designate a workbook file as the metadata source workbook. If this connection properly is not set, the first workbook file in the directory is used as the metadata source workbook.
The character used to represent path separators when calculating the names of tables based on spreadsheets in nested folders.
The character used to separate path components in such scenarios is taken from the value of this connection property. By default, this separator character is "_".
When the URI connection property is set to a folder, and the IncludeSubdirectories connection property is set to True, workbooks in nested folders are included in the pool of workbooks whose spreadsheets the Sync App models as tables.
Tables based on spreadsheets in workbooks inside nested folders include the names of all path components relative to the folder specified in URI.
For example, suppose the following:
The Sync App, by default, calls the resulting table for the "MySheet" sheet: NestedWorkbooks_MyWorkbook.xlsx.MySheet
Note that this includes a character ("_") separating the nested folder ("NestedWorkbooks") and the workbook ("MyWorkbook.xlsx") therein.
This separator applies to an arbitrary number of nested folder levels (as far as the DirectoryRetrievalDepth connection property's value allows).
This section provides a complete list of the OAuth properties you can configure in the connection string for this provider.
| Property | Description |
| OAuthVersion | Identifies the version of OAuth being used. |
| OAuthClientId | Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication. |
| OAuthClientSecret | Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server. (Custom OAuth applications only.). |
| Scope | Specifies the scope of the authenticating user's access to the application, to ensure they get appropriate access to data. If a custom OAuth application is needed, this is generally specified at the time the application is created. |
| OAuthPasswordGrantMode | Specifies how the OAuth Client ID and Client Secret are sent to the authorization server. |
| OAuthIncludeCallbackURL | Whether to include the callback URL in an access token request. |
| OAuthAuthorizationURL | The authorization URL for the OAuth service. |
| OAuthAccessTokenURL | The URL from which the OAuth access token is retrieved. |
| OAuthRefreshTokenURL | The URL to refresh the OAuth token from. |
| OAuthRequestTokenURL | The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0. |
| AuthToken | The authentication token used to request and obtain the OAuth Access Token. |
| AuthKey | The authentication secret used to request and obtain the OAuth Access Token. |
| OAuthParams | A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value. |
Identifies the version of OAuth being used.
Accepted entries are: 1.0,2.0
Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication.
This property is required in two cases:
(When the driver provides embedded OAuth credentials, this value may already be provided by the Sync App and thus not require manual entry.)
OAuthClientId is generally used alongside other OAuth-related properties such as OAuthClientSecret and OAuthSettingsLocation when configuring an authenticated connection.
OAuthClientId is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can usually find this value in your identity provider’s application registration settings. Look for a field labeled Client ID, Application ID, or Consumer Key.
While the client ID is not considered a confidential value like a client secret, it is still part of your application's identity and should be handled carefully. Avoid exposing it in public repositories or shared configuration files.
For more information on how this property is used when configuring a connection, see Establishing a Connection.
Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server. (Custom OAuth applications only.).
This property (sometimes called the application secret or consumer secret) is required when using a custom OAuth application in any flow that requires secure client authentication, such as web-based OAuth, service-based connections, or certificate-based authorization flows. It is not required when using an embedded OAuth application.
The client secret is used during the token exchange step of the OAuth flow, when the driver requests an access token from the authorization server. If this value is missing or incorrect, authentication fails with either an invalid_client or an unauthorized_client error.
OAuthClientSecret is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can obtain this value from your identity provider when registering the OAuth application.
Notes:
For more information on how this property is used when configuring a connection, see Establishing a Connection
Specifies the scope of the authenticating user's access to the application, to ensure they get appropriate access to data. If a custom OAuth application is needed, this is generally specified at the time the application is created.
Scopes are set to define what kind of access the authenticating user will have; for example, read, read and write, restricted access to sensitive information. System administrators can use scopes to selectively enable access by functionality or security clearance.
When InitiateOAuth is set to GETANDREFRESH, you must use this property if you want to change which scopes are requested.
When InitiateOAuth is set to either REFRESH or OFF, you can change which scopes are requested using either this property or the Scope input.
Specifies how the OAuth Client ID and Client Secret are sent to the authorization server.
The OAuth RFC provides two methods of passing the OAuthClientId and OAuthClientSecret:
Whether to include the callback URL in an access token request.
This defaults to true since standards-compliant OAuth services will ignore the redirect_uri parameter for grant types like CLIENT or PASSWORD that do not require it.
This option should only be enabled for OAuth services that report errors when redirect_uri is included.
The authorization URL for the OAuth service.
The authorization URL for the OAuth service. At this URL, the user logs into the server and grants permissions to the application. In OAuth 1.0, if permissions are granted, the request token is authorized.
The URL from which the OAuth access token is retrieved.
In OAuth 1.0, the authorized request token is exchanged for the access token at this URL.
The URL to refresh the OAuth token from.
The URL to refresh the OAuth token from. In OAuth 2.0, this URL is where the refresh token is exchanged for a new access token when the old access token expires.
The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0.
The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0. In OAuth 1.0, this is the URL where the app makes a request for the request token.
The authentication token used to request and obtain the OAuth Access Token.
This property is required only when performing headless authentication in OAuth 1.0. It can be obtained from the GetOAuthAuthorizationUrl stored procedure.
It can be supplied alongside the AuthKey in the GetOAuthAccessToken stored procedure to obtain the OAuthAccessToken.
The authentication secret used to request and obtain the OAuth Access Token.
This property is required only when performing headless authentication in OAuth 1.0. It can be obtained from the GetOAuthAuthorizationUrl stored procedure.
It can be supplied alongside the AuthToken in the GetOAuthAccessToken stored procedure to obtain the OAuthAccessToken.
A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value.
A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value.
This section provides a complete list of the JWT OAuth properties you can configure in the connection string for this provider.
| Property | Description |
| OAuthJWTCert | Supplies the name of the client certificate's JWT Certificate store. |
| OAuthJWTCertType | Identifies the type of key store containing the JWT Certificate. |
| OAuthJWTCertPassword | Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank. |
| OAuthJWTCertSubject | Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate. |
| OAuthJWTIssuer | The issuer of the Java Web Token. |
| OAuthJWTSubject | The user subject for which the application is requesting delegated access. |
Supplies the name of the client certificate's JWT Certificate store.
The OAuthJWTCertType field specifies the type of the certificate store specified in OAuthJWTCert. If the store is password-protected, use OAuthJWTCertPassword to supply the password..
OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates. If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, the CData Sync App initiates a search for a certificate. For further information, see OAuthJWTCertSubject.
Designations of certificate stores are platform-dependent.
Notes
Identifies the type of key store containing the JWT Certificate.
| Value | Description | Notes |
| USER | A certificate store owned by the current user. | Only available in Windows. |
| MACHINE | A machine store. | Not available in Java or other non-Windows environments. |
| PFXFILE | A PFX (PKCS12) file containing certificates. | |
| PFXBLOB | A string (base-64-encoded) representing a certificate store in PFX (PKCS12) format. | |
| JKSFILE | A Java key store (JKS) file containing certificates. | Only available in Java. |
| JKSBLOB | A string (base-64-encoded) representing a certificate store in Java key store (JKS) format. | Only available in Java. |
| PEMKEY_FILE | A PEM-encoded file that contains a private key and an optional certificate. | |
| PEMKEY_BLOB | A string (base64-encoded) that contains a private key and an optional certificate. | |
| PUBLIC_KEY_FILE | A file that contains a PEM- or DER-encoded public key certificate. | |
| PUBLIC_KEY_BLOB | A string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate. | |
| SSHPUBLIC_KEY_FILE | A file that contains an SSH-style public key. | |
| SSHPUBLIC_KEY_BLOB | A string (base-64-encoded) that contains an SSH-style public key. | |
| P7BFILE | A PKCS7 file containing certificates. | |
| PPKFILE | A file that contains a PPK (PuTTY Private Key). | |
| XMLFILE | A file that contains a certificate in XML format. | |
| XMLBLOB | Astring that contains a certificate in XML format. | |
| BCFKSFILE | A file that contains an Bouncy Castle keystore. | |
| BCFKSBLOB | A string (base-64-encoded) that contains a Bouncy Castle keystore. | |
| GOOGLEJSON | A JSON file containing the service account information. | Only valid when connecting to a Google service. |
| GOOGLEJSONBLOB | A string that contains the service account JSON. | Only valid when connecting to a Google service. |
| BOXJSON | A JSON file containing the service account credentials. | Only valid when connecting to Box. |
| BOXJSONBLOB | The certificate store is a string that contains the service account JSON. | Only valid when connecting to Box. |
Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank.
This property specifies the password needed to open a password-protected certificate store. To determine if a password is necessary, refer to the documentation or configuration for your specific certificate store.
This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys are not encrypted.
Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.
The value of this property is used to locate a matching certificate in the store. The search process works as follows:
You can set the value to '*' to automatically select the first certificate in the store. The certificate subject is a comma-separated list of distinguished name fields and values. For example: CN=www.server.com, OU=test, C=US, [email protected].
Common fields include:
| Field | Meaning |
| CN | Common Name. This is commonly a host name like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
If a field value contains a comma, enclose it in quotes. For example: "O=ACME, Inc.".
The issuer of the Java Web Token.
The issuer of the Java Web Token. In most cases, this takes the value of the OAuth App Id (Client Id) connection property and does not need to be individually set.
This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys contain a copy of the issuer account.
The user subject for which the application is requesting delegated access.
The user subject for which the application is requesting delegated access. In most cases, this takes the value of the OAuth App Id (Client Id) connection property and does not need to be individually set.
This section provides a complete list of the Kerberos properties you can configure in the connection string for this provider.
| Property | Description |
| KerberosKDC | Identifies the Kerberos Key Distribution Center (KDC) service used to authenticate the user. (SPNEGO or Windows authentication only). |
| KerberosRealm | Identifies the Kerberos Realm used to authenticate the user. |
| KerberosSPN | Identifies the service principal name (SPN) for the Kerberos Domain Controller. |
| KerberosUser | Confirms the principal name for the Kerberos Domain Controller, which uses the format host/user@realm. |
| KerberosKeytabFile | Identifies the Keytab file containing your pairs of Kerberos principals and encrypted keys. |
| KerberosServiceRealm | Identifies the service's Kerberos realm. (Cross-realm authentication only). |
| KerberosServiceKDC | Identifies the service's Kerberos Key Distribution Center (KDC). |
| KerberosTicketCache | Specifies the full file path to an MIT Kerberos credential cache file. |
Identifies the Kerberos Key Distribution Center (KDC) service used to authenticate the user. (SPNEGO or Windows authentication only).
The Kerberos properties are used when using SPNEGO or Windows Authentication. The Sync App requests session tickets and temporary session keys from the Kerberos KDC service, which is usually co-located with the domain controller.
If KerberosKDC is not specified, the Sync App tries to detect these properties automatically from the following locations:
Identifies the Kerberos Realm used to authenticate the user.
A realm is a logical network, similar to a domain, that defines a group of systems under the same master KDC. Some realms are hierarchical, where one realm is a superset of the other realm, but usually realms are nonhierarchical (or “direct”) and the mapping between the two realms must be defined. Kerberos cross-realm authentication enables authentication across realms. Each realm only needs to have a principal entry for the other realm in its KDC.
The Kerberos properties are used when using SPNEGO or Windows Authentication. The Sync App requests session tickets and temporary session keys from the Kerberos KDC service, which is usually co-located with the domain controller. The Kerberos Realm can be configured by an administrator to be any string, but it is usually based on the domain name.
If Kerberos Realm is not specified, the Sync App will attempt to detect these properties automatically from the following locations:
Identifies the service principal name (SPN) for the Kerberos Domain Controller.
If the SPN on the Kerberos Domain Controller is not the same as the URL that you are authenticating to, use this property to set the SPN to the KDC's URL.
Confirms the principal name for the Kerberos Domain Controller, which uses the format host/user@realm.
If there is a Kerberos principal, that Kerberos principal name should always be used to authenticate to the database.
Identifies the Keytab file containing your pairs of Kerberos principals and encrypted keys.
A keytab (short for “key table”) stores long-term keys for one or more principals. In most cases, end users authenticate to the KDC using their client secret (password). However, in situations where authentication or re-authentication happen using automated scripts and applications, it may be more efficient to use a keytab, which sends passwords to the KDC in encrypted form, automatically.
Keytabs are normally represented by files in a standard format, and named using the format type:value. Usually type is FILE and value is the absolute pathname of the file. The other possible value for type is MEMORY, which indicates a temporary keytab stored in the memory of the current process.
A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. They can be generated using kutil.
For example:
[admin@myhost]# ktutil ktutil: addent -password -p starlord/[email protected] -k 1 -e aes256-cts-hmac-sha1-96 Password for starlord/myhost.galaxy.com: ktutil: addent -password -p starlord/[email protected] -k 1 -e aes128-cts-hmac-sha1-96 Password for starlord/myhost.galaxy.com: ktutil: addent -password -p starlord/[email protected] -k 1 -e des3-cbc-sha1 Password for starlord/myhost.galaxy.com: ktutil: wkt /path/to/starlord.keytab
Note: You must create principals for all authentication methods (encryption types) you want to support.
To display a keytab, use klist -k.
A keytab (short for “key table”) stores long-term keys for one or more principals. In most cases, end users authenticate to the KDC using their client secret (password). However, in situations where authentication or re-authentication happen using automated scripts and applications, it may be more efficient to use a keytab, which sends passwords to the KDC in encrypted form, automatically.
Keytabs are normally represented by files in a standard format, and named using the format type:value. Usually type is FILE and value is the absolute pathname of the file. The other possible value for type is MEMORY, which indicates a temporary keytab stored in the memory of the current process.
A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself. They can be generated using kutil.
For example:
[admin@myhost]# ktutil ktutil: addent -password -p starlord/[email protected] -k 1 -e aes256-cts-hmac-sha1-96 Password for starlord/myhost.galaxy.com: ktutil: addent -password -p starlord/[email protected] -k 1 -e aes128-cts-hmac-sha1-96 Password for starlord/myhost.galaxy.com: ktutil: addent -password -p starlord/[email protected] -k 1 -e des3-cbc-sha1 Password for starlord/myhost.galaxy.com: ktutil: wkt /path/to/starlord.keytab
Note: You must create principals for all authentication methods (encryption types) you want to support.
To display a keytab, use klist -k.
Identifies the service's Kerberos realm. (Cross-realm authentication only).
The KerberosServiceRealm is used to specify a service's KerberosRealm when using cross-realm Kerberos authentication.
In most cases, a single realm and KDC machine are used to perform the Kerberos authentication, which means that this property would not be required. However, the property is available for complex setups where a different realm and KDC machine are used to obtain an authentication ticket (AS request) and a service ticket (TGS request).
Identifies the service's Kerberos Key Distribution Center (KDC).
The KerberosServiceKDC is used to specify the service Kerberos KDC when using cross-realm Kerberos authentication.
In most cases, a single realm and KDC machine are used to perform the Kerberos authentication, which means that this property would not be required. However, the property is available for complex setups where a different realm and KDC machine are used to obtain an authentication ticket (AS request) and a service ticket (TGS request).
Specifies the full file path to an MIT Kerberos credential cache file.
Set this property if you want to use a credential cache file that was created using the MIT Kerberos Ticket Manager or kinit command.
This section provides a complete list of the SSL properties you can configure in the connection string for this provider.
| Property | Description |
| SSLClientCert | Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection. |
| SSLClientCertType | Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source. |
| SSLClientCertPassword | Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access. |
| SSLClientCertSubject | Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store. |
| SSLMode | The authentication mechanism to be used when connecting to the FTP or FTPS server. |
| SSLServerCert | Specifies the certificate to be accepted from the server when connecting using TLS/SSL. |
Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection.
This property specifies the client certificate store for SSL Client Authentication. Use this property alongside SSLClientCertType, which defines the type of the certificate store, and SSLClientCertPassword, which specifies the password for password-protected stores. When SSLClientCert is set and SSLClientCertSubject is configured, the driver searches for a certificate matching the specified subject.
Certificate store designations vary by platform. On Windows, certificate stores are identified by names such as MY (personal certificates), while in Java, the certificate store is typically a file containing certificates and optional private keys.
The following are designations of the most common User and Machine certificate stores in Windows:
| MY | A certificate store holding personal certificates with their associated private keys. |
| CA | Certifying authority certificates. |
| ROOT | Root certificates. |
| SPC | Software publisher certificates. |
For PFXFile types, set this property to the filename. For PFXBlob types, set this property to the binary contents of the file in PKCS12 format.
Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source.
This property determines the format and location of the key store used to provide the client certificate. Supported values include platform-specific and universal key store formats. The available values and their usage are:
| USER - default | For Windows, this specifies that the certificate store is a certificate store owned by the current user. Note that this store type is not available in Java. |
| MACHINE | For Windows, this specifies that the certificate store is a machine store. Note that this store type is not available in Java. |
| PFXFILE | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
| PFXBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in PFX (PKCS12) format. |
| JKSFILE | The certificate store is the name of a Java key store (JKS) file containing certificates. Note that this store type is only available in Java. |
| JKSBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in JKS format. Note that this store type is only available in Java. |
| PEMKEY_FILE | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
| PEMKEY_BLOB | The certificate store is a string (base64-encoded) that contains a private key and an optional certificate. |
| PUBLIC_KEY_FILE | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
| PUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate. |
| SSHPUBLIC_KEY_FILE | The certificate store is the name of a file that contains an SSH-style public key. |
| SSHPUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains an SSH-style public key. |
| P7BFILE | The certificate store is the name of a PKCS7 file containing certificates. |
| PPKFILE | The certificate store is the name of a file that contains a PuTTY Private Key (PPK). |
| XMLFILE | The certificate store is the name of a file that contains a certificate in XML format. |
| XMLBLOB | The certificate store is a string that contains a certificate in XML format. |
| BCFKSFILE | The certificate store is the name of a file that contains an Bouncy Castle keystore. |
| BCFKSBLOB | The certificate store is a string (base-64-encoded) that contains a Bouncy Castle keystore. |
Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access.
This property provides the password needed to open a password-protected certificate store. This property is necessary when using certificate stores that require a password for decryption, as is often recommended for PFX or JKS type stores.
If the certificate store type does not require a password, for example USER or MACHINE on Windows, this property can be left blank. Ensure that the password matches the one associated with the specified certificate store to avoid authentication errors.
Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store.
This property determines which client certificate to load based on its subject. The Sync App searches for a certificate that exactly matches the specified subject. If no exact match is found, the Sync App looks for certificates containing the value of the subject. If no match is found, no certificate is selected.
The subject should follow the standard format of a comma-separated list of distinguished name fields and values. For example, CN=www.server.com, OU=Test, C=US. Common fields include the following:
| Field | Meaning |
| CN | Common Name. This is commonly a host name like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
Note: If any field contains special characters, such as commas, the value must be quoted. For example: CN="Example, Inc.", C=US.
The authentication mechanism to be used when connecting to the FTP or FTPS server.
If SSLMode is set to NONE, default plaintext authentication is used to log in to the server. If SSLMode is set to IMPLICIT, the SSL negotiation will start immediately after the connection is established. If SSLMode is set to EXPLICIT, the Sync App will first connect in plaintext, and then explicitly start SSL negotiation through a protocol command such as STARTTLS. If SSLMode is set to AUTOMATIC, if the remote port is set to the standard plaintext port of the protocol (where applicable), the component will behave the same as if SSLMode is set to EXPLICIT. In all other cases, SSL negotiation will be IMPLICIT.
Specifies the certificate to be accepted from the server when connecting using TLS/SSL.
If you are using a TLS/SSL connection, use this property to specify the TLS/SSL certificate to be accepted from the server. If you specify a value for this property, all other certificates that are not trusted by the machine are rejected.
This property can take the following forms:
| Description | Example |
| A full PEM Certificate (example shortened for brevity) | -----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE----- |
| A path to a local file containing the certificate | C:\cert.cer |
| The public key (example shortened for brevity) | -----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY----- |
| The MD5 Thumbprint (hex values can also be either space- or colon-separated) | ecadbdda5a1529c58a1e9e09828d70e4 |
| The SHA1 Thumbprint (hex values can also be either space- or colon-separated) | 34a929226ae0819f2ec14b4a3d904f801cbb150d |
Note: It is possible to use '*' to signify that all certificates should be accepted, but due to security concerns this is not recommended.
This section provides a complete list of the SSH properties you can configure in the connection string for this provider.
| Property | Description |
| SSHAuthMode | The authentication method used when establishing an SSH Tunnel to the service. |
| SSHClientCert | A certificate to be used for authenticating the SSHUser. |
| SSHClientCertPassword | The password of the SSHClientCert key if it has one. |
| SSHClientCertSubject | The subject of the SSH client certificate. |
| SSHClientCertType | The type of SSHClientCert private key. |
| SSHUser | The SSH user. |
| SSHPassword | The SSH password. |
The authentication method used when establishing an SSH Tunnel to the service.
A certificate to be used for authenticating the SSHUser.
SSHClientCert must contain a valid private key in order to use public key authentication. A public key is optional, if one is not included then the Sync App generates it from the private key. The Sync App sends the public key to the server and the connection is allowed if the user has authorized the public key.
The SSHClientCertType field specifies the type of the key store specified by SSHClientCert. If the store is password protected, specify the password in SSHClientCertPassword.
Some types of key stores are containers which may include multiple keys. By default the Sync App will select the first key in the store, but you can specify a specific key using SSHClientCertSubject.
The password of the SSHClientCert key if it has one.
This property is required for SSH tunneling when using certificate-based authentication. If the SSH certificate is in a password-protected key store, provide the password using this property to access the certificate.
The subject of the SSH client certificate.
When loading a certificate the subject is used to locate the certificate in the store.
If an exact match is not found, the store is searched for subjects containing the value of the property.
If a match is still not found, the property is set to an empty string, and no certificate is selected.
The special value "*" picks the first certificate in the certificate store.
The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, [email protected]". Common fields and their meanings are displayed below.
| Field | Meaning |
| CN | Common Name. This is commonly a host name like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
If a field value contains a comma it must be quoted.
The type of SSHClientCert private key.
This property can take one of the following values:
| Types | Description | Allowed Blob Values |
| MACHINE/USER | Blob values are not supported. | |
| JKSFILE/JKSBLOB | base64-only | |
| PFXFILE/PFXBLOB | A PKCS12-format (.pfx) file. Must contain both a certificate and a private key. | base64-only |
| PEMKEY_FILE/PEMKEY_BLOB | A PEM-format file. Must contain an RSA, DSA, or OPENSSH private key. Can optionally contain a certificate matching the private key. | base64 or plain text. |
| PPKFILE/PPKBLOB | A PuTTY-format private key created using the puttygen tool. | base64-only |
| XMLFILE/XMLBLOB | An XML key in the format generated by the .NET RSA class: RSA.ToXmlString(true). | base64 or plain text. |
The SSH user.
The SSH user.
The SSH password.
The SSH password.
This section provides a complete list of the Firewall properties you can configure in the connection string for this provider.
| Property | Description |
| FirewallType | Specifies the protocol the provider uses to tunnel traffic through a proxy-based firewall. |
| FirewallServer | Identifies the IP address, DNS name, or host name of a proxy used to traverse a firewall and relay user queries to network resources. |
| FirewallPort | Specifies the TCP port to be used for a proxy-based firewall. |
| FirewallUser | Identifies the user ID of the account authenticating to a proxy-based firewall. |
| FirewallPassword | Specifies the password of the user account authenticating to a proxy-based firewall. |
Specifies the protocol the provider uses to tunnel traffic through a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Note: By default, the Sync App connects to the system proxy. To disable this behavior and connect to one of the following proxy types, set ProxyAutoDetect to false.
The following table provides port number information for each of the supported protocols.
| Protocol | Default Port | Description |
| TUNNEL | 80 | The port where the Sync App opens a connection to Microsoft Excel. Traffic flows back and forth via the proxy at this location. |
| SOCKS4 | 1080 | The port where the Sync App opens a connection to Microsoft Excel. SOCKS 4 then passes theFirewallUser value to the proxy, which determines whether the connection request should be granted. |
| SOCKS5 | 1080 | The port where the Sync App sends data to Microsoft Excel. If the SOCKS 5 proxy requires authentication, set FirewallUser and FirewallPassword to credentials the proxy recognizes. |
To connect to HTTP proxies, use ProxyServer and ProxyPort. To authenticate to HTTP proxies, use ProxyAuthScheme, ProxyUser, and ProxyPassword.
Identifies the IP address, DNS name, or host name of a proxy used to traverse a firewall and relay user queries to network resources.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Specifies the TCP port to be used for a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Identifies the user ID of the account authenticating to a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Specifies the password of the user account authenticating to a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
This section provides a complete list of the Proxy properties you can configure in the connection string for this provider.
| Property | Description |
| ProxyAutoDetect | Specifies whether the provider checks your system proxy settings for existing proxy server configurations, rather than using a manually specified proxy server. |
| ProxyServer | Identifies the hostname or IP address of the proxy server through which you want to route HTTP traffic. |
| ProxyPort | Identifies the TCP port on your specified proxy server that has been reserved for routing HTTP traffic to and from the client. |
| ProxyAuthScheme | Specifies the authentication method the provider uses when authenticating to the proxy server specified in the ProxyServer connection property. |
| ProxyUser | Provides the username of a user account registered with the proxy server specified in the ProxyServer connection property. |
| ProxyPassword | Specifies the password of the user specified in the ProxyUser connection property. |
| ProxySSLType | Specifies the SSL type to use when connecting to the proxy server specified in the ProxyServer connection property. |
| ProxyExceptions | Specifies a semicolon-separated list of destination hostnames or IPs that are exempt from connecting through the proxy server set in the ProxyServer connection property. |
Specifies whether the provider checks your system proxy settings for existing proxy server configurations, rather than using a manually specified proxy server.
When this connection property is set to True, the Sync App checks your system proxy settings for existing proxy server configurations (no need to manually supply proxy server details).
This connection property takes precedence over other proxy settings. If you want to configure the Sync App to connect to a specific proxy server, set ProxyAutoDetect to False.
To connect to an HTTP proxy, see ProxyServer. For other proxies, such as SOCKS or tunneling, see FirewallType.
Identifies the hostname or IP address of the proxy server through which you want to route HTTP traffic.
The Sync App only routes HTTP traffic through the proxy server specified in this connection property when ProxyAutoDetect is set to False.
If ProxyAutoDetect is set to True (the default), the Sync App instead routes HTTP traffic through the proxy server specified in your system proxy settings.
Identifies the TCP port on your specified proxy server that has been reserved for routing HTTP traffic to and from the client.
The Sync App only routes HTTP traffic through the ProxyServer port specified in this connection property when ProxyAutoDetect is set to False.
If ProxyAutoDetect is set to True (the default), the Sync App instead routes HTTP traffic through the proxy server port specified in your system proxy settings.
For other proxy types, see FirewallType.
Specifies the authentication method the provider uses when authenticating to the proxy server specified in the ProxyServer connection property.
Supported authentication types :
For all values other than NONE, you must also set the ProxyUser and ProxyPassword connection properties.
If you need to use another authentication type, such as SOCKS 5 authentication, see FirewallType.
Provides the username of a user account registered with the proxy server specified in the ProxyServer connection property.
The ProxyUser and ProxyPassword connection properties are used to connect and authenticate against the HTTP proxy specified in ProxyServer.
After selecting one of the available authentication types in ProxyAuthScheme, set this property as follows:
| ProxyAuthScheme Value | Value to set for ProxyUser |
| BASIC | The username of a user registered with the proxy server. |
| DIGEST | The username of a user registered with the proxy server. |
| NEGOTIATE | The username of a Windows user who is a valid user in the domain or trusted domain that the proxy server is part of, in the format user@domain or domain\user. |
| NTLM | The username of a Windows user who is a valid user in the domain or trusted domain that the proxy server is part of, in the format user@domain or domain\user. |
| NONE | Do not set the ProxyPassword connection property. |
Note: The Sync App only uses this username if ProxyAutoDetect is set to False. If ProxyAutoDetect is set to True (the default), the Sync App instead uses the username specified in your system proxy settings.
Specifies the password of the user specified in the ProxyUser connection property.
The ProxyUser and ProxyPassword connection properties are used to connect and authenticate against the HTTP proxy specified in ProxyServer.
After selecting one of the available authentication types in ProxyAuthScheme, set this property as follows:
| ProxyAuthScheme Value | Value to set for ProxyPassword |
| BASIC | The password associated with the proxy server user specified in ProxyUser. |
| DIGEST | The password associated with the proxy server user specified in ProxyUser. |
| NEGOTIATE | The password associated with the Windows user account specified in ProxyUser. |
| NTLM | The password associated with the Windows user account specified in ProxyUser. |
| NONE | Do not set the ProxyPassword connection property. |
For SOCKS 5 authentication or tunneling, see FirewallType.
Note: The Sync App only uses this password if ProxyAutoDetect is set to False. If ProxyAutoDetect is set to True (the default), the Sync App instead uses the password specified in your system proxy settings.
Specifies the SSL type to use when connecting to the proxy server specified in the ProxyServer connection property.
This property determines when to use SSL for the connection to the HTTP proxy specified by ProxyServer. You can set this connection property to the following values :
| AUTO | Default setting. If ProxyServer is set to an HTTPS URL, the Sync App uses the TUNNEL option. If ProxyServer is set to an HTTP URL, the component uses the NEVER option. |
| ALWAYS | The connection is always SSL enabled. |
| NEVER | The connection is not SSL enabled. |
| TUNNEL | The connection is made through a tunneling proxy. The proxy server opens a connection to the remote host and traffic flows back and forth through the proxy. |
Specifies a semicolon-separated list of destination hostnames or IPs that are exempt from connecting through the proxy server set in the ProxyServer connection property.
The ProxyServer is used for all addresses, except for addresses defined in this property. Use semicolons to separate entries.
Note: The Sync App uses the system proxy settings by default, without further configuration needed. If you want to explicitly configure proxy exceptions for this connection, set ProxyAutoDetect to False.
This section provides a complete list of the Logging properties you can configure in the connection string for this provider.
| Property | Description |
| LogModules | Specifies the core modules to include in the log file. Use a semicolon-separated list of module names. By default, all modules are logged. |
Specifies the core modules to include in the log file. Use a semicolon-separated list of module names. By default, all modules are logged.
The Sync App writes details about each operation it performs into the logfile specified by the Logfile connection property.
Each of these logged operations are assigned to a themed category called a module, and each module has a corresponding short code used to labels individual Sync App operations as belonging to that module.
When this connection property is set to a semicolon-separated list of module codes, only operations belonging to the specified modules are written to the logfile. Note that this only affects which operations are logged moving forward and doesn't retroactively alter the existing contents of the logfile. For example: INFO;EXEC;SSL;META;
By default, logged operations from all modules are included.
You can explicitly exclude a module by prefixing it with a "-". For example: -HTTP
To apply filters to submodules, identify them with the syntax <module name>.<submodule name>. For example, the following value causes the Sync App to only log actions belonging to the HTTP module, and further refines it to exclude actions belonging to the Res submodule of the HTTP module: HTTP;-HTTP.Res
Note that the logfile filtering triggered by the Verbosity connection property takes precedence over the filtering imposed by this connection property. This means that operations of a higher verbosity level than the level specified in the Verbosity connection property are not printed in the logfile, even if they belong to one of the modules specified in this connection property.
The available modules and submodules are:
| Module Name | Module Description | Submodules |
| INFO | General Information. Includes the connection string, product version (build number), and initial connection messages. |
|
| EXEC | Query Execution. Includes execution messages for user-written SQL queries, parsed SQL queries, and normalized SQL queries. Success/failure messages for queries and query pages appear here as well. |
|
| HTTP | HTTP protocol messages. Includes HTTP requests/responses (including POST messages), as well as Kerberos related messages. |
|
| WSDL | Messages pertaining to the generation of WSDL/XSD files. | — |
| SSL | SSL certificate messages. |
|
| AUTH | Authentication related failure/success messages. |
|
| SQL | Includes SQL transactions, SQL bulk transfer messages, and SQL result set messages. |
|
| META | Metadata cache and schema messages. |
|
| FUNC | Information related to executing SQL functions. |
|
| TCP | Incoming and outgoing raw bytes on TCP transport layer messages. |
|
| FTP | Messages pertaining to the File Transfer Protocol. |
|
| SFTP | Messages pertaining to the Secure File Transfer Protocol. |
|
| POP | Messages pertaining to data transferred via the Post Office Protocol. |
|
| SMTP | Messages pertaining to data transferred via the Simple Mail Transfer Protocol. |
|
| CORE | Messages relating to various internal product operations not covered by other modules. | — |
| DEMN | Messages related to SQL remoting. | — |
| STRG | Messages related to reading from and writing to raw files in formats like CSV and JSON. | — |
| CLJB | Messages about bulk data uploads (cloud job). |
|
| SRCE | Miscellaneous messages produced by the product that don't belong in any other module. | — |
| TRANCE | Advanced messages concerning low-level product operations. | — |
This section provides a complete list of the Schema properties you can configure in the connection string for this provider.
| Property | Description |
| Location | Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path. |
| BrowsableSchemas | Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC . |
| Tables | Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC . |
| Views | Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC . |
Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path.
The Location property is only needed if you want to either customize definitions (for example, change a column name, ignore a column, etc.) or extend the data model with new tables, views, or stored procedures.
If left unspecified, the default location is %APPDATA%\\CData\\Excel Data Provider\\Schema, where %APPDATA% is set to the user's configuration directory:
| Platform | %APPDATA% |
| Windows | The value of the APPDATA environment variable |
| Linux | ~/.config |
Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC .
Listing all available database schemas can take extra time, thus degrading performance. Providing a list of schemas in the connection string saves time and improves performance.
Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC .
Listing all available tables from some databases can take extra time, thus degrading performance. Providing a list of tables in the connection string saves time and improves performance.
If there are lots of tables available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those tables. To do this, specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.
Note: If you are connecting to a data source with multiple schemas or catalogs, you must specify each table you want to view by its fully qualified name. This avoids ambiguity between tables that may exist in multiple catalogs or schemas.
Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC .
Listing all available views from some databases can take extra time, thus degrading performance. Providing a list of views in the connection string saves time and improves performance.
If there are lots of views available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those views. To do this, specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.
Note: If you are connecting to a data source with multiple schemas or catalogs, you must specify each view you want to examine by its fully qualified name. This avoids ambiguity between views that may exist in multiple catalogs or schemas.
This section provides a complete list of the Miscellaneous properties you can configure in the connection string for this provider.
| Property | Description |
| AWSCertificate | The absolute path to the certificate file or the certificate content in PEM format encoded in base64. |
| AWSCertificatePassword | The password for the certificate if applicable, otherwise leave blank. |
| AWSCertificateType | The type of AWSCertificate . |
| AWSPrivateKey | The absolute path to the private key file or the private key content in PEM format encoded in base64. |
| AWSPrivateKeyPassword | The password for the private key if it is encrypted, otherwise leave blank. |
| AWSPrivateKeyType | The type of AWSPrivateKey . |
| AWSProfileARN | Profile to pull policies from. |
| AWSSessionDuration | Duration, in seconds, for the resulting session. |
| AWSTrustAnchorARN | Trust anchor to use for authentication. |
| Charset | Specifies the session character set for encoding and decoding character data transferred to and from the Microsoft Excel file. The default value is UTF-8. |
| ClientCulture | This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'. |
| Culture | This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine. |
| CustomHeaders | Specifies additional HTTP headers to append to the request headers created from other properties, such as ContentType and From. Use this property to customize requests for specialized or nonstandard APIs. |
| CustomURLParams | A string of custom URL parameters to be included with the HTTP request, in the form field1=value1&field2=value2&field3=value3. |
| DirectoryRetrievalDepth | Specifies how many levels of subfolders are scanned when IncludeSubdirectories is enabled. |
| ExcludeFiles | A comma-separated list of filters to exclude from the set of files. |
| FolderId | The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations. |
| GenerateSchemaFiles | Indicates the user preference as to when schemas should be generated and saved. |
| IncludeDropboxTeamResources | Indicates if you want to include Dropbox team files and folders. |
| IncludeFiles | A comma-separated list of filters to include from the set of files. |
| IncludeItemsFromAllDrives | Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned. |
| MaxRows | Specifies the maximum number of rows returned for queries that do not include either aggregation or GROUP BY. |
| Other | Specifies advanced connection properties for specialized scenarios. Use this property only under the guidance of our Support team to address specific issues. |
| PseudoColumns | Specifies the pseudocolumns to expose as table columns, expressed as a string in the format 'TableName=ColumnName;TableName=ColumnName'. |
| RowScanDepth | The maximum number of rows to scan to look for the columns available in a table. |
| StringDecode | Specifies whether hexadecimal characters are decoded in query results. |
| Timeout | Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. |
| UserDefinedViews | Specifies a filepath to a JSON configuration file that defines custom views. The provider automatically detects and uses the views specified in this file. |
| UseSimpleNames | Specifies whether or not simple names should be used for schemas, tables and columns. |
The absolute path to the certificate file or the certificate content in PEM format encoded in base64.
The absolute path to the certificate file or the certificate file content in PEM format encoded in base64, depending on the value of AWSCertificateType.
The password for the certificate if applicable, otherwise leave blank.
The password for the certificate if applicable, otherwise leave blank.
The type of AWSCertificate .
This property can take one of the following values:
| PEM_FILE | Absolute path to a certificate file in PEM format. |
| PEM_BLOB | A string (base64-encoded) representing a PEM-encoded certificate. |
The absolute path to the private key file or the private key content in PEM format encoded in base64.
The absolute path to the private key file or the private key file content in PEM format encoded in base64, depending on the value of AWSPrivateKeyType.
The password for the private key if it is encrypted, otherwise leave blank.
The password for the private key if it is encrypted, otherwise leave blank.
The type of AWSPrivateKey .
This property can take one of the following values:
| PEM_FILE | Absolute path to a private key file in PEM format. |
| PEM_BLOB | A string (base64-encoded) representing a PEM-encoded private key. |
Profile to pull policies from.
Profile to pull policies from.
Duration, in seconds, for the resulting session.
Duration, in seconds, for the resulting session. Default: 3600 seconds.
Trust anchor to use for authentication.
Trust anchor to use for authentication.
Specifies the session character set for encoding and decoding character data transferred to and from the Microsoft Excel file. The default value is UTF-8.
Specifies the session character set for encoding and decoding character data transferred to and from the Microsoft Excel file. The default value is UTF-8.
This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'.
This option affects the format of Sync App output. To specify the format that defines how input should be interpreted, use the Culture option. By default the Sync App uses the current locale settings of the machine to interpret input and format output.
This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine.
This property affects the Sync App input. To interpret values in a different cultural format, use the Client Culture property. By default the Sync App uses the current locale settings of the machine to interpret input and format output.
Specifies additional HTTP headers to append to the request headers created from other properties, such as ContentType and From. Use this property to customize requests for specialized or nonstandard APIs.
Use this property to add custom headers to HTTP requests sent by the Sync App.
This property is useful when fine-tuning requests to interact with APIs that require additional or nonstandard headers. Headers must follow the format "header: value" as described in the HTTP specifications and each header line must be separated by the carriage return and line feed (CRLF) characters. Important: Use caution when setting this property. Supplying invalid headers may cause HTTP requests to fail.
A string of custom URL parameters to be included with the HTTP request, in the form field1=value1&field2=value2&field3=value3.
This property enables you to specify custom query string parameters that are included with the HTTP request. The parameters must be encoded as a query string in the form field1=value1&field2=value2&field3=value3, where each value is URL encoded. URL encoding converts the characters in the string that can be transmitted over the internet as follows:
Specifies how many levels of subfolders are scanned when IncludeSubdirectories is enabled.
This connection property only takes effect when the IncludeSubdirectories connection property is set to True and the URI connection property is set to a folder, rather than a workbook file.
When IncludeSubdirectories is enabled, this connection property specifies how many layers of nested folders, relative to the target folder (specified in the URI connection property), the Sync App includes when it searches for workbook files.
For example, a DirectoryRetrievalDepth of 2 means that subfolders of the target folder, and subfolders of those folders, are included, but not further subfolders.
A DirectoryRetrievalDepth of -1 specifies that all subfolders are scanned.
A comma-separated list of filters to exclude from the set of files.
This connection property only takes effect if the URI connection property is set to a folder, rather than a workbook file.
The URI and IncludeSubdirectories connection properties determine which folders the Sync App sources workbooks from when listing metadata.
By default, all workbooks in the specified folders are used to calculate metadata.
However, using this connection property, you can refine this list further to ignore certain workbook files based on filters. If you want to use multiple filters, you can provide them in a comma-separated list.
Supported filters include:
The Sync App also supports the use of DATE Functions to calculate portions of date filters.
For example:
ModifiedDate>=DATETIMEFROMPARTS(2020, 11, 26, 7, 40, 49, 000),ModifiedDate<=CURRENT_TIMESTAMP()
The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations.
The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations.
Indicates the user preference as to when schemas should be generated and saved.
This property outputs schemas to .rsd files in the path specified by Location.
Available settings are the following:
When you set GenerateSchemaFiles to OnUse, the Sync App generates schemas as you execute SELECT queries. Schemas are generated for each table referenced in the query.
When you set GenerateSchemaFiles to OnCreate, schemas are only generated when a CREATE TABLE query is executed.
Another way to use this property is to obtain schemas for every table in your database when you connect. To do so, set GenerateSchemaFiles to OnStart and connect.
Indicates if you want to include Dropbox team files and folders.
In order to access Dropbox team folders and files, please set this connection property to True.
A comma-separated list of filters to include from the set of files.
This connection property only takes effect if the URI connection property is set to a folder, rather than a workbook file.
The URI and IncludeSubdirectories connection properties determine which folders the Sync App sources workbooks from when listing metadata.
By default, all workbooks in the specified folders are used to calculate metadata.
However, using this connection property, you can refine this list further to only include certain workbook files based on filters. If you want to use multiple filters, you can provide them in a comma-separated list.
Supported filters include:
The Sync App also supports the use of DATE Functions to calculate portions of date filters.
For example:
ModifiedDate>=DATETIMEFROMPARTS(2020, 11, 26, 7, 40, 49, 000),ModifiedDate<=CURRENT_TIMESTAMP()
Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned.
If this property is set to 'True', files will be retrieved from all drives, including shared drives. The file retrieval can be limited a specific shared drive or a specific folder in that shared drive by setting the start of the URI to the path of the shared drive and optionally any folder within, for example: 'gdrive://SharedDriveA/FolderA/...'. Additionally, the FolderId property can be used to limit the search to an exact subdirectory.
Specifies the maximum number of rows returned for queries that do not include either aggregation or GROUP BY.
The default value for this property, -1, means that no row limit is enforced unless the query explicitly includes a LIMIT clause. (When a query includes a LIMIT clause, the value specified in the query takes precedence over the MaxRows setting.)
Setting MaxRows to a whole number greater than 0 ensures that queries do not return excessively large result sets by default.
This property is useful for optimizing performance and preventing excessive resource consumption when executing queries that could otherwise return very large datasets.
Specifies advanced connection properties for specialized scenarios. Use this property only under the guidance of our Support team to address specific issues.
This property allows advanced users to configure hidden properties for specialized situations, with the advice of our Support team. These settings are not required for normal use cases but can address unique requirements or provide additional functionality. To define multiple properties, use a semicolon-separated list.
Note: It is strongly recommended to set these properties only when advised by the Support team to address specific scenarios or issues.
| Property | Description |
| DefaultColumnSize | Sets the default length of string fields when the data source does not provide column length in the metadata. The default value is 2000. |
| ConvertDateTimeToGMT=True | Converts date-time values to GMT, instead of the local time of the machine. The default value is False (use local time). |
| RecordToFile=filename | Records the underlying socket data transfer to the specified file. |
Specifies the pseudocolumns to expose as table columns, expressed as a string in the format 'TableName=ColumnName;TableName=ColumnName'.
This property allows you to define which pseudocolumns the Sync App exposes as table columns.
To specify individual pseudocolumns, use the following format:
Table1=Column1;Table1=Column2;Table2=Column3
To include all pseudocolumns for all tables use:
*=*
The maximum number of rows to scan to look for the columns available in a table.
The columns in a table must be determined by scanning table rows. This value determines the maximum number of rows that will be scanned.
Setting a high value may decrease performance. Setting a low value may prevent the data type from being determined properly, especially when there is null data.
Specifies whether hexadecimal characters are decoded in query results.
If this connection property is set to True, hexadecimal characters are decoded and displayed as the special characters they correspond to (for example, [RS]6[GS]).
If this connection property is set to False, hexadecimal characters are displayed as-is (for example, _x001E_6_x001D_).
Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error.
The timeout applies to each individual communication with the server rather than the entire query or operation. For example, a query could continue running beyond 60 seconds if each paging call completes within the timeout limit.
Timeout is set to 60 seconds by default. To disable timeouts, set this property to 0.
Disabling the timeout allows operations to run indefinitely until they succeed or fail due to other conditions such as server-side timeouts, network interruptions, or resource limits on the server.
Note: Use this property cautiously to avoid long-running operations that could degrade performance or result in unresponsive behavior.
Specifies a filepath to a JSON configuration file that defines custom views. The provider automatically detects and uses the views specified in this file.
UserDefinedViews allows you to define and manage custom views through a JSON-formatted configuration file called UserDefinedViews.json. These views are automatically recognized by the Sync App and enable you to execute custom SQL queries as if they were standard database views. The JSON file defines each view as a root element with a child element called "query", which contains the SQL query for the view.
For example:
{
"MyView": {
"query": "SELECT * FROM Sheet WHERE MyColumn = 'value'"
},
"MyView2": {
"query": "SELECT * FROM MyTable WHERE Id IN (1,2,3)"
}
}
You can use this property to define multiple views in a single file and specify the filepath.
For example:
UserDefinedViews=C:\Path\To\UserDefinedViews.jsonWhen you specify a view in UserDefinedViews, the Sync App only sees that view.
For further information, see User Defined Views.
Specifies whether or not simple names should be used for schemas, tables and columns.
Microsoft Excel schemas, tables and columns can use special characters in names that are normally not allowed in standard databases. UseSimpleNames makes the Sync App easier to use with traditional database tools.
Setting UseSimpleNames to true simplifies the names of schemas, tables or columns returned. It also enforces a naming scheme such that only alphanumeric characters and the underscore are valid for the displayed column names.
Any non-alphanumeric characters are converted to underscores.
LZMA from 7Zip LZMA SDK
LZMA SDK is placed in the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or distribute the original LZMA SDK code, either in source code form or as a compiled binary, for any purpose, commercial or non-commercial, and by any means.
LZMA2 from XZ SDK
Version 1.9 and older are in the public domain.
Xamarin.Forms
Xamarin SDK
The MIT License (MIT)
Copyright (c) .NET Foundation Contributors
All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
NSIS 3.10
Copyright (C) 1999-2025 Contributors THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
1. DEFINITIONS
"Contribution" means:
a) in the case of the initial Contributor, the initial code and documentation distributed under this Agreement, and b) in the case of each subsequent Contributor:
i) changes to the Program, and
ii) additions to the Program;
where such changes and/or additions to the Program originate from and are distributed by that particular Contributor. A Contribution 'originates' from a Contributor if it was added to the Program by such Contributor itself or anyone acting on such Contributor's behalf. Contributions do not include additions to the Program which: (i) are separate modules of software distributed in conjunction with the Program under their own license agreement, and (ii) are not derivative works of the Program.
"Contributor" means any person or entity that distributes the Program.
"Licensed Patents " mean patent claims licensable by a Contributor which are necessarily infringed by the use or sale of its Contribution alone or when combined with the Program.
"Program" means the Contributions distributed in accordance with this Agreement.
"Recipient" means anyone who receives the Program under this Agreement, including all Contributors.
2. GRANT OF RIGHTS
a) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, distribute and sublicense the Contribution of such Contributor, if any, and such derivative works, in source code and object code form.
b) Subject to the terms of this Agreement, each Contributor hereby grants Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Contribution of such Contributor, if any, in source code and object code form. This patent license shall apply to the combination of the Contribution and the Program if, at the time the Contribution is added by the Contributor, such addition of the Contribution causes such combination to be covered by the Licensed Patents. The patent license shall not apply to any other combinations which include the Contribution. No hardware per se is licensed hereunder.
c) Recipient understands that although each Contributor grants the licenses to its Contributions set forth herein, no assurances are provided by any Contributor that the Program does not infringe the patent or other intellectual property rights of any other entity. Each Contributor disclaims any liability to Recipient for claims brought by any other entity based on infringement of intellectual property rights or otherwise. As a condition to exercising the rights and licenses granted hereunder, each Recipient hereby assumes sole responsibility to secure any other intellectual property rights needed, if any. For example, if a third party patent license is required to allow Recipient to distribute the Program, it is Recipient's responsibility to acquire that license before distributing the Program.
d) Each Contributor represents that to its knowledge it has sufficient copyright rights in its Contribution, if any, to grant the copyright license set forth in this Agreement.
3. REQUIREMENTS
A Contributor may choose to distribute the Program in object code form under its own license agreement, provided that:
a) it complies with the terms and conditions of this Agreement; and
b) its license agreement:
i) effectively disclaims on behalf of all Contributors all warranties and conditions, express and implied, including warranties or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a particular purpose;
ii) effectively excludes on behalf of all Contributors all liability for damages, including direct, indirect, special, incidental and consequential damages, such as lost profits;
iii) states that any provisions which differ from this Agreement are offered by that Contributor alone and not by any other party; and
iv) states that source code for the Program is available from such Contributor, and informs licensees how to obtain it in a reasonable manner on or through a medium customarily used for software exchange.
When the Program is made available in source code form:
a) it must be made available under this Agreement; and
b) a copy of this Agreement must be included with each copy of the Program.
Contributors may not remove or alter any copyright notices contained within the Program.
Each Contributor must identify itself as the originator of its Contribution, if any, in a manner that reasonably allows subsequent Recipients to identify the originator of the Contribution.
4. COMMERCIAL DISTRIBUTION
Commercial distributors of software may accept certain responsibilities with respect to end users, business partners and the like. While this license is intended to facilitate the commercial use of the Program, the Contributor who includes the Program in a commercial product offering should do so in a manner which does not create potential liability for other Contributors. Therefore, if a Contributor includes the Program in a commercial product offering, such Contributor ("Commercial Contributor") hereby agrees to defend and indemnify every other Contributor ("Indemnified Contributor") against any losses, damages and costs (collectively "Losses") arising from claims, lawsuits and other legal actions brought by a third party against the Indemnified Contributor to the extent caused by the acts or omissions of such Commercial Contributor in connection with its distribution of the Program in a commercial product offering. The obligations in this section do not apply to any claims or Losses relating to any actual or alleged intellectual property infringement. In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, and b) allow the Commercial Contributor to control, and cooperate with the Commercial Contributor in, the defense and any related settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense.
For example, a Contributor might include the Program in a commercial product offering, Product X. That Contributor is then a Commercial Contributor. If that Commercial Contributor then makes performance claims, or offers warranties related to Product X, those performance claims and warranties are such Commercial Contributor's responsibility alone. Under this section, the Commercial Contributor would have to defend claims against the other Contributors related to those performance claims and warranties, and if a court requires any other Contributor to pay any damages as a result, the Commercial Contributor must pay those damages.
5. NO WARRANTY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations.
6. DISCLAIMER OF LIABILITY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. GENERAL
If any provision of this Agreement is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this Agreement, and without further action by the parties hereto, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
If Recipient institutes patent litigation against a Contributor with respect to a patent applicable to software (including a cross-claim or counterclaim in a lawsuit), then any patent licenses granted by that Contributor to such Recipient under this Agreement shall terminate as of the date such litigation is filed. In addition, if Recipient institutes patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Program itself (excluding combinations of the Program with other software or hardware) infringes such Recipient's patent(s), then such Recipient's rights granted under Section 2(b) shall terminate as of the date such litigation is filed.
All Recipient's rights under this Agreement shall terminate if it fails to comply with any of the material terms or conditions of this Agreement and does not cure such failure in a reasonable period of time after becoming aware of such noncompliance. If all Recipient's rights under this Agreement terminate, Recipient agrees to cease use and distribution of the Program as soon as reasonably practicable. However, Recipient's obligations under this Agreement and any licenses granted by Recipient relating to the Program shall continue and survive.
Everyone is permitted to copy and distribute copies of this Agreement, but in order to avoid inconsistency the Agreement is copyrighted and may only be modified in the following manner. The Agreement Steward reserves the right to publish new versions (including revisions) of this Agreement from time to time. No one other than the Agreement Steward has the right to modify this Agreement. IBM is the initial Agreement Steward. IBM may assign the responsibility to serve as the Agreement Steward to a suitable separate entity. Each new version of the Agreement will be given a distinguishing version number. The Program (including Contributions) may always be distributed subject to the version of the Agreement under which it was received. In addition, after a new version of the Agreement is published, Contributor may elect to distribute the Program (including its Contributions) under the new version. Except as expressly stated in Sections 2(a) and 2(b) above, Recipient receives no rights or licenses to the intellectual property of any Contributor under this Agreement, whether expressly, by implication, estoppel or otherwise. All rights in the Program not expressly granted under this Agreement are reserved.
This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights to a jury trial in any resulting litigation.