17.05 - Examples of Using GRANT CONNECT THROUGH - Teradata Database

Teradata Vantage™ - SQL Data Control Language

prodname
Advanced SQL Engine
Teradata Database
vrm_release
17.00
17.05
created_date
June 2020
category
Programming Reference
featnum
B035-1149-170K

Granting CONNECT THROUGH privilege to a Permanent User

The following GRANT CONNECT THROUGH request grants the CONNECT THROUGH privilege to permanent user sbd with the assigned proxy connection role admin through trusted user viewpoint.

GRANT CONNECT THROUGH viewpoint
TO PERMANENT sbd
WITH ROLE admin;

After this request has been successfully submitted, user sbd has proxy connect privileges through the trusted user viewpoint, and whenever sbd makes a proxy connection, the system assigns him to the admin role.

Specifying Roles for a Proxy Connection

All roles specified in the WITH ROLE clause of this example are active by default in the proxy connection.

If no ProxyRole is set for application user dg120 in the proxy connection, the active roles are salesrole1, salesrole2, and salesrole3.

The proxy connection can be set to one role that is in the WITH ROLE clause. For example, the ProxyRole for application user dg120 can be set to salesrole1, salesrole2, or salesrole3, but no other roles are permitted.

GRANT CONNECT THROUGH dcm
TO dg120, ks392, lm190
WITH ROLE salesrole1, salesrole2, salesrole3;

Specifying WITHOUT ROLE for a Proxy Connection

When you set a WITHOUT ROLE clause for a permanent proxy user, as the following request demonstrates, the system uses the privileges and roles granted to that permanent user, and the default proxy role is the default role defined for the proxy permanent user.

The roles that can be set for the proxy user are restricted to the roles granted to the proxy permanent user.

GRANT CONNECT THROUGH trm
TO PERMANENT accting
WITHOUT ROLE;

Specifying the WITH TRUST_ONLY Option

The WITH TRUST_ONLY option restricts a middle tier application from submitting SET QUERY_BAND requests that set, change, or remove a PROXYUSER or PROXYROLE for the case where a trusted request is required.

The following request restricts trusted user_name from submitting SET QUERY_BAND requests from a middle tier application unless the application sets the Trusted field in the Options parcel to Y, which indicates that the request is trusted.

See Teradata® Call-Level Interface Version 2 Reference for Mainframe-Attached Systems, B035-2417 or Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems, B035-2418 for details about the Options parcel.

This assumes that the middle tier application uses the CLIv2 API. Refer to the appropriate Teradata Tools and Utilities manual for your application to determine the mechanism for specifying this information for that API.

GRANT CONNECT THROUGH  user_name  WITH TRUST_ONLY;

Note that if the application does not set the Trusted field in the Options parcel to Y, Teradata Database aborts any SET QUERY_BAND request that user_name submits.

See