17.05 - Teradata Server Software Enforcement of Trusted Sessions - Teradata Database

Teradata Vantage™ - SQL Data Control Language

prodname
Advanced SQL Engine
Teradata Database
vrm_release
17.00
17.05
created_date
June 2020
category
Programming Reference
featnum
B035-1149-170K

It is assumed that applications that use the trusted sessions feature will submit both trusted and nontrusted requests. It is the application, and not Teradata Database, that knows which requests can be trusted and which cannot. Teradata Database just verifies that the SET QUERY_BAND request with a PROXYUSER is a trusted request if the logon user has the WITH TRUST_ONLY option set.

Server software enforces trusted requests by means of GRANT CONNECT THROUGH requests that set trusted users to have the TRUST_ONLY privilege. If you specify the WITH TRUST_ONLY option for a trusted user, Teradata Database validates that a request to set a Proxy User is trusted; otherwise, it aborts the request and returns an error to the requestor.

Suppose a middle tier application submits the following SET QUERY_BAND request with a PROXYUSER.

SET QUERY_BAND = 'PROXYUSER=client787';

The following outcomes are possible, depending on whether the request is trusted and what CONNECT THROUGH privileges have been granted to the application user that submits it.

IF the trusted user has … AND the Trusted flag of the Options parcel … THEN the request is …
been granted the TRUST_ONLY privilege is set to Y trusted.

SET QUERY_BAND … PROXYUSER requests are permitted.

  is set to N not trusted.

SET QUERY_BAND … PROXYUSER requests are aborted.

not been granted the TRUST_ONLY privilege is set to Y neither trusted nor not trusted.

Teradata Database ignores the setting of the flag.

  is set to N neither trusted nor not trusted.

Teradata Database ignores the setting of the flag.

This is the default setting.