Unless the WITH TRUST_ONLY option is specified, do not use trusted sessions with applications that permit end users to submit or modify SQL requests sent to Teradata Database.
The GRANT CONNECT THROUGH statement is a special version of the SQL form of the GRANT statement. It allows you to grant the CONNECT THROUGH privilege to the specified permanent user or application user through the specified trusted user.
These users are defined in the following table.
| User | Definition |
|---|---|
| Application user | The name of an application user to which the GRANT CONNECT proxy logon privilege is to be granted. Application user names are not defined in Teradata Database, but they must follow Teradata object naming conventions. You can specify up to 25 names in a single grant request. The specified names are then added to the grant privileges for the specified trusted user. There is no limit to the number of application user names that can be granted logon privileges to a single trusted user. |
| Permanent user | A user who is defined to Teradata Database. In a GRANT CONNECT THROUGH request, this is the name of a user to whom the proxy logon privilege is to be granted. There is no limit to the number of permanent users who can be granted logon privileges to a trusted user. |
| Trusted user | A permanent user, previously defined to Teradata Database, who receives the CONNECT THROUGH privilege by means of a GRANT CONNECT THROUGH request. This grants the trusted user the ability to assert the identity of the proxy user specified in the GRANT CONNECT THROUGH request. |
Application users and permanent users are collectively referred to as proxy users.
A proxy user is any user who connects to Teradata Database using the session of a trusted user.
A proxy connection is a Teradata Database session in which the privileges and profile attributes that are used are those of a proxy user.
Performance management APIs such as MonitorSession and AbortSession identify sessions by their trusted user name.
When Teradata Active System Management rules are enforced for a permanent proxy user, rule qualification by user name, account, and profile is based on the proxy user’s name, account, and profile.
For an application proxy user, rule qualification by user name is based on the trusted user's name. If the application proxy user has a profile, qualification by profile is based on the proxy user’s profile, and qualification by account name is based on the profile account name. If the application proxy user does not have a profile, qualification by account and profile is based on the trusted user's account and profile.
|Proxy User Type||Rights and Session Attributes|
- USER returns the name of the trusted user for the session.
- CURRENT_USER returns the proxy user name if the user is in a proxy connection; otherwise, CURRENT_USER returns the session user name.
- ROLE returns the current role name for the trusted user.
- CURRENT_ROLE returns the proxy user current role if the user is in a proxy connection; otherwise, it returns the trusted user role name.
See Teradata Vantage™ - SQL Functions, Expressions, and Predicates, B035-1145 for details.
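The following SQL is an added example, not taken from the original page. It shows a grant without WITH TRUST_ONLY beside the trust-only form, then how the four functions listed above separate the trusted user from the proxy user inside a proxy connection. The names app_pool, sales_etl, web_jdoe and sales_read are hypothetical, and the SET QUERY_BAND statements used to assert and clear the proxy user do not appear on the page.

```sql
-- Added example. app_pool (trusted user), sales_etl (permanent user),
-- web_jdoe (application user) and sales_read (role) are hypothetical names.

-- Form 1: no WITH TRUST_ONLY.
-- Any request on an app_pool session can assert the proxy identity, so this
-- form is only appropriate when end users cannot submit or modify the SQL
-- that the application sends to the database.
GRANT CONNECT THROUGH app_pool
  TO PERMANENT sales_etl WITHOUT ROLE;

-- Form 2: WITH TRUST_ONLY.
-- The proxy identity is accepted only from requests that the middle tier
-- itself marks as trusted, not from SQL text passed through from end users.
-- web_jdoe is an application user: it is not defined in the database and
-- receives its rights through the role named in the grant.
GRANT CONNECT THROUGH app_pool WITH TRUST_ONLY
  TO web_jdoe WITH ROLE sales_read;

-- On a session that logged on as app_pool, the middle tier asserts the
-- end user's identity for the proxy connection.
SET QUERY_BAND = 'PROXYUSER=web_jdoe;' FOR SESSION;

-- Attribution check inside the proxy connection.
-- USER and ROLE describe the trusted user (app_pool).
-- CURRENT_USER and CURRENT_ROLE describe the proxy user (web_jdoe).
-- Auditing or row filtering that keys on USER alone sees every end user as
-- app_pool; key on CURRENT_USER to attribute activity to the proxy user.
SELECT USER         AS trusted_user,
       CURRENT_USER AS effective_user,
       ROLE         AS trusted_user_role,
       CURRENT_ROLE AS effective_role;

-- Clear the session query band before the pooled session is reused, so the
-- next request does not run under the previous proxy identity.
SET QUERY_BAND = NONE FOR SESSION;
```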
If logon restrictions have been set, such as restricting logons by IP address, the system enforces them only for the trusted user logon.
Such restrictions are not enforced when a proxy username is asserted for the session.