17.05 - Permanent Proxy Users - Teradata Database

Teradata Vantage™ - SQL Data Control Language

prodname
Advanced SQL Engine
Teradata Database
vrm_release
17.00
17.05
created_date
June 2020
category
Programming Reference
featnum
B035-1149-170K

A permanent proxy user is an existing permanent user who is defined to Teradata Database. A GRANT CONNECT THROUGH request validates that a permanent proxy user who is specified in that request exists in Teradata Database. The anticipated use of permanent proxy users is for intranet-type middle tier applications that, for example, might display employee pay stubs or information about available vacation time.

Teradata Database assigns the name of the permanent proxy user as the creator of any objects created while the proxy connection is in effect.

You cannot have duplicate application and permanent proxy user names for the same trusted user. For example, consider the following GRANT CONNECT THROUGH requests submitted in the order indicated:

GRANT CONNECT THROUGH crm TO PERMANENT mary WITHOUT ROLE;
GRANT CONNECT THROUGH crm TO mary WITH ROLE hr_role;

The second request returns a duplicate proxy user name error because the permanent proxy user named mary already exists as granted through trusted user crm.

The roles that can be set for a permanent proxy user in a proxy connection are different depending on the WITH ROLES clause in the GRANT CONNECT THROUGH request, as listed in the following table:

IF you specify a … THEN …
WITH ROLE clause in your GRANT CONNECT THROUGH request
  • all role names you specify are active in the proxy connection by default.

    The roles in the WITH ROLE clause do not need to be granted directly to the user. The GRANT CONNECT THROUGH request grants this privilege by default.

  • the specified roles are the only roles that can be set for the proxy connection.
  • setting the current role to NONE or NULL in the proxy connection is not permitted.
  • the privileges for the proxy connection are those for its active roles and PUBLIC.
WITHOUT ROLE clause in your GRANT CONNECT THROUGH request
  • the default role for the proxy connection is the default role defined for the permanent user.
  • the roles that can be set for the proxy connection are restricted to those granted to the user.

    In this case, the role in the proxy connection can also be set to NONE or NULL.

  • the privileges for the proxy connection are those granted to the permanent user, its active roles, and PUBLIC.