17.10 - Query Bands, Trusted Sessions, and Roles - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - SQL Data Definition Language Detailed Topics

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Programming Reference
Publication ID: B035-1184-171K
Language: English (United States)

The following rules apply to the enforcement of CONNECT THROUGH privilege-defined roles in a trusted session.

  • If a CONNECT THROUGH privilege specifies roles, then the following rules apply.
    • You cannot specify a PROXYROLE if you do not also specify a PROXYUSER.
    • You must use PROXYROLE to set the role in a trusted session because you cannot specify a SET ROLE request in a trusted session.
    • If PROXYROLE is not specified in the privilege definition, then all roles specified for the privilege are active.
    • PROXYROLE can be set to any role in the privilege. If you make this specification, then only that role is active.
    • PROXYROLE cannot be set to NONE or NULL.
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE, then the following rules apply.
    • If PROXYROLE is not specified in the privilege definition, then the active role is the default role for the permanent proxy user.
    • PROXYROLE can be set to any role that has been granted to the permanent proxy user.
    • PROXYROLE can be set to NONE or NULL.
  • If a CONNECT THROUGH privilege defines proxy roles, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • Active proxy roles
    • PUBLIC
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE for a permanent user, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • The permanent user
    • Active roles
    • PUBLIC
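
The role rules above can be checked mechanically when reviewing what a trusted session is allowed to do. The following Python model is an added example, not Teradata code: the class, function and role names are hypothetical, the query band is assumed to be a string of semicolon-separated `NAME=value` pairs, and names are assumed to compare case-insensitively. It returns the grantees whose privileges the session receives and rejects the combinations the rules forbid.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnectThrough:
    """Constructed model of one CONNECT THROUGH privilege (not a Teradata API)."""
    roles: frozenset = frozenset()          # roles named in the privilege; empty = WITHOUT ROLE
    permanent_user: str = ""                # WITHOUT ROLE only: the permanent proxy user
    default_role: str = ""                  # WITHOUT ROLE only: that user's default role
    granted_roles: frozenset = frozenset()  # WITHOUT ROLE only: roles granted to that user

def parse_query_band(band):
    """Split 'NAME=value;NAME=value;' into a dict; names and values are upper-cased."""
    pairs = (p.split("=", 1) for p in band.split(";") if "=" in p)
    return {k.strip().upper(): v.strip().upper() for k, v in pairs}

def session_grantees(priv, band):
    """Return the grantees whose privileges the trusted session receives."""
    qb = parse_query_band(band)
    role = qb.get("PROXYROLE")
    if role is not None and "PROXYUSER" not in qb:
        raise ValueError("PROXYROLE requires PROXYUSER")
    no_role = role in ("NONE", "NULL")
    if priv.roles:                          # the privilege specifies roles
        if no_role:
            raise ValueError("PROXYROLE cannot be NONE or NULL for this privilege")
        if role is None:
            active = set(priv.roles)        # all roles in the privilege are active
        elif role in priv.roles:
            active = {role}                 # only the selected role is active
        else:
            raise ValueError("PROXYROLE is not a role in the privilege")
        return active | {"PUBLIC"}
    # WITHOUT ROLE: the permanent user's own privileges also apply
    if role is None:
        active = {priv.default_role} if priv.default_role else set()
    elif no_role:
        active = set()                      # no role active, user and PUBLIC remain
    elif role in priv.granted_roles:
        active = {role}
    else:
        raise ValueError("PROXYROLE is not granted to the permanent user")
    return active | {priv.permanent_user, "PUBLIC"}

# Constructed sample privileges; all names are hypothetical and stored upper-cased.
WITH_ROLES = ConnectThrough(roles=frozenset({"SALES_R", "AUDIT_R"}))
WITHOUT_ROLE = ConnectThrough(permanent_user="PERM_JOE", default_role="HR_R",
                              granted_roles=frozenset({"HR_R", "PAYROLL_R"}))
```

Omitting PROXYROLE under a privilege that names several roles activates all of them, so a least-privilege review should look for query bands that set PROXYUSER alone.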

Vantage enforces two exceptions to these rules. In these exceptional cases, Vantage does not enforce the privileges established for the proxy user, but instead enforces the privileges stated in the following table.

| FOR this database object type … | THE following rules for privilege enforcement apply … |
|---|---|
| macro | The immediately owning database or user must have all the appropriate privileges for executing the macro. |
| SQL procedure | The following check is made only if the procedure is created using SQL SECURITY INVOKER. Otherwise, the proxy user privileges are not used. Vantage checks the privileges of the immediate owner of the procedure for all statements specified in, and all objects referenced in, the procedure body during its execution. |