To make a proxy user connection, a middle tier application that is connected as a trusted user issues a SET QUERY_BAND request that specifies the proxy user name and an optional proxy role for that user. The reserved query band names PROXYUSER and PROXYROLE are used to specify a trusted session user name and proxy role name in the SET QUERY_BAND request, respectively.
When making proxy user connections, a SET QUERY_BAND request performs the following actions:
- If the query band specifies PROXYUSER, Vantage validates that the current user has privileges to connect as the specified proxy user.
- If the query band specifies PROXYROLE, Vantage validates that the role can be set for the specified proxy user.
- If the validation passes, Vantage sets the session to the specified proxy user name and proxy role name.
Once the proxy connection is made, Vantage uses the proxy user and the proxy role to determine the privileges for all subsequent requests in the session.
The trusted session lasts for the life of the query band.
- The session query band remains set for the session and ends only when one of the following occurs:
  - The session ends.
  - You set the query band to NONE.

  The session query band is stored in DBC.SessionTbl, and the database recovers it after a system reset.
- The transaction query band is discarded when either of the following occurs:
  - The transaction ends (whether by commit, rollback, or abort).
  - The transaction query band is set to NONE.

  The transaction query band is not restored after a system reset.
A SET QUERY_BAND request that specifies PROXYUSER or PROXYROLE fails in any of the following cases:
- The proxy user does not have CONNECT THROUGH privileges with the trusted user.
- The proxy user has not been granted privileges for the specified proxy role.
- The request attempts to set a PROXYUSER for a transaction when a trusted session already exists at the session level.
- The request attempts to set a PROXYUSER for a session when a transaction proxy connection already exists.
- The request attempts to set a PROXYROLE when it is not in a trusted session.
- The request attempts to set a PROXYROLE to NONE or NULL when roles are defined for the trusted user in the GRANT CONNECT THROUGH privilege.
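
The SET QUERY_BAND request described above is assembled by the middle tier from the end user's name, so the name must not be able to add or change a name=value pair. The following is an added example, not Teradata's code, of a helper that builds the request text and the statement that sets the query band to NONE. The function names, the sample names `fred` and `sales_ro`, and the restriction to plain unquoted identifiers are assumptions.

```python
import re

# Assumption: proxy user and role names are plain unquoted identifiers.
# The allow-list excludes ';' and '=' (query band pair delimiters) and
# "'" (SQL string delimiter), so a name cannot add or alter a pair.
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")
_SCOPES = ("SESSION", "TRANSACTION")


def _checked(kind, value):
    if not isinstance(value, str) or not _NAME.fullmatch(value):
        raise ValueError(f"invalid {kind}: {value!r}")
    return value


def _scope(scope):
    scope = str(scope).upper()
    if scope not in _SCOPES:
        raise ValueError(f"scope must be one of {_SCOPES}")
    return scope


def build_proxy_query_band(proxy_user, proxy_role=None, scope="SESSION"):
    """Return the SET QUERY_BAND text that requests a proxy connection."""
    band = f"PROXYUSER={_checked('proxy user', proxy_user)};"
    if proxy_role is not None:
        band += f"PROXYROLE={_checked('proxy role', proxy_role)};"
    return f"SET QUERY_BAND = '{band}' FOR {_scope(scope)};"


def clear_query_band(scope="SESSION"):
    """Return the statement that sets the query band to NONE."""
    return f"SET QUERY_BAND = NONE FOR {_scope(scope)};"


if __name__ == "__main__":
    # Constructed sample names, not taken from the page.
    print(build_proxy_query_band("fred", "sales_ro"))
    print(clear_query_band())
```

The helper only keeps the request well formed; the database still decides whether the trusted user may connect as the named proxy user and role.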