17.10 - Function of CREATE AUTHORIZATION Requests - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - SQL Data Definition Language Detailed Topics

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Programming Reference
Publication ID
B035-1184-171K
Language
English (United States)

The purpose of an authorization object is to specify the user context to use when running an external routine that performs operating system I/O operations. See CREATE FUNCTION and REPLACE FUNCTION (External Form), CREATE FUNCTION (Table Form), CREATE METHOD, CREATE PROCEDURE and REPLACE PROCEDURE (External Form), and Teradata Vantage™ - SQL External Routine Programming, B035-1147.

Authorization objects associate a user with an OS platform user ID. With an OS platform user ID, a user can log onto a database node as a native operating system user and be able to run external routines that perform OS-level I/O operations.

You must create an authorization object for any external routine that has an EXTERNAL SECURITY clause as part of its definition. You must define authorization objects for the following users and situations:
  • A user who needs to run external routines that contain an INVOKER security clause.
  • A user who needs to be the definer of any external routine modules that contain the DEFINER external clause.

Without the appropriate authorization objects having been created, none of the external routines containing an EXTERNAL SECURITY clause can run.

When you submit a CREATE AUTHORIZATION statement, the system validates the values for the specified user variables. If the specified user object has not yet been created on all database nodes or if any of the other information you specified is not correct, the statement returns an error message to the requestor.

The system permits only three failed attempts to create an authorization object. After three failed attempts, the system returns an appropriate error message to the requestor.

You must first log off the system and then log back on. The DBA also has the option of activating access logging on CREATE AUTHORIZATION to enable the tracking of suspicious attempts to perform it. See BEGIN LOGGING in Teradata Vantage™ - SQL Data Definition Language Syntax and Examples, B035-1144.