17.10 - Using IP Access Restrictions - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

  • If any IP filter rejects a user, the user logon fails, even if all other filters allow the user.
  • There is no limit to the number of IP restrictions concurrently in effect, but the database limits the size of the GDO that contains the restrictions to 128 KB, for both XML and directory implementations. If you plan IP restrictions carefully, the 128 KB limit should be sufficient for most systems.
    • The GDO can contain dozens of filters and over 10,000 user names of 10 characters.
    • Companies with very large user bases can save GDO space by employing the directory-based implementation of IP restrictions and mapping multiple directory users to a smaller number of Teradata Vantage users that have the same access restrictions.
  • Only a single set of restrictions, either XML or directory based, can exist at a time.
  • To change the IP restrictions, revise the existing XML document or directory setup and then re-import the file into the GDO using the appropriate utility. The new restrictions overwrite the old GDO. See Editing or Disabling IP Restrictions.
  • You must perform a database restart to activate the initial IP restrictions. Subsequent changes to the restrictions do not require a restart. For more information, see the tpareset utility in Teradata Vantage™ - Database Utilities, B035-1102.
  • Unity does not require a restart to see new or changed IP restrictions.
  • Use of some applications, for example, network address translation (NAT) devices or other middleware, prevents the Teradata Vantage gateway from seeing or restricting the user IP address. However, Unity passes IP addresses to the gateway for enforcement.
  • If you add or alter an IP restriction that denies access to the IP address through which the user is already logged on, the pre-existing user session remains connected. The gateway denies the user access from that IP at the next logon, including a reconnect of the pre-existing session caused by a system restart.
  • You can create IP restrictions for either IPv4 or IPv6 formatted IP addresses.
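
The following added example is not Teradata code and does not use the product's XML or directory schema. It models the rule that a single rejecting filter fails the logon, and lists sessions that stay connected after a change but would be denied at their next logon or reconnect. The filter structure (allow/deny CIDR lists, deny taking precedence, users covered by no filter treated as unrestricted), the names and the sample addresses are all assumptions made for illustration.

```python
# Added illustration: a simplified, hypothetical model of IP filters.
# It is not Teradata's XML or directory format.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class IPFilter:
    name: str
    users: set                                  # user names the filter applies to
    allow: list = field(default_factory=list)   # CIDR strings, IPv4 or IPv6
    deny: list = field(default_factory=list)

    def accepts(self, addr):
        """Assumed rule: a deny match rejects; otherwise an allow match is required."""
        def hit(cidrs):
            # An IPv4 address is never "in" an IPv6 network (and vice versa),
            # so a filter may list both address families side by side.
            return any(addr in ip_network(c) for c in cidrs)
        return not hit(self.deny) and hit(self.allow)


def logon_allowed(user, ip, filters):
    """Rule from the page: one rejecting filter fails the logon, whatever the others say."""
    addr = ip_address(ip)
    applicable = [f for f in filters if user in f.users]
    # Assumption: a user covered by no filter is unrestricted (all([]) is True).
    return all(f.accepts(addr) for f in applicable)


def denied_at_next_logon(sessions, filters):
    """Sessions still connected now that would fail at the next logon or reconnect."""
    return [(u, ip) for u, ip in sessions if not logon_allowed(u, ip, filters)]


# Constructed sample data (documentation address ranges only).
FILTERS = [
    IPFilter("office", {"etl_user", "analyst1"},
             allow=["192.0.2.0/24", "2001:db8:10::/48"]),
    IPFilter("no_jump_host", {"analyst1"},
             allow=["0.0.0.0/0", "::/0"], deny=["192.0.2.50/32"]),
]
SESSIONS = [("etl_user", "192.0.2.50"), ("analyst1", "192.0.2.50"),
            ("analyst1", "2001:db8:10::7"), ("etl_user", "198.51.100.9")]

if __name__ == "__main__":
    for user, ip in denied_at_next_logon(SESSIONS, FILTERS):
        print(f"{user} from {ip}: connected now, denied at next logon")
```

Running a check like this against the planned restriction set before import shows which users a conflicting filter would lock out, and which live sessions will fail on reconnect after a system restart.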