Access Logging for Directory-Based Users | Teradata Vantage - 17.10 - Using Access Logging for Directory-Based Users - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

Access logging of directory users generally follows the same rules as access logging of database users, with the following exceptions:
  • A SELECT USER request normally returns the current user for a session. When a directory-based user is logged on, a SELECT USER request returns either:
    • The name of the permanent user to which the directory user is mapped
    • The authcid (logon username) of the directory user, if not mapped to a permanent user
  • A SELECT ROLE request returns the current role for the session. If the directory user is mapped only to EXTUSER, the initial current role for a directory-based logon is a dummy role called EXTERNAL. Any time the directory-assigned roles are enabled, a SELECT ROLE request returns EXTERNAL as its result.

During access logging, the system identifies directory users by their authcid, which it stores in DBC.SessionTbl.AuditTrailId when it establishes the session.

The format of the stored authcid is the same for all directory types.

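If the authcid exceeds 128 bytes in length (as converted), the system truncates it at 128 bytes. Therefore, all authcids should be unique within their first 128 bytes; otherwise, two directory users whose authcids differ only after that point are recorded under the same AuditTrailId value.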
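
One way to check a list of directory authcids against the 128-byte rule before relying on AuditTrailId to tell users apart. This is an added example, not Teradata code: the function names and sample authcids are constructed, and UTF-8 is an assumed conversion because the page says only "as converted".

```python
from collections import defaultdict

AUDIT_TRAIL_ID_LIMIT = 128  # bytes kept in DBC.SessionTbl.AuditTrailId, per the rule above


def stored_form(authcid, encoding="utf-8", limit=AUDIT_TRAIL_ID_LIMIT):
    """Bytes that survive truncation. The encoding is an assumption; pass the
    one your system actually converts to."""
    return authcid.encode(encoding)[:limit]


def oversize(authcids, encoding="utf-8", limit=AUDIT_TRAIL_ID_LIMIT):
    """Authcids whose converted length exceeds the limit (measured in bytes,
    not characters, so multi-byte names can exceed it with few characters)."""
    return [a for a in authcids if len(a.encode(encoding)) > limit]


def find_truncation_collisions(authcids, encoding="utf-8", limit=AUDIT_TRAIL_ID_LIMIT):
    """Group distinct authcids that become indistinguishable after truncation."""
    groups = defaultdict(set)
    for authcid in authcids:
        groups[stored_form(authcid, encoding, limit)].add(authcid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample input (hypothetical names, not from any real directory).
_LONG = "svc-" + "regional-warehouse-etl-" * 6           # 142 ASCII bytes
SAMPLE_AUTHCIDS = [
    "jsmith@example.com",                                 # short, unaffected
    _LONG + "east@example.com",                           # differs only after byte 128
    _LONG + "west@example.com",
    "é" * 70 + "-a",                                      # 72 characters, 142 UTF-8 bytes
    "é" * 70 + "-b",
]

if __name__ == "__main__":
    for name in oversize(SAMPLE_AUTHCIDS):
        print(f"truncated in audit trail: {name[:40]}... ({len(name.encode('utf-8'))} bytes)")
    for prefix, names in find_truncation_collisions(SAMPLE_AUTHCIDS).items():
        print(f"{len(names)} authcids share one stored value:")
        for name in names:
            print(f"  ...{name[-20:]}")
```

Any group reported by `find_truncation_collisions` identifies users whose access log entries cannot be attributed to one person from AuditTrailId alone.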