17.10 - Creating and Dropping External Roles - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

You can specify EXTERNAL ROLE in the standard CREATE/DROP ROLE syntax to create external roles for directory users. The user that executes a CREATE/DROP EXTERNAL ROLE statement must have CREATE ROLE and DROP ROLE privileges. For example:

CREATE EXTERNAL ROLE ext_role_name;

or

DROP EXTERNAL ROLE ext_role_name;

If you drop a database role while including EXTERNAL in the syntax, or drop an external role without including the EXTERNAL keyword, the system returns an error. For example:

DROP EXTERNAL ROLE dbrole;
Failure 5933: Role being dropped is not an external role

DROP ROLE extrole;
Failure 5934: Role being dropped is an external role

The system records external roles in the data dictionary, along with database roles, but when you map an external role to a directory user, the system does not insert a row in DBC.RoleGrants.

The method for granting privileges to an external role is similar to granting privileges to a database role. See Creating Roles.
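
The following is an added example, not taken from the Teradata documentation, that walks through the lifecycle described above and adds an access-review query over the data dictionary. The role name ext_hr_readers and the database hr_db are constructed for illustration; the dictionary views DBC.RoleInfoV (with its ExtRole flag) and DBC.AllRoleRightsV are assumed to be available in your release.

```sql
-- Added example. ext_hr_readers and hr_db are constructed names.
-- The executing user needs the CREATE ROLE and DROP ROLE privileges.

-- 1. Create the external role that directory users will be mapped to.
CREATE EXTERNAL ROLE ext_hr_readers;

-- 2. Grant privileges to it the same way as to a database role.
GRANT SELECT ON hr_db TO ext_hr_readers;

-- 3. Access review: list every external role recorded in the data
--    dictionary together with the rights it carries. Roles that have
--    no rights yet still appear, because of the LEFT JOIN.
--    Assumption: DBC.RoleInfoV exposes ExtRole = 'Y' for external roles.
SELECT r.RoleName,
       r.CreatorName,
       r.CreateTimeStamp,
       p.DatabaseName,
       p.TableName,
       p.AccessRight
FROM DBC.RoleInfoV r
LEFT JOIN DBC.AllRoleRightsV p
       ON p.RoleName = r.RoleName
WHERE r.ExtRole = 'Y'
ORDER BY r.RoleName, p.DatabaseName, p.TableName;

-- Mapping an external role to a directory user inserts no row in
-- DBC.RoleGrants, so a review based only on that table does not show
-- which directory users hold the role. The query above covers what the
-- role can do, not who is mapped to it.

-- 4. Remove the role. The EXTERNAL keyword is required here;
--    DROP ROLE ext_hr_readers would fail with error 5934.
DROP EXTERNAL ROLE ext_hr_readers;
```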

A user can occupy a maximum of 50 roles. If the maximum is exceeded, an error is reported.