17.10 - Using tdspolicy to Find Policy Assignments for a User - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

You can run the tdspolicy tool from the command prompt on a Teradata Vantage node to investigate the security policy assignments that are currently in effect for a specific combination of user, profile, and logon IP address.

tdspolicy example:

tdspolicy -u user -i ip_address [-s service] [-p profile]
user
Specify a Vantage user name in these cases:
  • The user is authenticated by Teradata (TD2 mechanism)
  • The user is authenticated by Kerberos (KRB5 mechanism) or LDAP and AuthorizationSupported=no
  • The user is authenticated by Kerberos (KRB5 mechanism) or LDAP, AuthorizationSupported=yes, and the user is mapped to a tdatUser entry.

    If a directory user is mapped to multiple tdatUser objects, and more than one object has security policy assignments, the most restrictive policy applies. For details, see the configuration instruction for each policy type.

Specify the DN of a directory principal for a directory user if the user is authenticated using KRB5 or LDAP, AuthorizationSupported=yes, and the user is not mapped to a tdatUser entry.
ip_address
The IP address from which the user logs on.
service
[Required to return information on a local security policy.] Specify the DN of the service that contains the local policy.
If the -u user authenticates in a specific service, -s must specify the DN of that service.
If this option is not present to request local policy information for a specific service, tdspolicy returns information for the global policy, if a global policy exists.
For information on global policy, see Configuring Policy-Related Properties for a Global Security Policy.
profile
[Optional] Identifies an existing profile that is assigned to the user.
For permanent Vantage users, profile is the profile specified in the user definition. For directory principals, it is a profile to which the principal is mapped in the directory.
The tdspolicy command returns information indicating whether any policy applies to the specified profile.
If a directory principal is mapped to a Vantage user and a profile in the directory, the mapped profile takes precedence over the profile assigned to the mapped permanent user.

For externally authenticated or authorized users, you can use tdgssauth to obtain the tdspolicy command line arguments:

$ tdgssauth -m ldap -u diperm01 -i 141.206.3.15
TDGSS_BIN_FILE not set.
TDGSSCONFIG GDO used in tdgss.
Please enter a password: 
                        Status: authenticated, not authorized
                 Database user: perm01 [permanent user]
                       Profile: profile01
                External roles: extrole01perm01, extrole02perm01, extrole03perm01
            Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
        Audit trail identifier: diperm01
        Authenticating service: esroot1
     Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
       Mechanism specific data: diperm01

 Security context capabilities: replay detection
                                out of sequence detection
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

 Minimum quality of protection: high with confidentiality and integrity
                       Options: none

$