Creating an IP XML Restriction Document | Teradata Vantage - 17.10 - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

After you design the needed IP filters, you can use them to create an XML restriction document.

The examples in the following procedure use the filters created in Designing IP XML Restrictions.
  1. Open a text editor, such as vi or Notepad.
  2. Create the framework for the XML document, specifying the required information and element tags, using this syntax:
    <?xml version="xml_version" encoding="encoding"?>
    <tdat name="tdat">
      <system name="system_name">
        <users>
           user [...]
        </users>
        <ipfilters>
          primary_filter_definition
          secondary_filter_definition
        </ipfilters>
      </system>
    </tdat>
    user
    <user name="user_name" tag="user_tag"/>
    primary_filter_definition
    <ipfilter name="primary_filter_name" type="restrictive">
      <allow ip="primary_filter_ip_range"/>
      <deny ip="primary_filter_deny_range"/>
      <appliesto tagref="user_tag"/> [...]
    </ipfilter>
    secondary_filter_definition
    <ipfilter name="secondary_filter_name" type="permissive">
      <deny ip="secondary_filter_deny_range"/>
      <allow ip="secondary_filter_ip_range"/>
      <appliesto tagref="user_tag"/> [...]
    </ipfilter>
    xml_version
    Indicates the version of XML you are using to generate the document. This specification is for reference only. Example: 1.0
    encoding
    Defines the character set you are using in the XML document. Example: UTF-8
    tdat
    Specifies the name of XML document root element. Example: tdat. See tdat.
    system_name
    Specifies the name of the system to which the IP restrictions apply. The name must correspond to the tdpid that affected users specify when they log on to the database. Example: gizmo. See users.
    user
    User to which the restrictions in the XML document apply. Examples in a later step. See users.
    primary_filter_definition
    Definition of the primary filter, a restrictive filter: it denies every IP address by default, allows only the addresses in its allow elements, and carves out exceptions to those allowed ranges with its deny elements. Example in a later step.
    secondary_filter_definition
    Definition of the secondary filter, a permissive filter: it allows every IP address by default, denies only the addresses in its deny elements, and carves out exceptions to those denied ranges with its allow elements. Example in a later step.
    user_name
    Vantage username. Examples in a later step.
    user_tag
    An XML document tag that links the corresponding Vantage username to an IP filter, when the tag value appears in the appliesto tagref attribute of the filter.
    Each appliesto tagref value must correspond to a tag attribute for an individual Vantage user listed in a user element in the document.
    Examples in later steps.
    primary_filter_name
    Specifies the name of the primary filter listed in the restriction document, a restrictive filter. Example: filter1.
    primary_filter_ip_range
    Specifies the IP range allowed by primary_filter_name.
    Example: 141.206.0.0/255.255.0.0
    • 141.206.0.0/ allows access to the database for any IP address within the 141.206 subnet unless it explicitly appears in primary_filter_deny_range.

      Because the filter is restrictive, it automatically denies access to all IPs outside those specified in the allow element.

    • 255.255.0.0 defines the allow element mask.

      The zeros in the third and fourth segments cause the filter to test only the first 16 bits of the incoming IP address against the allowed IP.

    primary_filter_deny_range
    Specifies the range of the primary deny filter.
    Example: 141.206.35.0/255.255.255.0
    • 141.206.35.0/ denies access to IPs in the 141.206.35 subnet, even though the subnet is within the 141.206 range specified in primary_filter_ip_range.
    • 255.255.255.0 defines the deny element mask.

      This mask causes the filter to test the first 24 bits of an incoming IP address against the denied IP. The zero indicates the filter does not use the last 8 bits of an incoming IP address in deny-testing.

    secondary_filter_name
    Specifies the name of the secondary filter listed in the restriction document, a permissive filter. Example: filter2
    secondary_filter_deny_range
    Specifies the range of the secondary deny filter.
    Example: 141.206.35.0/255.255.255.0
    • 141.206.35.0/ denies access to the database for any IP address within the 141.206.35 subnet unless it explicitly appears in secondary_filter_ip_range.

      Because the filter is permissive, it allows access to all other IPs outside those specified in the deny elements.

    • 255.255.255.0 defines the deny element mask.

      The 255 in each decimal-separated segment of the mask indicates the filter tests the corresponding segment of the IP address for access denial.

      This mask causes the filter to test the first 24 bits of the incoming IP address against the denied IP.

    secondary_filter_ip_range
    Specifies the IP exceptions allowed by secondary_filter_name.
    Example: 141.206.35.175/255.255.255.255
    • 141.206.35.175/ allows access to the database for IP address 141.206.35.175 even though it is otherwise disallowed by the more general parameters of the deny element.
    • 255.255.255.255 defines the allow element mask.

      The 255 in each decimal-separated segment of the mask indicates that the filter tests the corresponding segment of the IP address for allowed access.

      This mask causes the filter to test all 32 bits of the incoming IP address against the allowed IP.

  3. Add each user that is affected by the restrictions. For example:
    <users>
      <user name="drct01" tag="xyzzy"/>
      <user name="perm01" tag="noside"/>
      <user name="extuser" tag="shazam"/>
    </users>
  4. Add the IP filters that define the IP restrictions for all users. For example:
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.0.0/255.255.0.0"/>
        <deny ip="141.206.35.0/255.255.255.0"/>
        <appliesto tagref="xyzzy"/>
        <appliesto tagref="shazam"/>
      </ipfilter>
      <ipfilter name="filter2" type="permissive">
        <deny ip="141.206.35.0/255.255.255.0"/>
        <allow ip="141.206.35.175/255.255.255.255"/>
        <appliesto tagref="noside"/>
        <appliesto tagref="xyzzy"/>
      </ipfilter>
    </ipfilters>

    The primary filter, filter1, applies to users drct01 and extuser, because it specifies their user tags, xyzzy and shazam.

    The secondary filter, filter2, applies to users perm01 and drct01, because it specifies their user tags, noside and xyzzy.
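The following script is an added example, not part of this Teradata page and not Teradata's own enforcement code. It assembles the document from steps 2 through 4 above (system name gizmo, the three users and two filters are the page's own example values), checks that every appliesto tagref resolves to a user tag, and then applies each filter's masked-range test to a client IP using the restrictive and permissive semantics described under primary_filter_ip_range and secondary_filter_deny_range. Use it to predict what a given document will do for a user before you load it into the database; the element names and attributes are the page's, the function names are this example's.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Restriction document assembled from steps 2-4 of this page (constructed
# input; the user names, tags and ranges are the page's example values).
RESTRICTION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="gizmo">
    <users>
      <user name="drct01" tag="xyzzy"/>
      <user name="perm01" tag="noside"/>
      <user name="extuser" tag="shazam"/>
    </users>
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.0.0/255.255.0.0"/>
        <deny ip="141.206.35.0/255.255.255.0"/>
        <appliesto tagref="xyzzy"/>
        <appliesto tagref="shazam"/>
      </ipfilter>
      <ipfilter name="filter2" type="permissive">
        <deny ip="141.206.35.0/255.255.255.0"/>
        <allow ip="141.206.35.175/255.255.255.255"/>
        <appliesto tagref="noside"/>
        <appliesto tagref="xyzzy"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>
"""


def parse_range(spec):
    """Split 'address/mask' into two 32-bit integers.

    The mask is applied bitwise, which is exactly what the page describes:
    255 in a segment means that segment is tested, 0 means it is ignored."""
    addr, mask = spec.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


def matches(ip_int, ranges):
    """True when the tested bits of the client IP equal the tested bits of any range."""
    return any((ip_int & mask) == (addr & mask) for addr, mask in ranges)


def load_document(xml_text):
    """Parse the restriction document into (system_name, filters).

    Raises ValueError for an appliesto tagref that names no user tag, because
    the page requires every tagref to correspond to a user element's tag."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    tag_to_user = {u.get("tag"): u.get("name") for u in system.iter("user")}
    filters = []
    for f in system.iter("ipfilter"):
        users = set()
        for ref in f.findall("appliesto"):
            tag = ref.get("tagref")
            if tag not in tag_to_user:
                raise ValueError(f"{f.get('name')}: tagref {tag!r} matches no user tag")
            users.add(tag_to_user[tag])
        filters.append({
            "name": f.get("name"),
            "type": f.get("type"),
            "allow": [parse_range(a.get("ip")) for a in f.findall("allow")],
            "deny": [parse_range(d.get("ip")) for d in f.findall("deny")],
            "users": users,
        })
    return system.get("name"), filters


def filter_allows(flt, client_ip):
    """Apply one ipfilter to a client address using the semantics the page describes."""
    ip_int = int(ipaddress.IPv4Address(client_ip))
    in_allow = matches(ip_int, flt["allow"])
    in_deny = matches(ip_int, flt["deny"])
    if flt["type"] == "restrictive":
        # Default deny: allow elements open ranges, deny elements carve exceptions out of them.
        return in_allow and not in_deny
    if flt["type"] == "permissive":
        # Default allow: deny elements close ranges, allow elements carve exceptions out of them.
        return not (in_deny and not in_allow)
    raise ValueError(f"unknown filter type {flt['type']!r}")


def decisions(filters, user, client_ip):
    """Verdict of every filter that applies to the user, keyed by filter name."""
    return {f["name"]: filter_allows(f, client_ip) for f in filters if user in f["users"]}


if __name__ == "__main__":
    _, filters = load_document(RESTRICTION_XML)
    for user, ip in [("drct01", "141.206.35.175"), ("extuser", "10.0.0.1")]:
        print(user, ip, decisions(filters, user, ip))
```

The page does not state how the database combines verdicts when, as with drct01, more than one filter applies to a user, so the example reports each applicable filter separately rather than assuming a combination rule; decide that rule from the Teradata reference for your release before relying on the result.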