Privileges in Teradata Secure Zones | Teradata Vantage - 17.10 - Privileges in Teradata Secure Zones - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)
User Type Who creates them and the privileges that they have Privileges they can and cannot grant, and users that they can create
zone creators A Vantage user who has the following rights with the WITH GRANT privilege may explicitly grant the following privileges to zone creators:
  • CREATE ZONE
  • DROP ZONE
  • DROP USER privilege on the user who becomes the zone root
  • CREATE USER privilege on the database that becomes the zone root
Zone creators cannot grant any privileges to zone users.

Zone creators can create zone guests from users or roles that were previously created outside the zone.

primary zone DBA The zone creator either:
  • Creates a zone with a user as the root, which by default makes that user the primary DBA and implicitly grants them all privileges.
  • Creates a zone with a database as the root, and then creates a user who is the primary DBA by using CREATE USER FROM database_name syntax to implicitly grant all privileges to that user.
The primary DBA can do the following:
  • Create zone users, databases, and TVM objects inside the zone using existing DDL syntax.
  • Grant privileges to zone guests. No privileges can be granted to a zone guest with the WITH GRANT OPTION privilege.
zone user (includes the primary DBA) A primary DBA or any previously created zone user creates other users in a zone under the hierarchy of zone root, using the existing CREATE USER syntax. Zone users can create zone users, databases, and TVM objects using existing DDL syntax.

Only zone users can grant privileges on database objects in a zone to zone guests. No privileges can be granted to a zone guest with the WITH GRANT OPTION privilege.

zone guest The zone creator creates zone guests using the GRANT ZONE syntax.

A zone guest cannot access zone objects unless a zone user explicitly grants them privileges to create objects or grants them privileges to access existing objects in the zone where they are guests.

Zone guests with the required privileges can do the following:
  • Create zone users, databases, and TVM objects inside the zone using existing DDL syntax.
  • Create views, triggers, macros and so on, on the zoned objects in their perm space.