16.20 - Query Bands, Trusted Sessions, and Roles - Teradata Database - Teradata Vantage NewSQL Engine

Teradata Vantage™ SQL Data Definition Language Detailed Topics

Product: Teradata Database, Teradata Vantage NewSQL Engine
Release Number: 16.20
Release Date: March 2019
Content Type: Programming Reference
Publication ID: B035-1184-162K
Language: English (United States)

The following rules apply to the enforcement of CONNECT THROUGH privilege-defined roles in a trusted session.

  • If a CONNECT THROUGH privilege specifies roles, then the following rules apply.
    • You cannot specify a PROXYROLE if you do not also specify a PROXYUSER.
    • You must use PROXYROLE to set the role in a trusted session because you cannot specify a SET ROLE request in a trusted session.
    • If PROXYROLE is not specified in the privilege definition, then all roles specified for the privilege are active.
    • PROXYROLE can be set to any role in the privilege. If you make this specification, then only that role is active.
    • PROXYROLE cannot be set to NONE or NULL.
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE, then the following rules apply.
    • If PROXYROLE is not specified in the privilege definition, then the active role is the default role for the permanent proxy user.
    • PROXYROLE can be set to any role that has been granted to the permanent proxy user.
    • PROXYROLE can be set to NONE or NULL.
  • If a CONNECT THROUGH privilege defines proxy roles, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • Active proxy roles
    • PUBLIC
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE for a permanent user, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • The permanent user
    • Active roles
    • PUBLIC

Teradata Database enforces two exceptions to these rules. In these exceptional cases, Teradata Database does not enforce the privileges established for the proxy user, but instead enforces the privileges stated in the following table.

| FOR this database object type … | THE following rules for privilege enforcement apply … |
| --- | --- |
| macro | The immediately owning database or user must have all the appropriate privileges for executing the macro. |
| SQL procedure | The following check is made only if the procedure is created using SQL SECURITY INVOKER. Otherwise, the proxy user privileges are not used. Teradata Database checks the privileges of the immediate owner of the procedure for all statements specified in, and all objects referenced in, the procedure body during its execution. |
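
The role rules listed above can be checked mechanically when reviewing which privileges a trusted session ends up with. The following Python sketch is an added example, not Teradata code or part of the original reference. It assumes PROXYUSER and PROXYROLE are supplied as `NAME=value;` pairs in the session query band, uses constructed user and role names, and does not model the macro and SQL procedure exceptions in the table.

```python
# Added illustration, not Teradata code: models the role rules listed above.
# Assumptions: PROXYUSER/PROXYROLE arrive as 'NAME=value;' query band pairs,
# role names compare exactly, and all user/role names below are constructed.

def parse_query_band(band):
    """Split 'NAME=value;NAME=value;' into a dict keyed by upper-cased name."""
    items = (i.split("=", 1) for i in band.split(";") if "=" in i)
    return {name.strip().upper(): value.strip() for name, value in items}

def resolve_session(grant_roles, band, default_role=None, granted_roles=()):
    """Return (active_roles, privilege_sources); raise ValueError if rejected.

    grant_roles: list of roles named in the CONNECT THROUGH privilege, or
    None for WITHOUT ROLE. default_role and granted_roles describe the
    permanent proxy user and matter only in the WITHOUT ROLE case.
    """
    qb = parse_query_band(band)
    user, role = qb.get("PROXYUSER"), qb.get("PROXYROLE")
    if user is None:
        raise ValueError("PROXYROLE requires PROXYUSER" if role is not None
                         else "no PROXYUSER in query band")
    unset = role is not None and role.upper() in ("NONE", "NULL")
    if grant_roles is not None:              # privilege specifies roles
        if unset:
            raise ValueError("PROXYROLE cannot be NONE or NULL")
        if role is None:
            active = list(grant_roles)       # every listed role is active
        elif role in grant_roles:
            active = [role]                  # only the chosen role is active
        else:
            raise ValueError("PROXYROLE is not a role in the privilege")
        return active, active + ["PUBLIC"]
    if role is None:                         # WITHOUT ROLE from here on
        active = [default_role] if default_role else []
    elif unset:
        active = []                          # assumed: no role is active
    elif role in granted_roles:
        active = [role]
    else:
        raise ValueError("PROXYROLE is not granted to the proxy user")
    return active, [user] + active + ["PUBLIC"]

if __name__ == "__main__":
    print(resolve_session(["SALES_R", "AUDIT_R"],
                          "PROXYUSER=app_joe;PROXYROLE=AUDIT_R;"))
    print(resolve_session(None, "PROXYUSER=perm_amy;PROXYROLE=NONE;",
                          "HR_R", ["HR_R"]))
```

The second element of the result lists whose grants the session's privileges are drawn from, which is the set to review for least privilege.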