Identity Token Support allows for the following permission models with regard to token generation:
- Any to Any
  - An authorized job submitter userid can generate a JWT for any authorized JWT userid.
- One to One
  - An authorized job submitter userid can only generate a JWT for the same userid.
- One to Many
  - An authorized job submitter userid can only generate a JWT for the same userid and, optionally, for other authorized userids that have been explicitly configured.
To further describe these models, consider an environment with two users, both of whom have the necessary authorizations to submit jobs, log on to Teradata Vantage, and invoke token generation. The following describes example authorizations for these users under the different permission models:
- Any to Any
  - User1 can submit a job and get a JWT for User1 or User2.
  - User2 can submit a job and get a JWT for User2 or User1.
- One to One
  - User1 can submit a job and only get a JWT for User1.
  - User2 can submit a job and only get a JWT for User2.
- One to Many (where User1 has been explicitly configured to additionally get a JWT for User2)
  - User1 can submit a job and get a JWT for User1 or User2.
  - User2 can submit a job and only get a JWT for User2.
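
The three models above can be expressed as a small policy check and used to list every cross-user grant, which is the set worth reviewing when choosing a model. This is an added example, not Teradata code or configuration syntax; the names `Model`, `may_issue_jwt`, `cross_user_grants` and the `delegations` map are hypothetical, and it assumes both the submitter and the target userid must be authorized under every model.

```python
from enum import Enum
from itertools import product

class Model(Enum):
    ANY_TO_ANY = "any-to-any"
    ONE_TO_ONE = "one-to-one"
    ONE_TO_MANY = "one-to-many"

def may_issue_jwt(model, submitter, target, submitters, jwt_users, delegations=None):
    """Return True if `submitter` may obtain a JWT for `target` under `model`.

    submitters  : userids authorized to submit jobs and invoke token generation
    jwt_users   : userids a JWT may be issued for
    delegations : one-to-many only; submitter -> set of extra target userids
    """
    # Assumption: both ends must be authorized in every model (deny by default).
    if submitter not in submitters or target not in jwt_users:
        return False
    if model is Model.ANY_TO_ANY:
        return True
    if submitter == target:
        return True  # own userid is allowed in one-to-one and one-to-many
    if model is Model.ONE_TO_MANY:
        # Only explicitly configured extra userids are allowed.
        return target in (delegations or {}).get(submitter, set())
    return False  # one-to-one never allows a different userid

def cross_user_grants(model, submitters, jwt_users, delegations=None):
    """List every (submitter, target) pair where one user can get another's JWT."""
    return sorted(
        (s, t) for s, t in product(submitters, jwt_users)
        if s != t and may_issue_jwt(model, s, t, submitters, jwt_users, delegations)
    )

# Constructed sample matching the two-user scenario on this page.
USERS = {"User1", "User2"}
DELEGATIONS = {"User1": {"User2"}}  # explicit one-to-many grant for User1

if __name__ == "__main__":
    for model in Model:
        print(model.value, cross_user_grants(model, USERS, USERS, DELEGATIONS))
```

The output lists two cross-user pairs for Any to Any, none for One to One, and only User1 to User2 for One to Many, matching the scenario above.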