Logging On Using External Authentication | GRANT LOGON | Teradata Vantage

SQL Data Control Language

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-07-11
Product Category: Teradata Vantage™

External authentication permits a user to log on to a computer one time and access a database without providing a user name, password, or account name. To enable this, you must explicitly map any directory users who are not already mapped to Vantage users in the directory. If you do not create an explicit mapping between an unmapped user and Vantage, that directory user cannot log on to Vantage.

You can explicitly map a directory user to the following objects:
  • EXTUSER.

    Mapping to EXTUSER is the most commonly used method.

    You cannot assign row-level security privileges to EXTUSER.

    If the AuthorizationSupported property is set to yes in the TdgssUserConfigFile.xml file, and a user attempts to log on to the database, the user is authenticated by the directory. If auto provisioning is turned on, then the user is not logged on as EXTUSER. Instead, the database creates an account for the user in DBC.Dbase and logs the user on using that account. Auto provisioned users are not permanent users and must always authenticate against the directory.

    For more information about EXTUSER and auto provisioning, see Teradata Vantage™ - Analytics Database Security Administration, B035-1100.

  • A Profile.
  • A Role.
  • A Teradata user.

Another way to do this is to grant the user logon privileges with a null password.

The following procedure creates a user who can log on to the system through a gateway for which the Append Domain Name option has not been set with the Gtwcontrol utility. This user is already defined as user rhh.

  1. Create user rhh using the following CREATE USER request:
    CREATE USER rhh AS
    PERM = 10000000,
    PASSWORD = rhh;
  2. Grant user rhh the following logon privileges using a GRANT LOGON request:
    GRANT LOGON ON ALL
     TO rhh
     WITH NULL PASSWORD;

The following procedure creates a Vantage user who can log on to a Teradata system through a gateway that has Append Domain Name set. This user is already defined as user rhh and her account is in the esw2kdev domain.

  1. Create user rhh using the following CREATE USER request:
    CREATE USER "rhh@esw2kdev" AS
     PERM = 10000000,
     PASSWORD = rhh;
  2. Grant user rhh the following logon privileges using a GRANT LOGON request:
    GRANT LOGON ON ALL
     TO "rhh@esw2kdev"
     WITH NULL PASSWORD;
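
After either procedure, the resulting logon rules can be reviewed from the data dictionary. The queries below are an added example, not part of the original Teradata documentation. They assume the dictionary views DBC.LogonRulesV and DBC.LogOnOffV with the column names shown and a NullPassword flag value of 'T'; confirm these against the Data Dictionary for your release. The 30-day window is an arbitrary choice.

```sql
-- Added example (not from the original page).
-- Assumption: DBC.LogonRulesV holds one row per user/host logon rule and
-- marks rules granted WITH NULL PASSWORD with NullPassword = 'T'.

-- 1. Confirm the rules created for the two users in the procedures above.
SELECT UserName,
       LogicalHostId,
       LogonStatus,
       NullPassword,
       CreatorName,
       CreateTimeStamp
FROM   DBC.LogonRulesV
WHERE  UserName IN ('rhh', 'rhh@esw2kdev')
ORDER  BY UserName, LogicalHostId;

-- 2. List every user that holds a null-password logon rule, with who
--    granted it and when, so unexpected grants stand out.
SELECT UserName,
       LogicalHostId,
       CreatorName,
       CreateTimeStamp
FROM   DBC.LogonRulesV
WHERE  NullPassword = 'T'
ORDER  BY CreateTimeStamp DESC;

-- 3. Show recent logon activity for those users.
--    Assumption: DBC.LogOnOffV records logon events with the source of
--    each session in LogonSource.
SELECT l.LogDate,
       l.LogTime,
       l.UserName,
       l.Event,
       l.LogicalHostId,
       l.LogonSource
FROM   DBC.LogOnOffV AS l
WHERE  l.UserName IN (SELECT r.UserName
                      FROM   DBC.LogonRulesV AS r
                      WHERE  r.NullPassword = 'T')
  AND  l.LogDate >= CURRENT_DATE - 30
ORDER  BY l.LogDate DESC, l.LogTime DESC;
```

Rows in the second result that do not correspond to a directory user you mapped deliberately are the ones to investigate first.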