Query Bands, Trusted Sessions, and Roles - Analytics Database - Teradata Vantage

SQL Data Definition Language Detailed Topics

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-07-11
dita:id: B035-1184
Lifecycle: latest
Product Category: Teradata Vantage™

The following rules apply to the enforcement of CONNECT THROUGH privilege-defined roles in a trusted session.

  • If a CONNECT THROUGH privilege specifies roles, then the following rules apply.
    • You cannot specify a PROXYROLE if you do not also specify a PROXYUSER.
    • You must use PROXYROLE to set the role in a trusted session because you cannot specify a SET ROLE request in a trusted session.
    • If PROXYROLE is not specified in the privilege definition, then all roles specified for the privilege are active.
    • PROXYROLE can be set to any role in the privilege. If you make this specification, then only that role is active.
    • PROXYROLE cannot be set to NONE or NULL.
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE, then the following rules apply.
    • If PROXYROLE is not specified in the privilege definition, then the active role is the default role for the permanent proxy user.
    • PROXYROLE can be set to any role that has been granted to the permanent proxy user.
    • PROXYROLE can be set to NONE or NULL.
  • If a CONNECT THROUGH privilege defines proxy roles, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • Active proxy roles
    • PUBLIC
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE for a permanent user, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • The permanent user
    • Active roles
    • PUBLIC

Vantage enforces two exceptions to these rules. In these exceptional cases, Vantage does not enforce the privileges established for the proxy user, but instead enforces the privileges stated in the following table.

| FOR this database object type … | THE following rules for privilege enforcement apply … |
|---|---|
| macro | The immediately owning database or user must have all the appropriate privileges for executing the macro. |
| SQL procedure | The following check is made only if the procedure is created using SQL SECURITY INVOKER. Otherwise, the proxy user privileges are not used. Vantage checks the privileges of the immediate owner of the procedure for all statements specified in, and all objects referenced in, the procedure body during its execution. |
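
The role rules listed above can be checked before a middle tier sends a query band. The following is an added example, not Teradata code: it models those rules only (not the macro and SQL procedure exceptions) and returns the active roles and the principals whose privileges apply. It assumes PROXYROLE arrives in the same query band as PROXYUSER and that names match exactly; the `ConnectThrough` class, function names, and user and role names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ConnectThrough:
    """Hypothetical model of one CONNECT THROUGH privilege."""
    proxy_user: str
    roles: tuple = ()                   # roles in the privilege; empty = WITHOUT ROLE
    default_role: Optional[str] = None  # permanent user's default role
    granted_roles: tuple = ()           # roles granted to the permanent user

def parse_query_band(band: str) -> dict:
    """Split 'NAME=value;NAME=value;' into a dict keyed by upper-cased name."""
    pairs = (item.split("=", 1) for item in band.split(";") if item.strip())
    return {name.strip().upper(): value.strip() for name, value in pairs}

def resolve_session(priv: ConnectThrough, band: str):
    """Return (active_roles, privilege_sources); raise ValueError if a rule is broken."""
    qb = parse_query_band(band)
    proxy_role = qb.get("PROXYROLE")
    if "PROXYUSER" not in qb:
        raise ValueError("PROXYROLE requires PROXYUSER" if proxy_role is not None
                         else "query band names no PROXYUSER")
    if qb["PROXYUSER"] != priv.proxy_user:
        raise ValueError("privilege does not cover this PROXYUSER")
    wants_none = proxy_role is not None and proxy_role.upper() in ("NONE", "NULL")

    if priv.roles:  # the privilege specifies roles
        if proxy_role is None:
            active = list(priv.roles)            # all privilege roles are active
        elif wants_none:
            raise ValueError("PROXYROLE cannot be NONE or NULL for this privilege")
        elif proxy_role in priv.roles:
            active = [proxy_role]                # only the selected role is active
        else:
            raise ValueError("PROXYROLE is not a role in the privilege")
        return active, active + ["PUBLIC"]

    # The privilege specifies WITHOUT ROLE for a permanent user.
    if proxy_role is None:
        active = [priv.default_role] if priv.default_role else []
    elif wants_none:
        active = []                              # NONE or NULL is allowed here
    elif proxy_role in priv.granted_roles:
        active = [proxy_role]
    else:
        raise ValueError("PROXYROLE is not granted to the permanent proxy user")
    return active, [priv.proxy_user] + active + ["PUBLIC"]
```
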