Proxy User Connections | SET QUERY_BAND | Teradata Vantage - Using SET QUERY_BAND Requests to Make Proxy User Connections - Analytics Database - Teradata Vantage

SQL Data Definition Language Detailed Topics

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
VMware
Product
Analytics Database
Teradata Vantage
Release Number
17.20
Published
June 2022
Language
English (United States)
Last Update
2023-07-11
dita:mapPath
vuk1628111288877.ditamap
dita:ditavalPath
qkf1628213546010.ditaval
dita:id
B035-1184
lifecycle
latest
Product Category
Teradata Vantage™

To make a proxy user connection, a middle tier application that is connected as a trusted user issues a SET QUERY_BAND request that specifies the proxy user name and an optional proxy role for that user. The reserved query band names PROXYUSER and PROXYROLE are used to specify a trusted session user name and proxy role name in the SET QUERY_BAND request, respectively.

When making proxy user connections, a SET QUERY_BAND request performs the following actions:

  1. If the query band specifies PROXYUSER, Vantage validates the current user has privileges to connect as the specified proxy user.
  2. If the query band specifies PROXYROLE, Vantage validates the role can be set for the specified proxy user.
  3. If the validation passes, Vantage sets the session to the specified proxy user name and proxy role name.

Once the proxy connection is made, Vantage uses the proxy user and the proxy role to determine the privileges for all subsequent requests in the session.

Note the following.
  • The trusted session lasts for the life of the query band.
  • The session query band remains set for the session and ends only when one of the following occurs.
    • The session ends.
    • You set the query band to NONE.
  • The session query band is stored in DBC.SessionTbl, and the database recovers it after a system reset.
  • The transaction query band is discarded when either of the following occurs.
    • The transactions ends (whether by commit, rollback, or abort)
    • The transaction query band is set to NONE and is not restored after a system reset.
A SET QUERY_BAND request returns an error whenever any of the following violations occur.
  • The proxy user does not have CONNECT THROUGH privileges with the trusted user.
  • The proxy user has not been granted privileges for the specified proxy role.
  • The request attempts to set a PROXYUSER for a transaction when a session trusted session already exists.
  • The request attempts to set a PROXYUSER for a session when a transaction proxy connection already exists.
  • The request attempts to set a PROXYROLE when it is not in a trusted session.
  • The request attempts to set a PROXYROLE to NONE or NULL when roles are defined for the trusted user in the GRANT CONNECT THROUGH privilege.