Using tdspolicy to Find Policy Assignments for a User - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
dita:mapPath: hjo1628096075471.ditamap
dita:ditavalPath: qkf1628213546010.ditaval
dita:id: zuy1472246340572
lifecycle: latest
Product Category: Teradata Vantage™

You can run the tdspolicy tool from the command prompt on a Teradata Vantage node to investigate the security policy assignments that are currently in effect for a specific combination of user, profile, and logon IP address.

You can use tdgssauth to obtain the tdspolicy command line arguments, as shown in the example at the end of this topic.

Syntax:

tdspolicy -u user -i ip_address [-s service] [-p profile]

user
  Specify a Vantage user name in these cases:
  • The user is authenticated by Teradata (TD2 mechanism).
  • The user is authenticated by Kerberos (KRB5 mechanism) or LDAP, and AuthorizationSupported=no.
  • The user is authenticated by Kerberos (KRB5 mechanism) or LDAP, AuthorizationSupported=yes, and the user is mapped to a tdatUser entry.

  If a directory user is mapped to multiple tdatUser objects, and more than one object has security policy assignments, the most restrictive policy applies. For details, see the configuration instructions for each policy type.

  Specify the DN of the directory principal if the user is authenticated using KRB5 or LDAP, AuthorizationSupported=yes, and the user is not mapped to a tdatUser entry.

ip_address
  The IP address from which the user logs on.

service
  [Required to return information on a local security policy.] Specify the DN of the service that contains the local policy.
  If the -u user authenticates in a specific service, -s must specify the DN of that service.
  If -s is omitted, tdspolicy returns information for the global policy, if a global policy exists.
  For information on global policy, see Configuring Policy-Related Properties for a Global Security Policy.

profile
  [Optional] Identifies an existing profile that is assigned to the user.
  For permanent Vantage users, profile is the profile specified in the user definition. For directory principals, it is a profile to which the principal is mapped in the directory.
  The tdspolicy command returns information indicating whether any policy applies to the specified profile.
  If a directory principal is mapped to both a Vantage user and a profile in the directory, the mapped profile takes precedence over the profile assigned to the mapped permanent user.

For externally authenticated or authorized users, you can use tdgssauth to obtain the tdspolicy command line arguments:

$ tdgssauth -m ldap -u diperm01 -i 192.0.2.205
TDGSS_BIN_FILE not set.
TDGSSCONFIG GDO used in tdgss.
Please enter a password: 
                        Status: authenticated, not authorized
                 Database user: perm01 [permanent user]
                       Profile: profile01
                External roles: extrole01perm01, extrole02perm01, extrole03perm01
            Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
        Audit trail identifier: diperm01
        Authenticating service: esroot1
     Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
       Mechanism specific data: diperm01

 Security context capabilities: replay detection
                                out of sequence detection
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

 Minimum quality of protection: high with confidentiality and integrity
                       Options: none

$
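The following script is an added example, not part of this topic or of Teradata's tooling. It parses the labelled lines of a tdgssauth session like the one above and applies the -u selection rules from the user parameter description to assemble a tdspolicy command line. Assumptions it makes: tdgssauth prints one "Label: value" line per field (continuation lines without a colon are ignored); the "Database user" line is absent or empty when the directory principal is not mapped to a tdatUser entry; the service DN for -s is not printed by tdgssauth, so the caller supplies it when local policy information is wanted; the function names and the placeholder service DN in the comments are the example's own.

```python
"""Derive tdspolicy arguments from tdgssauth output (added example, not Teradata code)."""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample input: the tdgssauth session shown on this page.
SAMPLE_TDGSSAUTH_OUTPUT = """\
TDGSS_BIN_FILE not set.
TDGSSCONFIG GDO used in tdgss.
Please enter a password:
                        Status: authenticated, not authorized
                 Database user: perm01 [permanent user]
                       Profile: profile01
                External roles: extrole01perm01, extrole02perm01, extrole03perm01
            Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
        Audit trail identifier: diperm01
        Authenticating service: esroot1
     Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
       Mechanism specific data: diperm01

 Security context capabilities: replay detection
                                out of sequence detection
 Minimum quality of protection: high with confidentiality and integrity
                       Options: none
"""

# "   Label with spaces: value" -> (label, value); the lazy match stops at the first colon,
# so values that themselves contain colons (the ldap:// URL) survive intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_tdgssauth(output: str) -> Dict[str, str]:
    """Collect the labelled fields of a tdgssauth session into a dict.

    Lines without a colon (banner text, wrapped continuation lines) and
    labels with an empty value (the password prompt) are skipped.
    """
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2).strip():
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def database_user(fields: Dict[str, str]) -> Optional[str]:
    """'perm01 [permanent user]' -> 'perm01'; None when no mapping was reported (assumption)."""
    raw = fields.get("Database user", "")
    name = raw.split("[", 1)[0].strip()
    return name or None


def authenticated_dn(fields: Dict[str, str]) -> Optional[str]:
    """Strip the 'ldap://host:port/' prefix and return the bare directory DN."""
    raw = fields.get("Authenticated user")
    if not raw:
        return None
    return re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*/", "", raw)


def build_tdspolicy_args(fields: Dict[str, str], ip_address: str,
                         authorization_supported: bool = True,
                         service_dn: Optional[str] = None) -> List[str]:
    """Apply the -u rules from the topic and assemble the tdspolicy argument list.

    TD2, or KRB5/LDAP with AuthorizationSupported=no: -u is the Vantage user name.
    KRB5/LDAP with AuthorizationSupported=yes: the mapped Vantage user name if a
    tdatUser mapping exists, otherwise the DN of the directory principal.
    """
    words = fields.get("Actual mechanism employed", "").split()
    mechanism = words[0].lower() if words else ""
    user = database_user(fields)
    if mechanism == "td2" or not authorization_supported:
        principal = user
    else:
        principal = user or authenticated_dn(fields)
    if not principal:
        raise ValueError("tdgssauth output does not identify a user for -u")
    args = ["tdspolicy", "-u", principal, "-i", ip_address]
    if service_dn:                       # caller-supplied; e.g. "cn=PLACEHOLDER-SERVICE-DN"
        args += ["-s", service_dn]
    profile = fields.get("Profile")
    if profile:
        args += ["-p", profile]
    return args


if __name__ == "__main__":
    parsed = parse_tdgssauth(SAMPLE_TDGSSAUTH_OUTPUT)
    print(shlex.join(build_tdspolicy_args(parsed, "192.0.2.205")))
```

For the session above the script produces tdspolicy -u perm01 -i 192.0.2.205 -p profile01, because the directory user diperm01 is mapped to the permanent user perm01; if the "Database user" line were absent, -u would instead receive the DN CN=diperm01,OU=people,OU=testing,DC=example,DC=com.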