Security Considerations for Trusted Sessions - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Last Edition: 2024-04-05
Product Category: Teradata Vantage™
  • The middle-tier application authenticates end users before it connects them to Teradata Vantage through a trusted session. Then Vantage controls access to database objects based on the proxy user role.
  • Use the WITH TRUST_ONLY clause in the GRANT CONNECT THROUGH statement to require that SET QUERY_BAND statements be part of trusted requests.
  • The system enforces logon controls, such as logon restrictions by IP address, only for the middle-tier application logon user (trusted user), because it does not authenticate proxy users.
  • When a trusted session is established with a permanent proxy user, the permanent proxy user is the owner of and is granted default privileges on new objects.
  • When a trusted session is established with an application proxy user, no automatic privileges are granted on new objects.
  • The system enforces security policies based on the trusted user, not the end (proxy) user. For information on security policy, see Network Security Policy.
  • The system does not allow the SET ROLE statement in a trusted session. The operant role for a proxy user connection is determined by the roles you specify in the CONNECT THROUGH statement that defines the proxy user, along with any role limitations contained in the SET QUERY_BAND statement submitted by the application.
  • Construct the SET QUERY_BAND statement to uniquely identify each end user so that the system can accurately log user sessions.
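
An added example, not Teradata's own code: one way a middle-tier application could build the SET QUERY_BAND statement so that each session names exactly one authenticated end user and, optionally, one role from the CONNECT THROUGH grant. The function name, the `granted_roles` parameter and the character allow-list are assumptions made for this example; PROXYUSER and PROXYROLE are the reserved query band names for the proxy user and role.

```python
import re

# Conservative allow-list chosen for this example (an assumption, not
# Teradata's full object-naming rule). It excludes ';' and '=', which
# delimit query band pairs, and quotes, which end the SQL string literal.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,128}")


def _require_safe(value, what):
    """Reject anything that could add or alter a name=value pair."""
    if not isinstance(value, str) or not _SAFE_NAME.fullmatch(value):
        raise ValueError(f"{what} is not a safe query band value")
    return value


def build_proxy_query_band(end_user, role=None, granted_roles=()):
    """Return a SET QUERY_BAND statement for one authenticated end user.

    end_user      -- identity the middle tier has already authenticated
    role          -- optional role limitation for this session
    granted_roles -- roles listed in the CONNECT THROUGH grant for this
                     proxy user (hypothetical parameter supplied by the app)
    """
    pairs = [("PROXYUSER", _require_safe(end_user, "end user name"))]
    if role is not None:
        _require_safe(role, "role name")
        # The database enforces the grant as well; checking here fails
        # early and keeps the requested role visible in application logs.
        if role.lower() not in {r.lower() for r in granted_roles}:
            raise ValueError("role is not in the CONNECT THROUGH grant")
        pairs.append(("PROXYROLE", role))
    band = "".join(f"{name}={value};" for name, value in pairs)
    return f"SET QUERY_BAND = '{band}' FOR SESSION;"


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real system.
    print(build_proxy_query_band("jsmith"))
    print(build_proxy_query_band("jsmith", "sales_ro", ["sales_ro", "sales_rw"]))
    try:
        build_proxy_query_band("jsmith;PROXYROLE=dba")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the statement is built only from the identity the middle tier authenticated, every session the system logs carries exactly one end user name, and a name containing a delimiter is refused before it reaches the database.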