17.20 - Characteristics of Directory Users Mapped to Database Roles and Profiles - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
VMware
Product
Analytics Database
Teradata Vantage
Release Number
17.20
Published
June 2022
Language
English (United States)
Last Update
2023-03-07
dita:mapPath
hjo1628096075471.ditamap
dita:ditavalPath
qkf1628213546010.ditaval
dita:id
zuy1472246340572

You can map directory users to roles and profiles other than those they inherit from the database users to which they are mapped.

If auto provisioning is configured on the system, users assigned to a role or profile are automatically provisioned with an individual database account.

Consider the following conditions and limitations when mapping directory users to roles and profiles:
  • You cannot map directory users to standard database roles. Instead, you must create external roles, using the CREATE EXTERNAL ROLE statement, and then map the directory users to directory role objects named for the external roles.
  • Mappings to directory profile and role objects take precedence over those inherited from a mapped database user.
  • Directory users must use the SET ROLE statement (within a session) to enable the roles inherited from the permanent users to which they are mapped if they are also mapped to other roles.
  • Although there is no limit to the number of external roles you can map to a directory group object, the database recognizes a maximum of 50 roles. If the number of external roles mapped to a group exceeds 50, database logons by members of the group fail.

For information on creating external roles, see Using Roles for Directory Users.

For information profiles, see the topics beginning with Working with Database Profiles.