Privileges in Teradata Secure Zones

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07
User Type: zone creators

Who creates them and the privileges that they have:
A Vantage user who has the following rights with the WITH GRANT privilege may explicitly grant the following privileges to zone creators:
  • CREATE ZONE
  • DROP ZONE
  • DROP USER privilege on the user who becomes the zone root
  • CREATE USER privilege on the database that becomes the zone root

Privileges they can and cannot grant, and users that they can create:
Zone creators cannot grant any privileges to zone users.

Zone creators can create zone guests from users or roles that were previously created outside the zone.

User Type: primary zone DBA

Who creates them and the privileges that they have:
The zone creator either:
  • Creates a zone with a user as the root, which by default makes that user the primary DBA and implicitly grants them all privileges.
  • Creates a zone with a database as the root, and then creates a user who is the primary DBA by using CREATE USER FROM database_name syntax to implicitly grant all privileges to that user.

Privileges they can and cannot grant, and users that they can create:
The primary DBA can do the following:
  • Create zone users, databases, and TVM objects inside the zone using existing DDL syntax.
  • Grant privileges to zone guests. No privileges can be granted to a zone guest with the WITH GRANT OPTION privilege.

User Type: zone user (includes the primary DBA)

Who creates them and the privileges that they have:
A primary DBA or any previously created zone user creates other users in a zone under the hierarchy of zone root, using the existing CREATE USER syntax.

Privileges they can and cannot grant, and users that they can create:
Zone users can create zone users, databases, and TVM objects using existing DDL syntax.

Only zone users can grant privileges on database objects in a zone to zone guests. No privileges can be granted to a zone guest with the WITH GRANT OPTION privilege.

User Type: zone guest

Who creates them and the privileges that they have:
The zone creator creates zone guests using the GRANT ZONE syntax.

A zone guest cannot access zone objects unless a zone user explicitly grants them privileges to create objects or grants them privileges to access existing objects in the zone where they are guests.

Privileges they can and cannot grant, and users that they can create:
Zone guests with the required privileges can do the following:
  • Create zone users, databases, and TVM objects inside the zone using existing DDL syntax.
  • Create views, triggers, macros and so on, on the zoned objects in their perm space.
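
The four user types described above, walked through as one zone setup in SQL. This is an added example, not taken from the Teradata documentation. All names (sec_admin, zone_admin, fin_root, fin_zone, fin_analyst, ext_auditor, fin_data), the PERM sizes and the password are constructed placeholders, fin_root and ext_auditor are assumed to exist already, and the statement forms are assumptions to check against the SQL reference for your release.

```sql
-- Constructed scenario; every object name below is a placeholder.

-- 1. Logged on as sec_admin, a user who holds these rights WITH GRANT OPTION:
--    equip zone_admin to act as a zone creator.
GRANT CREATE ZONE, DROP ZONE TO zone_admin;
-- fin_root is the existing user that will become the zone root.
GRANT DROP USER ON fin_root TO zone_admin;

-- 2. Logged on as zone_admin (zone creator):
--    a zone rooted on a user makes that user the primary DBA by default.
CREATE ZONE fin_zone ROOT fin_root;

-- 3. Still zone_admin: admit a user created outside the zone as a zone guest.
--    The guest has no access to zone objects until a zone user grants it.
GRANT ZONE fin_zone TO ext_auditor;

-- 4. Logged on as fin_root (primary DBA): build the hierarchy under the
--    zone root with ordinary DDL.
CREATE USER fin_analyst FROM fin_root
  AS PERM = 1000000000, PASSWORD = "Placeholder_pw_1";
CREATE DATABASE fin_data FROM fin_root
  AS PERM = 1000000000;

-- 5. Logged on as a zone user (fin_root or fin_analyst, given the needed
--    rights): give the guest read access to zone objects.
GRANT SELECT ON fin_data TO ext_auditor;

-- Review points that follow from the rules above:
--   * zone_admin (zone creator) cannot grant privileges to fin_analyst
--     or any other zone user.
--   * A grant to a zone guest cannot carry WITH GRANT OPTION, so the
--     following statement is not permitted:
-- GRANT SELECT ON fin_data TO ext_auditor WITH GRANT OPTION;
```

When reviewing a zone, the grants in steps 3 and 5 are the ones to track: they are the only path by which a principal created outside the zone reaches zone objects.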