Access Logging for Directory-Based Users | Teradata Vantage - 17.20 - Using Access Logging for Directory-Based Users - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
VMware
Product
Analytics Database
Teradata Vantage
Release Number
17.20
Published
June 2022
Language
English (United States)
Last Update
2023-03-07
dita:mapPath
hjo1628096075471.ditamap
dita:ditavalPath
qkf1628213546010.ditaval
dita:id
zuy1472246340572
Access logging of directory users generally conforms to the rules for use of access logging of database users, with the following exceptions:
  • A SELECT USER request normally returns the current user for a session. When a directory-based user is logged on, a SELECT USER request returns either:
    • The name of the permanent user to which the directory user is mapped
    • The authcid (logon username) of the directory user, if not mapped to a permanent user
  • A SELECT ROLE request returns the current role for the session. If the directory user is mapped only to EXTUSER, the initial current role for a directory-based logon is a dummy role called EXTERNAL. Any time the directory-assigned roles are enabled, a SELECT ROLE request returns EXTERNAL as its result.

During access logging, the system identifies directory users by their authcid, which it stores in DBC.SessionTbl.AuditTrailId when it establishes the session.

The format of stored authcid is the same for all directory types.

If the authcid exceeds 128 bytes in length (as converted), it truncates at 128 bytes. Therefore, all authcids should be unique for the first 128 bytes.