17.20 - Using IP Access Restrictions - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07

  • If any IP filter rejects a user, the user logon fails, even if all other filters allow the user.
  • There is no limit to the number of IP restrictions concurrently in effect, but the database caps the size of the GDO that contains the restrictions at 128 KB, for both XML and directory implementations. If you plan IP restrictions carefully, the 128 KB limit should be sufficient for most systems.
    • The GDO can contain dozens of filters and over 10,000 user names of 10 characters.
    • Companies with very large user bases can save GDO space by employing the directory-based implementation of IP restrictions and mapping multiple directory users to a smaller number of Teradata Vantage users that have the same access restrictions.
  • Only a single set of restrictions, either XML or directory based, can exist at a time.
  • To change the IP restrictions, revise the existing XML document or directory setup and then re-import the file into the GDO using the appropriate utility. The new restrictions overwrite the old GDO. See Editing or Disabling IP Restrictions.
  • You must perform a database restart to activate the initial IP restrictions. Subsequent changes to the restrictions do not require a restart. For more information, see the tpareset utility in Teradata Vantage™ - Database Utilities, B035-1102.
  • Use of some applications, for example, network address translation (NAT) devices or other middleware, prevents the Teradata Vantage gateway from seeing or restricting the user IP address.
  • If you add or alter an IP restriction that denies access to the IP address through which the user is already logged on, the pre-existing user session remains connected. The gateway denies the user access from that IP at the next logon, including a reconnect of the pre-existing session caused by a system restart.
  • You can create IP restrictions for either IPv4 or IPv6 formatted IP addresses.
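
One way to check a planned restriction set against the "any filter rejects" rule before importing it, as an added example that is not Teradata code. The IPFilter model (filter name, user set, allowed CIDR ranges), the rule that a filter ignores users it does not list, and all sample names and addresses are assumptions constructed for illustration; they do not reflect the product's XML schema.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IPFilter:
    """Hypothetical model of one IP filter; not the product's XML schema."""
    name: str
    users: frozenset   # user names the filter applies to
    allowed: tuple     # CIDR ranges (IPv4 or IPv6) those users may log on from

    def rejects(self, user, source_ip):
        if user not in self.users:
            return False   # model assumption: filter ignores unlisted users
        addr = ipaddress.ip_address(source_ip)
        nets = [ipaddress.ip_network(cidr) for cidr in self.allowed]
        return not any(addr.version == n.version and addr in n for n in nets)

def rejecting_filters(filters, user, source_ip):
    """Names of every filter that rejects this logon."""
    return [f.name for f in filters if f.rejects(user, source_ip)]

def logon_allowed(filters, user, source_ip):
    """A single rejecting filter fails the logon, whatever the others say."""
    return not rejecting_filters(filters, user, source_ip)

def lockouts(filters, expected_logons):
    """Map each (user, ip) pair that should work but would fail to its rejecting filters."""
    result = {}
    for user, ip in expected_logons:
        blocked_by = rejecting_filters(filters, user, ip)
        if blocked_by:
            result[(user, ip)] = blocked_by
    return result

# Constructed sample plan and logons (private and documentation address ranges).
PLAN = [
    IPFilter("office", frozenset({"alice", "bob"}), ("10.1.0.0/16", "2001:db8:10::/48")),
    IPFilter("dba-jump", frozenset({"alice"}), ("10.1.5.0/24",)),
]
EXPECTED = [("alice", "10.1.5.20"), ("alice", "10.1.9.9"),
            ("bob", "2001:db8:10::7"), ("bob", "192.0.2.50")]

if __name__ == "__main__":
    for pair, blocked_by in lockouts(PLAN, EXPECTED).items():
        print(pair, "rejected by", blocked_by)
```

Feed it the addresses the gateway will actually see; behind a NAT device that is the translated address, not the client's own.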