Logging On Using External Authentication | GRANT LOGON | Teradata Vantage

SQL Data Control Language

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Published: July 2021
Language: English (United States)
Last Update: 2021-07-27
dita:id: B035-1149
Lifecycle: previous
Product Category: Teradata® Vantage™ NewSQLEngine

External authentication permits a user to log on to a computer one time and access a database without providing a user name, password, or account name. To enable this, you must explicitly map any directory users who are not already mapped to Vantage users in the directory. If you do not create an explicit mapping between an unmapped user and Vantage, that directory user cannot log on to Vantage.

You can explicitly map a directory user to the following objects:
  • EXTUSER.

    Mapping to EXTUSER is the most commonly used method.

    You cannot assign row-level security privileges to EXTUSER.

    If the AuthorizationSupported property is set to yes in the TdgssUserConfigFile.xml file, and a user attempts to log on to the database, the user is authenticated by the directory. If auto provisioning is turned on, then the user is not logged on as EXTUSER. Instead, the database creates an account for the user in DBC.Dbase and logs the user on using that account. Auto provisioned users are not permanent users and must always authenticate against the directory.

    For more information about EXTUSER and auto provisioning, see Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100.

  • A Profile.
  • A Role.
  • A Teradata user.

Another way to do this is to grant the user logon privileges with a null password.

The following procedure creates a user who can log on to the system through a gateway on which the Append Domain Name option has not been set with the Gtwcontrol utility. This user is already defined as user rhh.

  1. Create user rhh using the following CREATE USER request:
    CREATE USER rhh AS
    PERM = 10000000,
    PASSWORD = rhh;
  2. Grant user rhh the following logon privileges using a GRANT LOGON request:
    GRANT LOGON ON ALL
     TO rhh
     WITH NULL PASSWORD;

The following procedure creates a Vantage user who can log on to a Teradata system through a gateway that has Append Domain Name set. This user is already defined as user rhh and her account is in the esw2kdev domain.

  1. Create user rhh using the following CREATE USER request:
    CREATE USER "rhh@esw2kdev" AS
     PERM = 10000000,
     PASSWORD = rhh;
  2. Grant user rhh the following logon privileges using a GRANT LOGON request:
    GRANT LOGON ON ALL
     TO "rhh@esw2kdev"
     WITH NULL PASSWORD;
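
After either procedure, an administrator can review which accounts hold a null-password logon grant and how they are being used. The queries below are an added example, not part of the Teradata manual; they assume SELECT access to the DBC.LogonRulesV and DBC.LogOnOffV dictionary views and that NullPassword is stored as 'T' or 'F'.

```sql
-- Added example: audit null-password logon rules and their use.
-- Assumptions: the session can read DBC.LogonRulesV and DBC.LogOnOffV,
-- and NullPassword holds 'T' when WITH NULL PASSWORD was granted.

-- 1. Every logon rule that permits a null password, newest first,
--    with the user who issued the GRANT LOGON and when it was issued.
SELECT  r.UserName,
        r.LogicalHostId,
        r.LogonStatus,
        r.CreatorName,
        r.CreateTimeStamp
FROM    DBC.LogonRulesV AS r
WHERE   r.NullPassword = 'T'
ORDER BY r.CreateTimeStamp DESC;

-- 2. Logon and logoff events in the last 30 days for the two users
--    created in the procedures above, grouped by event type so that
--    unexpected event types or hosts stand out.
SELECT  l.UserName,
        l.LogicalHostId,
        l.Event,
        COUNT(*)       AS EventCount,
        MAX(l.LogDate) AS LastSeen
FROM    DBC.LogOnOffV AS l
WHERE   l.UserName IN ('rhh', 'rhh@esw2kdev')
  AND   l.LogDate >= CURRENT_DATE - 30
GROUP BY l.UserName, l.LogicalHostId, l.Event
ORDER BY l.UserName, LastSeen DESC;
```

A row in the first result for a user who is not meant to authenticate externally is a grant to revisit.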