Security Considerations with the CREATE MACRO Privilege | VantageCloud Lake - Teradata Vantage

Teradata® VantageCloud Lake

Deployment: VantageCloud
Edition: Lake
Product: Teradata Vantage
Published: January 2023
Language: English (United States)
Last Update: 2024-04-03

Before you grant CREATE MACRO on a database or user, realize that the recipient of that privilege can create and perform macros that have all the privileges of that database or user. This is because for CREATE MACRO, the privileges are inherited from the immediate owner of the macro, not from its creator.

Therefore, the grantee can create macros that contain DCL and DDL statements that are not checked for the privileges of the creator. You are implicitly assigning privileges to the macro creator that the creator has no explicit, implicit, or automatic privilege to perform. This may not be a desirable result.

For example, consider the scenario presented in the following graphic:

Figure: CREATE MACRO scenario

The Compensation database is owned by user DBA.

User SysAdminDBA, the system administrator for Compensation, has privileges on Compensation, including CREATE MACRO WITH GRANT OPTION, and on all objects owned by Compensation.

SysAdminDBA can also effectively grant themselves any of the following:
  • Privileges on objects owned by Compensation.
  • Privileges that Compensation has WITH GRANT OPTION.
  • Any implicit privileges owned by Compensation.

SysAdminDBA creates user CompAnalyst6 for an entry level programmer who has been assigned to produce compensation reports for routine audits performed by state and federal regulatory agencies. To make sure that CompAnalyst6 does not have access to critical private employee base salary and bonus information, CompAnalyst6 has been granted a restricted set of privileges on objects in the Compensation database.

To make creating reports easier for CompAnalyst6, SysAdminDBA also grants CompAnalyst6 the CREATE MACRO privilege on Compensation, as follows:

GRANT CREATE MACRO
ON compensation
TO companalyst6;

Because the privileges for running macros in compensation derive from Compensation, not from the macro's creator, CompAnalyst6 can create and perform macros that report on exactly the private data CompAnalyst6 was meant to be restricted from viewing.

For example, CompAnalyst6 can grant themselves full access to all tables in the database through a simple macro, and then create any database object or perform a query that reports on salary and bonus data for each employee in the enterprise, in the three quick steps outlined in the following procedure:
  1. CREATE MACRO everything AS
     (GRANT ALL PRIVILEGES ON compensation
     TO companalyst6;);
  2. EXECUTE everything;
  3. SELECT *
     FROM salary, bonus;

CompAnalyst6 can also modify data and drop tables in the compensation database.
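The following data-dictionary queries show how an administrator can find grants of CREATE MACRO to non-owners, review macros created in a sensitive database by someone other than its owner, and undo the grant from the scenario above. This is an added example, not part of the Teradata page; it assumes the standard DBC.AllRightsV and DBC.TablesV views and the access-right code CM for CREATE MACRO, with the owner and grantee names taken from the scenario.

```sql
-- Added audit example for the CREATE MACRO scenario (not from the Teradata page).
-- Assumption: DBC.AllRightsV and DBC.TablesV are the standard dictionary views and
-- 'CM' is the access-right code for CREATE MACRO.

-- 1. Who holds CREATE MACRO on Compensation, and who granted it?
--    Any grantee other than the owner (DBA in the scenario) can create macros that run
--    with the full privileges of Compensation, not with the grantee's own privileges.
SELECT  r.UserName        AS Grantee,
        r.DatabaseName    AS OnDatabase,
        r.GrantorName,
        r.GrantAuthority,         -- 'Y' means granted WITH GRANT OPTION
        r.CreateTimeStamp
FROM    DBC.AllRightsV r
WHERE   r.AccessRight  = 'CM'     -- CREATE MACRO
  AND   r.DatabaseName = 'Compensation'
  AND   r.UserName    <> 'DBA'    -- the database owner in the scenario
ORDER BY r.CreateTimeStamp;

-- 2. Macros in Compensation created by anyone other than the owner, with their text.
--    A macro body containing GRANT, REVOKE or DDL is the one to review first.
SELECT  t.DataBaseName,
        t.TableName       AS MacroName,
        t.CreatorName,
        t.CreateTimeStamp,
        t.RequestText             -- the CREATE MACRO text (may be truncated)
FROM    DBC.TablesV t
WHERE   t.TableKind    = 'M'      -- M = macro
  AND   t.DataBaseName = 'Compensation'
  AND   t.CreatorName <> 'DBA'
ORDER BY t.CreateTimeStamp DESC;

-- 3. Undo the scenario: remove the escalation macro and the grant that allowed it.
--    Privileges the macro already granted are separate rows in DBC.AllRightsV and must be
--    revoked on their own; the intended restricted set then has to be re-granted.
DROP MACRO Compensation.everything;
REVOKE CREATE MACRO ON Compensation FROM CompAnalyst6;
REVOKE ALL PRIVILEGES ON Compensation FROM CompAnalyst6;
```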