External Security Clause - Advanced SQL Engine - Teradata Database

SQL Data Definition Language Detailed Topics

Advanced SQL Engine
Teradata Database
Release Number
July 2021
English (United States)
Last Update
Product Category
Teradata Vantage™

This clause is mandatory for all functions that perform operating system I/O. Not specifying this clause for a function that performs I/O can produce unpredictable results and even cause the database, if not the entire system, to reset. See CREATE AUTHORIZATION and REPLACE AUTHORIZATION.

The authorization_name is an optional Teradata extension to the ANSI SQL:2011 standard.
  • The external security authorization associated with the function must be contained within the same database as the function.
  • When a function definition specifies EXTERNAL SECURITY DEFINER, then that function executes under the OS user associated with the specified external authorization using the context of that user.
    UDF Mode OS User
    Protected tdatuser, which must be a member of the tdatudf OS group.
    Secure OS user assigned to an authorization name using the CREATE AUTHORIZATION statement.

    The specified OS user must belong to the tdatudf OS group.

    Contact your Teradata technical support representative if you need to change this for any reason.

The following rules apply:
  • If you do not specify an authorization name, you must create a default DEFINER authorization name before a user attempts to execute the function.
  • If you have specified an authorization name, an authorization object with that name must be created before you can execute the function.

    The system returns a warning message to the requestor when no authorization name exists at the time the UDF is being created.