Rules for Specifying Users as Policy Members - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
Document ID: B035-1100
Product Category: Teradata Vantage™

You can specify the DN of a tdatUser object, or in some cases the DN of a directory principal object, as a member of a policy to apply the policy to the user.

The DN specification requirements depend on how the user is authenticated and authorized, regardless of policy type.

Member definition by authentication mechanism:

TD2
  The DN must be an existing Teradata user object in the directory with a cn that matches a Teradata Vantage user name.

KRB5 (AuthorizationSupported=no)
  The DN must be an existing Teradata user object in the directory with a cn that matches the Kerberos domain user name.

LDAP (AuthorizationSupported=no)
  The DN must be an existing Teradata user object in the directory with a cn that matches the LDAP logon name for the user.

KRB5 or LDAP (AuthorizationSupported=yes)
  The DN must be either:
  • The DN of a Teradata user object
  • The DN of a directory principal

The choice of user object is subject to the following rules:

If the directory principal is mapped to a Teradata user object, use the DN of the Teradata user object for the member attribute.

If the directory principal is not mapped to a Teradata user object, use the DN of the directory principal for the member attribute.

PROXY
  The PROXY mechanism is only used by the Unity server for logging on to connected Vantage systems.

If users logging on through Unity are externally authenticated, PROXY must be configured. If PROXY is configured, Unity also uses the PROXY mechanism for TD2 sessions.

If PROXY is configured, create a PROXY mechanism policy and assign policy membership to the Unity user for each server. To ensure the security of Unity connections to the database:

  1. Define the Unity user as part of initial setup of each Unity server. See the Teradata Unity documentation.
  2. Re-specify the Unity user and password on each Unity server when configuring the certificate and private key for use with externally authenticated Vantage users. For information about Unity, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523 and Teradata® Unity™ User Guide, B035-2520.
  3. Define each Unity user as a Teradata user object in the directory, as shown in the diagram in Using LDAP Directory Objects in Policies.
  4. Assign PROXY policy membership to the Unity user for each Unity server in the directory. For instructions on the syntax used to assign membership to users, see the topics for each policy type beginning with Configuring a Security Mechanism Policy.
Do not assign a PROXY policy to any other user.
JWT
  The JWT mechanism is only used by Teradata AppCenter for logging on to connected Vantage systems.

The JSON Web Token (JWT) authentication mechanism enables single sign-on (SSO) to Teradata Vantage after the user successfully authenticates to Teradata UDA User Service. The UDA User Service authenticates users to various UDA applications and services, such as AppCenter and the Teradata® Query Service (REST services). JWT allows a user that has been authenticated to one of these applications or services to use single sign-on to establish a session with Teradata Vantage.
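The member-definition rules above (per mechanism, plus the rule that a PROXY policy must contain only Unity users) can be audited before a policy is deployed. The following helper is an added example, not Teradata's own code: it checks a policy member DN against a constructed in-memory directory snapshot, and the mapping attribute name tdatMappedPrincipal, the example DNs and the user lists are assumptions for illustration.

```python
from typing import Dict, List

# Constructed directory snapshot (DN -> attributes). The mapping attribute
# 'tdatMappedPrincipal' is an assumed name, not Teradata's schema.
DIRECTORY: Dict[str, dict] = {
    "cn=alice,ou=tdat,dc=example,dc=com": {
        "objectClass": ["tdatUser"], "cn": "alice",
        "tdatMappedPrincipal": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=unity1,ou=tdat,dc=example,dc=com": {"objectClass": ["tdatUser"], "cn": "unity1"},
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
}
VANTAGE_USERS = {"alice", "unity1"}          # constructed Vantage user names
UNITY_USERS = {"cn=unity1,ou=tdat,dc=example,dc=com"}  # designated Unity user DNs

def _is_tdat_user(entry: dict) -> bool:
    return "tdatUser" in entry.get("objectClass", [])

def _mapped_principals() -> set:
    """DNs of directory principals that some tdatUser object maps to."""
    return {p for e in DIRECTORY.values() if _is_tdat_user(e)
            for p in e.get("tdatMappedPrincipal", [])}

def check_member(mechanism: str, member_dn: str,
                 authorization_supported: bool = False) -> List[str]:
    """Return findings for one policy member; an empty list means it is valid."""
    entry = DIRECTORY.get(member_dn)
    if entry is None:
        return [f"{member_dn}: not found in directory"]
    findings: List[str] = []
    if mechanism == "TD2" or (mechanism in ("KRB5", "LDAP") and not authorization_supported):
        # Without authorization, only a Teradata user object may be a member.
        if not _is_tdat_user(entry):
            findings.append(f"{member_dn}: must be a Teradata user object for {mechanism}")
        elif mechanism == "TD2" and entry.get("cn") not in VANTAGE_USERS:
            findings.append(f"{member_dn}: cn does not match a Vantage user name")
    elif mechanism in ("KRB5", "LDAP"):
        # AuthorizationSupported=yes: a directory principal is allowed only if it
        # is not mapped to a tdatUser; otherwise the tdatUser DN must be used.
        if not _is_tdat_user(entry) and member_dn in _mapped_principals():
            findings.append(f"{member_dn}: principal is mapped to a Teradata user object; use that DN")
    elif mechanism == "PROXY":
        # PROXY policies must contain only the Unity users.
        if member_dn not in UNITY_USERS:
            findings.append(f"{member_dn}: PROXY policy membership is reserved for Unity users")
    else:
        findings.append(f"{mechanism}: unknown mechanism")
    return findings
```

Running check_member over every member of a policy object before applying it surfaces the common misconfigurations: a principal DN used where the mapped tdatUser DN is required, and a non-Unity user placed in a PROXY policy.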