External Security Manager Interface - Teradata Director Program

Teradata® Director Program Reference

Product: Teradata Director Program
Release Number: 16.20
Published: September 2019
Language: English (United States)
Last Update: 2019-10-11
dita:id: B035-2416
lifecycle: previous
Product Category: Teradata Tools and Utilities

TDP provides an external security manager interface to the System Authorization Facility (SAF) on z/OS client systems. External security managers such as RACF and ACF2 can use SAF for logon validation and authorization, thus controlling access to the Teradata Database without direct interaction with the RDBMS itself.

Using TDP and an external security manager, system security administrators can maintain a separate external database or repository of resource profiles and access rules for the Teradata Database, as well as for TSO, CICS, DB2, and so on. This approach, called security logon, significantly enhances the convenience and flexibility of system security administration.

Because SAF assumes all character data is in EBCDIC, while a Teradata Database userid can be in a non-EBCDIC character set, unexpected rejections or security exposures are possible. A userid known to the external security manager in EBCDIC would not be recognized if specified in ASCII. Conversely, a userid specified in ASCII might consist of the same bytes as an EBCDIC userid known to the external security manager and erroneously match. Such problems can be circumvented by using different classes for userids encoded in different character sets. On a request-by-request basis, the TDPLGUX exit can override the default class from the ENABLE SECLOGON command based on the character set.
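The byte-level effect described above, and the separate-class workaround, modelled in Python as an added example (not Teradata code and not the TDPLGUX exit itself). Assumptions: Python's cp037 codec stands in for the z/OS EBCDIC code page, the userid syntax is simplified, and the class names, sample userids and profile lookup are hypothetical.

```python
import re

SAF_CODEC = "cp037"  # assumption: EBCDIC code page 037 stands in for the SAF side
CODECS = {"EBCDIC": SAF_CODEC, "ASCII": "ascii"}
# Assumption: simplified userid syntax (1-8 characters from A-Z, 0-9, #, $, @).
VALID_USERID = re.compile(r"[A-Z0-9#$@]{1,8}")
# Hypothetical class names; a real site defines its own.
SINGLE_CLASS = {"EBCDIC": "TDLOGON", "ASCII": "TDLOGON"}
SPLIT_CLASSES = {"EBCDIC": "TDLOGONE", "ASCII": "TDLOGONA"}


def saf_view(userid, charset):
    """Text an EBCDIC-only reader sees for a userid sent in `charset`."""
    return userid.encode(CODECS[charset]).decode(SAF_CODEC)


def classify(userid, charset):
    """Return 'same', 'rejected' (no such name) or 'collision' (another valid name)."""
    seen = saf_view(userid, charset)
    if seen == userid:
        return "same"
    return "collision" if VALID_USERID.fullmatch(seen) else "rejected"


def build_profiles(class_map, ebcdic_userids):
    """Profiles the administrator defined in EBCDIC, keyed by (class, raw bytes)."""
    return {(class_map["EBCDIC"], u.encode(SAF_CODEC)) for u in ebcdic_userids}


def authorized(profiles, class_map, userid, charset):
    """Model a lookup that compares raw userid bytes within the selected class."""
    key = (class_map[charset], userid.encode(CODECS[charset]))
    return key in profiles


if __name__ == "__main__":
    known = ["PAYROLL", "$#@"]  # constructed sample userids
    for cmap in (SINGLE_CLASS, SPLIT_CLASSES):
        profiles = build_profiles(cmap, known)
        for uid, cs in [("PAYROLL", "EBCDIC"), ("PAYROLL", "ASCII"), ("[{|", "ASCII")]:
            print(cmap[cs], cs, uid, classify(uid, cs), authorized(profiles, cmap, uid, cs))
```

In this model the split-class run holds only EBCDIC profiles; ASCII userids would need their own profiles defined in the ASCII class.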