Authorization definitions permit users to issue operating system I/O calls from within an external routine. The ANSI SQL:2011 specification collectively refers to user-written non-SQL modules as external routines.
Vantage requires any external routine that performs operating system I/O to run in protected mode as a separate process that runs under an explicitly specified user ID. See "Protected and Unprotected Execution Modes in CREATE FUNCTION and REPLACE FUNCTION (External Form)" in General Usage Guidelines: CREATE FUNCTION and REPLACE FUNCTION (External Form). Authorization objects provide a flexible, yet robust, scheme for providing the authorizations required by these external routines without exposing the system to these potential problems.
An external routine running in protected mode runs as the OS user tdatuser, while an external routine running in secure mode can run as any OS user you want to associate with an external authorization. While tdatuser has no special privileges, an OS user associated with an external authorization can have any privileges on OS files you want to assign to it. All that is required is that the OS user with special privileges be specified in the EXTERNAL SECURITY clause of the SQL definition for the external routine associated with it.
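The pairing described above, shown as an added example rather than code from the Vantage documentation: an authorization object that maps to a dedicated OS user, and an external function that names it in its EXTERNAL SECURITY clause. The database, authorization, function, OS user, and source path names are hypothetical, and the password is a placeholder.

```sql
-- Added example. All object names below are hypothetical.
-- 1. Define the authorization object. It binds an OS user ID and
--    password to a name that external routines can reference.
--    Give this OS user only the file privileges the routine needs.
CREATE AUTHORIZATION etl_db.feed_reader_auth AS DEFINER
  USER 'feedreader'              -- hypothetical OS account
  PASSWORD '<os-user-password>'; -- placeholder, not a real credential

-- 2. Create the external routine and associate it with that
--    authorization. With EXTERNAL SECURITY, the routine runs in
--    secure mode as the OS user 'feedreader' instead of tdatuser.
CREATE FUNCTION etl_db.read_feed_header (feed_path VARCHAR(256))
RETURNS VARCHAR(1024)
LANGUAGE C
NO SQL
PARAMETER STYLE SQL
EXTERNAL NAME 'CS!read_feed_header!udfsrc/read_feed_header.c!F!read_feed_header'
EXTERNAL SECURITY DEFINER feed_reader_auth;

-- 3. Callers need only EXECUTE FUNCTION on the routine; they never
--    see or supply the OS credentials held by the authorization.
SELECT etl_db.read_feed_header('/data/feeds/daily.csv');
```

Because the OS identity lives in the authorization object rather than in the routine's source, the file privileges granted to `feedreader` define the upper bound of what the routine's I/O calls can touch.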