Query Bands, Trusted Sessions, and Row-Level Security

Query Bands, Trusted Sessions, and Row-Level Security - Teradata Vantage

Teradata® VantageCloud Lake

Deployment

VantageCloud

Edition

Lake

Product

Teradata Vantage

Published

January 2023

ft:locale

en-US

ft:lastEdition

2024-12-11

dita:mapPath

phg1621910019905.ditamap

dita:ditavalPath

pny1626732985837.ditaval

dita:id

phg1621910019905

Vantage enforces row-level security for proxy users. The following list outlines this support at a high level.

A proxy user who is also a permanent user with assigned constraints can perform DML requests on row-level security-protected tables.
Row-level security constraints can either be assigned to a permanent user who is also a proxy user directly or indirectly by means of a profile that is assigned to the permanent user.
If a proxy user is an application user, then its object-level security privileges are only defined by the roles associated with a session by a SET QUERY_BAND request.
Proxy user access to row-level security tables follows the same rules as those that apply to trusted session users who access tables that are not protected with row-level security constraints.
The row-level security constraints that are initially active for a session depend on the constraints that are either directly assigned to the user or that are assigned by means of a profile defined for the user, or both.
This may be the empty set if the neither the user nor the profile are assigned constraint values.
Vantage determines the row-level security constraint values that are initially active for a session based on the following factors.
- The initial connection of a session.
- Execution of an initial SET QUERY_BAND request in the session.
- Execution of a request that terminates an active transaction in the session.
- Execution of a subsequent SET QUERY_BAND request that specifies the UPDATE option in the session.
- Execution of a subsequent SET QUERY_BAND request that does not specify the UPDATE option in the session.

You can change the active constraint values for a session to any of those directly allocated to the connecting user or to those allocated through the user profile with a SET SESSION CONSTRAINT request.

The following factors determine the row-level security constraint values that are initially active for a session.

The initial connection of a session.
The constraint values are taken from the set that is allocated to the profile for the connecting user and from those directly allocated to the connecting user.

This may be the empty set if the user and profile have no allocated constraint values. You can submit a SET SESSION CONSTRAINT request to change the active constraint values for the session to any of those directly allocated to the connecting user or to those allocated through the profile for the connecting user.

The first SET QUERY_BAND request run in the session.

Execution of an initial SET QUERY_BAND request can also define the initially active row-level security constraints for the session.

The request causes the constraint values that are active for the session to be the empty set. The new constraint values that are assigned to the session depend on whether there is a proxy user assigned as the query band. If so, the assigned constraints depend on whether the proxy user is a permanent user or an application user.

Proxy User	Session Constraint Values
Not set	Session constraint values are those of connecting user. You can use SET SESSION CONSTRAINT to change session constraint values to any constraint values allocated directly or by means of profile to connecting user.
Permanent user	Session constraint values are those allocated directly or by means of profile to proxy. You can use SET SESSION CONSTRAINT to change session constraint values to any constraint values allocated directly or by means of profile to proxy user.
Application user	No session constraint values. Trying to use SET SESSION CONSTRAINT to change session constraint values is error.

When you run a request that terminates a transaction, the constraint values for the session depend on whether the session has an assigned proxy user and whether the query band is specified for the session or for only the current transaction.

Proxy User Assignment	Constraint Values
FOR SESSION	Remain those assigned to proxy user.
FOR TRANSACTION	Revert to those set at session connection. That is, those assigned to connecting user.

The result of executing a subsequent SET QUERY_BAND request on the constraint values that are active for a session depends on whether you specify the UPDATE option or not.

SET QUERY_BAND Has UPDATE Option	Session Constraint Values
Yes	Depend on whether session has proxy user assigned. See next table.
No	None. New session constraint values are those defined by rules in preceding table.

When you submit a SET QUERY_BAND request and also specify the UPDATE option, the constraint values that are active for the session depend on whether the session has a proxy user assigned or not.

The following table describes the possible outcomes when there is a proxy user and a new proxy user is defined.

User Type	Session Constraint Values
Application	None if SET QUERY_BAND has UPDATE option. Trying to use SET SESSION CONSTRAINT to change session constraint values is error.
Permanent	If SET QUERY_BAND has UPDATE option, session constraint values are those allocated directly or by means of profile to proxy. You can use SET SESSION CONSTRAINT to change session constraint values to any constraint values allocated directly or by means of profile to proxy user.

When you submit a SET QUERY_BAND request without also specifying the UPDATE option, the constraint values that are active for the session are reset to the empty set.
The new constraint values for the session are the same as those defined by the first SET QUERY_BAND request run in the session. These constraint values are itemized for the second bulleted item in this list.