17.10 - Option 2: Directory Authentication and Authorization - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
July 2021
English (United States)
Last Update
If directory users do not have matching user names in the database, or if the matching user name does not have all the requisite database privileges, you can authorize privileges in the directory by mapping directory users to database users, and to database external roles and profiles.
  • You can map directory users with very limited access needs to the system-generated pseudo-user, EXTUSER, which has database privileges similar to PUBLIC, by default. Directory users mapped to one or more Vantage roles or profiles--and not mapped to a database user--automatically gain EXTUSER privileges in addition to those privileges acquired from the roles/profiles.
  • If the directory user requires an individual database account, you can enable the DBSControl AutoProvision parameter and map the directory user to a role or profile. In this case, a database account is automatically provisioned for the user and they are logged on to the database as that user instead of EXTUSER.

For information on EXTUSER, see Characteristics of Directory Users Mapped to Permanent Database Users.

For information on auto provisioned users, see Auto Provisioned Directory Users.