You can run the tdspolicy tool from the command prompt on a Teradata Vantage node to investigate the security policy assignments that are currently in effect for a specific combination of user, profile, and logon IP address.
tdspolicy -u user -i ip_address [-s service] [-p profile]
- Specify a Vantage user name in these cases:
- The user is authenticated by Teradata (TD2 mechanism)
- The user is authenticated by Kerberos (KRB5 mechanism) or LDAP and AuthorizationSupported=no
- The user is authenticated by Kerberos (KRB5 mechanism) or LDAP, AuthorizationSupported=yes, and the user is mapped to a tdatUser entry.
If a directory user is mapped to multiple tdatUser objects, and more than one object has security policy assignments, the most restrictive policy applies. For details, see the configuration instruction for each policy type.
- Specify the DN of a directory principal for a directory user if the user is authenticated using KRB5 or LDAP, AuthorizationSupported=yes, and the user is not mapped to a tdatUser entry.
- The IP address from which the user logs on.
- [Required to return information on a local security policy.] Specify the DN of the service that contains the local policy.
- If the -u user authenticates in a specific service, -s must specify the DN of that service.
- If this option is not present to request local policy information for a specific service, tdspolicy returns information for the global policy, if a global policy exists.
- For information on global policy, see Configuring Policy-Related Properties for a Global Security Policy.
- [Optional] Identifies an existing profile that is assigned to the user.
- For permanent Vantage users, profile is the profile specified in the user definition. For directory principals, it is a profile to which the principal is mapped in the directory.
- The tdspolicy command returns information indicating whether any policy applies to the specified profile.
- If a directory principal is mapped to a Vantage user and a profile in the directory, the mapped profile takes precedence over the profile assigned to the mapped permanent user.
For externally authenticated or authorized users, you can use tdgssauth to obtain the tdspolicy command line arguments:
$ tdgssauth -m ldap -u diperm01 -i 22.214.171.124 TDGSS_BIN_FILE not set. TDGSSCONFIG GDO used in tdgss. Please enter a password: Status: authenticated, not authorized Database user: perm01 [permanent user] Profile: profile01 External roles: extrole01perm01, extrole02perm01, extrole03perm01 Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com Audit trail identifier: diperm01 Authenticating service: esroot1 Actual mechanism employed: ldap [OID 126.96.36.199.188.8.131.52.1012.1.20] Mechanism specific data: diperm01 Security context capabilities: replay detection out of sequence detection confidentiality integrity protection ready exportable security context Minimum quality of protection: high with confidentiality and integrity Options: none $