17.10 - Security Considerations for Trusted Sessions - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Published
July 2021
Language
English (United States)
Last Update
2022-02-15
dita:mapPath
ppz1593203596223.ditamap
dita:ditavalPath
wrg1590696035526.ditaval
dita:id
zuy1472246340572
  • The middle-tier application authenticates end users before it connects them to Teradata Vantage through a trusted session. Then Vantage controls access to database objects based on the proxy user role.
  • Use the WITH TRUST ONLY clause in the GRANT CONNECT THROUGH to require that SET QUERY_BAND statements be part of trusted requests.
  • The system enforces logon controls, such as logons restrictions by IP address, only for the middle-tier application logon user (trusted user), because it does not authenticate proxy users.
  • When a trusted session is established with a permanent proxy user, the permanent proxy user is the owner of and is granted default privileges on new objects.
  • When a trusted session is established with an application proxy user, no automatic privileges are granted on new objects.
  • The system enforces security policies based on the trusted user, not the end (proxy) user. For information on security policy, see Network Security Policy.
  • The system does not allow the SET ROLE statement in a trusted session. The operant role for a proxy user connection is determined by the roles you specify in the CONNECT THROUGH statement that defines the proxy user, along with any role limitations contained in the SET QUERY_BAND statement submitted by the application.
  • Construct the SET QUERY_BAND statement to uniquely identify each end user so that the system can accurately log user sessions.