17.10 - Security Considerations for Trusted Sessions - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
July 2021
English (United States)
  • The middle-tier application authenticates end users before it connects them to Teradata Vantage through a trusted session. Then Vantage controls access to database objects based on the proxy user role.
  • Use the WITH TRUST_ONLY clause in the GRANT CONNECT THROUGH statement to require that SET QUERY_BAND statements be part of trusted requests.
  • The system enforces logon controls, such as logon restrictions by IP address, only for the middle-tier application logon user (trusted user), because it does not authenticate proxy users.
  • When a trusted session is established with a permanent proxy user, the permanent proxy user is the owner of and is granted default privileges on new objects.
  • When a trusted session is established with an application proxy user, no automatic privileges are granted on new objects.
  • The system enforces security policies based on the trusted user, not the end (proxy) user. For information on security policy, see Network Security Policy.
  • The system does not allow the SET ROLE statement in a trusted session. The operant role for a proxy user connection is determined by the roles you specify in the GRANT CONNECT THROUGH statement that defines the proxy user, along with any role limitations contained in the SET QUERY_BAND statement submitted by the application.
  • Construct the SET QUERY_BAND statement to uniquely identify each end user so that the system can accurately log user sessions.
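
The following sketch is an added example, not taken from the Teradata documentation, showing how the grants and the query band described above fit together. The trusted user mt_app, the proxy users web_enduser and hr_perm, the roles sales_ro and hr_rw, and the custom EndUser name-value pair are hypothetical names.

```sql
-- Hypothetical names throughout: mt_app (trusted user), web_enduser and
-- hr_perm (proxy users), sales_ro and hr_rw (roles), EndUser (custom pair).

-- Application proxy user: known only to the middle tier, so no automatic
-- privileges are granted on objects created in its trusted sessions.
-- WITH TRUST_ONLY: a SET QUERY_BAND that sets the proxy user is accepted
-- only when the application submits it as a trusted request.
GRANT CONNECT THROUGH mt_app WITH TRUST_ONLY
  TO APPLICATION web_enduser
  WITH ROLE sales_ro;

-- Permanent proxy user: an existing database user, who becomes the owner
-- of new objects created in the trusted session.
GRANT CONNECT THROUGH mt_app WITH TRUST_ONLY
  TO PERMANENT hr_perm
  WITH ROLE hr_rw, sales_ro;

-- Submitted by mt_app after it has authenticated the end user itself.
-- Logon controls (for example, IP restrictions) were already applied to
-- mt_app at logon; the proxy user is not authenticated by the database.
-- PROXYROLE limits the session to one of the roles named in the grant.
-- EndUser carries the individual identity so that logged sessions can be
-- traced to one person even when many people share a proxy user.
SET QUERY_BAND = 'PROXYUSER=hr_perm;PROXYROLE=hr_rw;EndUser=jdoe;' FOR SESSION;

-- Not allowed while the trusted session is in effect; the role comes only
-- from the grant and the query band:
-- SET ROLE sales_ro;

-- Clear the session query band before the pooled connection is reused for
-- a different end user.
SET QUERY_BAND = NONE FOR SESSION;
```

Marking a request as trusted is done through the client driver or API rather than in the SQL text, so the statements above look the same whether or not WITH TRUST_ONLY is in force.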