Database designers can create one or more exclusive database hierarchies, called zones, within a single Teradata system. Access to the data in each zone and the zone administration is handled separately from the Teradata system and from other zones.
Teradata Secure Zones are useful in situations where the access to data must be tightly controlled and restricted. You can also use Teradata Secure Zones to support regulatory compliance requirements for the separation of data access from database administration duties.
For example, consider the following use of Teradata Secure Zones. Suppose you have a multinational company or conglomerate enterprise with many subsidiaries. You can create a separate zone for each of the subsidiaries. If your company has divisions in different countries, you can create separate zones for each country to restrict data access to the personnel that are citizens of that country. Your corporate personnel can manage and access data across multiple zones while the subsidiary personnel in each zone have no access to data or objects in the other zones. A system-level zone administrator can manage the subsidiary zones and object administration can be done by either corporate DBAs or zone DBAs, as required.
- Users in one subsidiary have no access or visibility to objects in other subsidiaries.
- Corporate-level users may have access to objects in any or all subsidiaries.
Another typical scenario is the case of cloud companies that host multiple data customers as tenants. Companies that offer cloud-based database services can host multiple tenants within a single Teradata system, using zones to isolate the tenants from each other as if they were running on physically segregated systems. Zone DBAs can administer the objects in their own zone as required. Teradata Data Warehouse may manage tenant zones if the shared system is Teradata-owned.
The tenant zones can be managed by a system-level zone administrator, where Teradata acts as the system administrator.
- Users in a tenant zone have no access or visibility to objects within other zones.
- Users in a tenant zone cannot grant rights on any objects in the zone to any other users, databases, or roles of other zones within the system.
Zones are stored in the DBC.Dbase table. Therefore, they fall under the system limit for the maximum number of combined databases, users, and zones (see System Limits).
For more information, see Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100.