The purpose of an authorization object is to specify the user context to use when running an external routine that performs operating system I/O operations. See CREATE FUNCTION and REPLACE FUNCTION (External Form), CREATE FUNCTION (Table Form), CREATE METHOD, CREATE PROCEDURE and REPLACE PROCEDURE (External Form), and Teradata Vantage™ SQL External Routine Programming , B035-1147 .
Authorization objects associate a user with an OS platform user ID. With an OS platform user ID, a user can log onto a Teradata Database node as a native operating system user and be able to run external routines that perform OS-level I/O operations.
- A user who needs to run external routines that contain an INVOKER security clause.
- A user who needs to be the definer of any external routine modules that contain the DEFINER external clause.
Without the appropriate authorization objects having been created, none of the external routines containing an EXTERNAL SECURITY clause can run.
When you submit a CREATE AUTHORIZATION statement, the system validates the values for the specified user variables. If the specified user object has not yet been created on all database nodes or if any of the other information you specified is not correct, the statement returns an error message to the requestor.
The system permits only three failed attempts to create an authorization object. After three failed attempts, Teradata Database returns an appropriate error message to the requestor.
You must first log off the system and then log back on. The DBA also has the option of activating access logging on CREATE AUTHORIZATION to enable the tracking of suspicious attempts to perform it. See “BEGIN LOGGING” in Teradata Vantage™ SQL Data Definition Language Syntax and Examples, B035-1144.