Authorization definitions permit users to issue operating system I/O calls from within an external routine. The ANSI SQL:2011 specification collectively refers to user-written non-SQL modules as external routines.
Teradata Database requires any external routine that performs operating system I/O to run in protected mode as a separate process than runs under an explicitly specified user ID. See Protected and Unprotected Execution Modes. Authorization objects provide a flexible, yet robust, scheme for providing the authorizations required by these external routines without exposing the system to these potential problems.
The principal difference between an external routine running in protected mode (or in secure mode is that when an external routine runs in protected mode, it always runs as the OS user tdatuser, while an external routine that runs in secure mode can run as any OS user you want to associate with an external authorization. While tdatuser has no special privileges, an OS user associated with an external authorization can have any privileges on OS files you want to assign to it. All that is required is that the OS user with special privileges be specified in the EXTERNAL SECURITY clause of the SQL definition for the external routine associated with it.