To make a proxy user connection, a middle tier application that is connected as a trusted user issues a SET QUERY_BAND request that specifies the proxy user name and an optional proxy role for that user. The reserved query band names PROXYUSER and PROXYROLE are used to specify a trusted session user name and proxy role name in the SET QUERY_BAND request, respectively.
When making proxy user connections, a SET QUERY_BAND request performs the following actions:
- If the query band specifies PROXYUSER, Teradata Database validates that the current user has privileges to connect as the specified proxy user.
- If the query band specifies PROXYROLE, Teradata Database validates that the role can be set for the specified proxy user.
- If the validation passes, Teradata Database sets the session to the specified proxy user name and proxy role name.
Once the proxy connection is made, Teradata Database uses the proxy user and the proxy role to determine the privileges for all subsequent requests in the session.
Note the following.
- The trusted session lasts for the life of the query band.
- The session query band remains set for the session and ends only when one of the following occurs.
- The session ends.
- You set the query band to NONE.
- The session query band is stored in DBC.SessionTbl, and Teradata Database recovers it after a system reset.
- The transaction query band is discarded when either of the following occurs.
- The transactions ends (whether by commit, rollback, or abort)
- The transaction query band is set to NONE and is not restored after a system reset.
A SET QUERY_BAND request returns an error whenever any of the following violations occur.
- The proxy user does not have CONNECT THROUGH privileges with the trusted user.
- The proxy user has not been granted privileges for the specified proxy role.
- The request attempts to set a PROXYUSER for a transaction when a session trusted session already exists.
- The request attempts to set a PROXYUSER for a session when a transaction proxy connection already exists.
- The request attempts to set a PROXYROLE when it is not in a trusted session.
- The request attempts to set a PROXYROLE to NONE or NULL when roles are defined for the trusted user in the GRANT CONNECT THROUGH privilege.