17.10 - CREATE AUTHORIZATION and REPLACE AUTHORIZATION Syntax Elements - Advanced SQL Engine - Teradata Database

database_name

user_name

Optional name of a database or user other than the current or default in which the authorization being defined or replaced is to be contained.

authorization_name

A name for the authorization so you can specify the authorization in an external routine definition or function mapping.

The name of an authorization object must conform to object naming rules. For information about naming database objects, see Teradata Vantage™ - SQL Fundamentals, B035-1141.

The following rules apply to authorization names:

• Authorizations belong to the database or user in which they are created and are not valid in other databases or users. For information about using authorization objects with the Script Table Operator, see Teradata Vantage™ - SQL Operators and User-Defined Functions, B035-1210.
• An authorization object name must be unique within its containing database or user.
• An authorization object name cannot begin with a digit.
• An authorization object name cannot be an SQL keyword.

DEFINER

Specify DEFINER to share an authorization object with multiple users of the database in which it resides. You can create the authorization in any database.

DEFAULT

An optional keyword modifier for the DEFINER keyword that associates this authorization with all external routines that do not specify the authorization name in the EXTERNAL SECURITY DEFINER clause of the following statements.

• CREATE FUNCTION and REPLACE FUNCTION (External Form).
• CREATE FUNCTION and REPLACE FUNCTION (Table Form).
• CREATE PROCEDURE and REPLACE PROCEDURE (External Form).

You can assign only one default DEFINER object per database. All others must have specific definer names.

INVOKER

Specify INVOKER to allow exclusive access by a user. You must create the authorization in the database of the current user.

TRUSTED

Required keyword.

user_name

A clause that specifies a string literal that is the name of the database user to whom this authorization is being assigned.

Public buckets (or public containers) in external object stores such as Amazon S3, Azure Blob storage, or Google Cloud Storage, do not require credentials for access. To create an authorization for these, use an empty string delimited by single quotes: ''

password

A clause that specifies a string literal that is the name of the operating system platform password assigned to user_name.

For AWS, AZURE, and GCP, password can have at most 4096 bytes.

The password is used to authenticate the user when the secure server process is created. Best practices suggest that any session that uses this statement should be set up to use the encrypted transport protocol. See Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100.

Public buckets (or public containers) in external object stores such as Amazon S3, Azure Blob storage, or Google Cloud Storage, do not require credentials for access. To create an authorization for these, use an empty string delimited by single quotes: ''

While it is never desirable for a password to be typed in the clear, it only becomes an issue when you enter your password using an interface such as BTEQ. The issue becomes moot if you are prompted to enter your password by an application that requests the information in a secure manner such as a GUI or World Wide Web interface that displays ASTERISK characters to represent the password as it is typed. This is the recommended practice for all security conscious sites.

The following table shows the supported credentials for USER and PASSWORD: