A security constraint UDF defines and enforces the rules that determine whether to allow execution of an INSERT, SELECT, UPDATE, or DELETE statement on a row of a table that is defined with a security constraint.
When the SQL statement is executed, Teradata Database runs the associated security UDF to verify if the requesting user has the access level required to perform the operation as compared to the security level assigned to the row.
If the requesting user does not have the required access level, the UDF denies the request and request processing moves on to the next applicable row. If a requesting user has the OVERRIDE privilege for an SQL operation, Teradata Database bypasses the UDF that restricts the operation. If the security constraint object does not specify a UDF for an SQL operation, the operation succeeds only if the user has the corresponding OVERRIDE privilege.
In normal usage, users do not directly call security constraint UDFs in an SQL statement. Instead Teradata Database automatically calls the required functions when an INSERT, SELECT, UPDATE, or DELETE statement is executed against a table in which a security constraint has been defined. Therefore, you do not need to grant EXECUTE FUNCTION privileges on security constraint UDFs to users who must access the protected tables. However, if you are a security administrator or you are developing a security constraint UDF and want to test the return value of the constraint function, you can explicitly call the constraint function in a SELECT statement. In this case, you must have EXECUTE FUNCTION privilege on the constraint function.