An application proxy user name can be anything that represents the client connection with the middle tier application, such as a client name or an ATM identifier. The granularity of application proxy users is largely at your discretion. For example, the term ATM identifier could refer to granularities as different as an identifier for an individual ATM in an ATM network or an identifier for an individual user of any of the ATMs in the network.
The roles that can be active in a proxy connection are those defined in the CONNECT THROUGH privilege at the time the proxy connection is made.
You cannot have duplicate application and permanent proxy user names for the same trusted user. For example, consider the following GRANT CONNECT THROUGH requests submitted in the order indicated:
GRANT CONNECT THROUGH msi TO sbd WITH ROLE finance_role;
GRANT CONNECT THROUGH msi TO PERMANENT sbd WITH ROLE hr_role;
The second request returns a duplicate proxy user name error because the application proxy user named sbd already exists as granted through trusted user msi.
You must specify at least one role in the WITH ROLE clause for each application proxy user.
The following rules apply to the roles assigned to application proxy users:
- Only roles that are defined in the CONNECT THROUGH privilege at the time a proxy connection is made can be active in that connection.
All role names specified in the WITH ROLE clause are active in the proxy connection by default.
- You cannot set the current role in the proxy connection to NONE or NULL.
- The privileges for the proxy connection are those for its active roles and PUBLIC.