16.20 - Logging On Using External Authentication - Teradata Vantage NewSQL Engine

Teradata Vantage™ SQL Data Control Language

prodname: Teradata Database, Teradata Vantage NewSQL Engine
vrm_release: 16.20
created_date: March 2019
category: Programming Reference
featnum: B035-1149-162K

External authentication permits a user to log on to a computer one time and access a Teradata Database without providing a user name, password, or account name. To enable this, you must explicitly map any directory users who are not already mapped to Teradata Database users in the directory. If you do not create an explicit mapping between an unmapped user and Teradata Database, that directory user cannot log on to Teradata Database.

You can explicitly map a directory user to the following objects:
  • EXTUSER.

    Mapping to EXTUSER is the most commonly used method.

    You cannot assign row-level security privileges to EXTUSER.

    If the AuthorizationSupported property is set to yes in the TdgssUserConfigFile.xml file, and a user attempts to log on to the database, the user is authenticated by the directory. If auto provisioning is turned on, then the user is not logged on as EXTUSER. Instead, the database creates an account for the user in DBC.Dbase and logs the user on using that account. Auto provisioned users are not permanent users and must always authenticate against the directory.

    For more information about EXTUSER and auto provisioning, see Teradata Vantage™ NewSQL Engine Security Administration, B035-1100.

  • A Profile.
  • A Role.
  • A Teradata user.

Another way to permit external authentication is to grant the user logon privileges with a null password.

The following procedure creates a user who can log on to the system through a gateway that does not have the Append Domain Name option set using the Gtwcontrol utility. This user is already defined as user rhh.

  1. Create user rhh using the following CREATE USER request:
    CREATE USER rhh AS
     PERM = 10000000,
     PASSWORD = rhh;
  2. Grant user rhh the following logon privileges using a GRANT LOGON request:
    GRANT LOGON ON ALL
     TO rhh
     WITH NULL PASSWORD;

The following procedure creates a Teradata Database user who can log on to a Teradata system through a gateway that has Append Domain Name set. This user is already defined as user rhh and her account is in the esw2kdev domain.

  1. Create user rhh using the following CREATE USER request:
    CREATE USER "rhh@esw2kdev" AS
     PERM = 10000000,
     PASSWORD = rhh;
  2. Grant user rhh the following logon privileges using a GRANT LOGON request:
    GRANT LOGON ON ALL
     TO "rhh@esw2kdev"
     WITH NULL PASSWORD;
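
To review which users hold null-password logon grants like the ones created above, the following added example (not part of the Teradata documentation) queries the data dictionary. It assumes SELECT access to the DBC.LogonRulesV and DBC.LogOnOffV views; the 30-day window is an arbitrary choice.

```sql
-- Added example: audit logon rules created with
-- GRANT LOGON ... WITH NULL PASSWORD.
-- Assumes SELECT privilege on the DBC dictionary views used below.

-- 1. List every granted logon rule that allows a null password,
--    with the host it applies to and who created the rule.
SELECT  r.UserName,
        r.LogicalHostID,
        r.CreatorName,
        r.CreateTimeStamp
FROM    DBC.LogonRulesV AS r
WHERE   r.NullPassword = 'T'      -- rule was granted WITH NULL PASSWORD
  AND   r.LogonStatus  = 'G'      -- rule is a grant, not a revoke
ORDER BY r.UserName, r.LogicalHostID;

-- 2. For those same users, summarize logon activity over the last
--    30 days (assumed review window) by host and event type, so that
--    failed attempts and logons from unexpected hosts stand out.
SELECT  l.UserName,
        l.LogicalHostId,
        l.Event,
        COUNT(*)       AS EventCount,
        MAX(l.LogDate) AS LastSeen
FROM    DBC.LogOnOffV AS l
WHERE   l.LogDate >= CURRENT_DATE - 30
  AND   l.UserName IN (
            SELECT UserName
            FROM   DBC.LogonRulesV
            WHERE  NullPassword = 'T'
              AND  LogonStatus  = 'G'
        )
GROUP BY 1, 2, 3
ORDER BY 1, 2, 3;
```

Users returned by the first query that never appear in the second hold a null-password grant they are not using.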