Query Bands and Trusted Sessions - Advanced SQL Engine - Teradata Database

The following reserved query bands are used by trusted sessions.

Trusted sessions provide you with the ability to authorize middle tier applications to assert user identities and roles for use in checking the privileges for, and logging queries of, individual users without establishing a logon session for each end user of the application. See Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100 for an overview of the security issues presented by trusted sessions.

Trusted sessions identify permanent and application users for privilege checking and query auditing when end users make requests against Teradata Database through a middle tier application such as a web-based product ordering system. Trusted sessions can be used by any type of middle tier application that authenticates its end users and submits SQL requests to Teradata Database on their behalf.

A trusted session enables a middle tier application to assume the identity of a different user from the one who is logged on for privilege validation. Such a “different user” is referred to as a proxy user.

Proxy users do not log onto Teradata Database directly, but instead use an established database session, typically derived from a session connection pool. For a definition of connection pooling, see Query Bands, Trusted Sessions, and Connection Pooling. Once a proxy user has been switched onto an active session, all subsequent requests that user makes operate using the privileges granted to the proxy user through a trusted user and both privilege checking and query logging are done using the name of the proxy user. See “GRANT CONNECT THROUGH” in Teradata Vantage™ - SQL Data Control Language, B035-1149.

The following table describes the options for using trusted sessions.