Using Access Logging for Directory-Based Users - Advanced SQL Engine - Teradata Database

Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
September 2020
Language
English (United States)
Last Update
2021-01-23
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantage™
Access logging of directory users generally conforms to the rules for use of access logging of database users, with the following exceptions:
  • A SELECT USER request normally returns the current user for a session. When a directory-based user is logged on, a SELECT USER request returns either:
    • The name of the permanent user to which the directory user is mapped
    • The authcid (logon username) of the directory user, if not mapped to a permanent user
  • A SELECT ROLE request returns the current role for the session. If the directory user is mapped only to EXTUSER, the initial current role for a directory-based logon is a dummy role called EXTERNAL. Any time the directory-assigned roles are enabled, a SELECT ROLE request returns EXTERNAL as its result.

During access logging, the system identifies directory users by their authcid, which it stores in DBC.SessionTbl.AuditTrailId when it establishes the session.

The format of the stored authcid is the same for all directory types.

If the authcid exceeds 128 bytes in length (as converted), the system truncates it at 128 bytes. Therefore, all authcids should be unique within the first 128 bytes.
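The following is an added example, not Teradata code: a pre-check that flags directory logon names which would become indistinguishable in the audit trail after truncation at 128 bytes. The page only says "as converted", so the encoding used here is an assumption passed as a parameter, and the sample names are constructed.

```python
from collections import defaultdict

AUDIT_TRAIL_ID_LIMIT = 128  # bytes, per the truncation rule described above


def truncated_id(authcid, encoding="utf-8"):
    """Bytes that survive truncation at 128 bytes.

    The encoding is an assumption; the page does not name the conversion.
    """
    return authcid.encode(encoding)[:AUDIT_TRAIL_ID_LIMIT]


def over_limit(authcids, encoding="utf-8"):
    """Authcids whose converted form is longer than 128 bytes."""
    return [a for a in dict.fromkeys(authcids)
            if len(a.encode(encoding)) > AUDIT_TRAIL_ID_LIMIT]


def find_collisions(authcids, encoding="utf-8"):
    """Groups of distinct authcids that share the same first 128 bytes."""
    groups = defaultdict(list)
    for authcid in dict.fromkeys(authcids):  # drop exact duplicates, keep order
        groups[truncated_id(authcid, encoding)].append(authcid)
    return [names for names in groups.values() if len(names) > 1]


# Constructed sample logon names (not taken from any real directory).
SAMPLE = [
    "jsmith",
    "x" * 64 + "-alice",   # 70 characters
    "x" * 64 + "-bob",     # 68 characters
    "y" * 128 + "1",       # 129 characters
    "y" * 128 + "2",       # 129 characters
]

if __name__ == "__main__":
    # Compare a 1-byte-per-character and a 2-byte-per-character conversion.
    for enc in ("utf-8", "utf-16-le"):
        print(enc, "over limit:", len(over_limit(SAMPLE, enc)))
        for group in find_collisions(SAMPLE, enc):
            print("  collide after truncation:", [g[:12] + "..." for g in group])
```

With a two-byte-per-character conversion the limit is reached after 64 characters, so names that are distinct under a one-byte encoding can still collide in the access log.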