16.10 - About Database User Types - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

A Teradata Database user:

  • Can log on to the Teradata Database, establish a session, and perform actions.
  • If it has perm space, can contain objects, similar to a database. Users own any objects contained in their perm space.

The method used to define a database user depends on how the user is managed.

| Teradata Database User Type | Description |
|---|---|
| Permanent database user | Define permanent database users in the database using a CREATE USER statement and manage them from within the database. See Creating Permanent Database Users. |
| Directory-based user | Create users in the directory and map them to Teradata Database objects. See Working with Directory Users. |
| Auto provisioned user | If auto provisioning is configured for your system, unmapped users can automatically obtain a Teradata Database user identity on their first logon to the database. To auto provision a database account, the user must have an identity in the directory and be mapped to a Teradata Database object, such as an external role or profile, but not mapped to a Teradata Database user. During auto provisioning, a database user object is automatically generated and granted LOGON WITH NULL PASSWORD privileges. Auto provisioned users must always authenticate externally. Unlike the pseudo-user, EXTUSER, auto provisioned users have permanent, individual identities in the database. This allows them to create and own database objects, and use global temporary tables and volatile tables. Because auto provisioned users have a Teradata Database identity, they can be individually subjected to access logging and workload management rules, and can use administrative tools, such as Teradata Viewpoint. See About Auto Provisioned Directory Users. |
| Application logon user | An application logon user is a permanent database username under which a middle-tier application server logs on to the database. Define application logon users similarly to other permanent users, using the CREATE USER statement. See Working with Middle-Tier Application Users. |
| Application end user | Application end users assume the identity and database privileges of the logon user for the application through which they log on. |
| Trusted user | A trusted user is a middle-tier application that is specially configured to allow end users (proxy users) to log on as individuals. Define trusted users by entering the permanent database username under which the trusted user application logs on to the database in a GRANT CONNECT THROUGH statement. See Working with Middle-Tier Application Users. |
| Proxy user | A proxy user is an end user that logs on to the database through a trusted user application. The system identifies and authorizes the user as an individual. Proxy users can be either permanent database users or other end users unknown to the database. Define proxy users in the database using a GRANT CONNECT THROUGH statement, which also identifies the trusted user application through which the user can log on. For information on creating proxy users, see Working with Middle-Tier Application Users. |
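
The application logon user, trusted user and proxy user definitions described above, shown as an added example that is not taken from the Teradata documentation. All user, role and database names are hypothetical, the password is a placeholder, and alice_analyst is assumed to already exist as a permanent database user.

```sql
-- Added example: every name below is hypothetical.

-- Permanent user under which the middle-tier application server logs on.
-- PERM = 0 because this account is not meant to own objects.
CREATE USER appsrv_logon FROM security_admin AS
  PERM = 0,
  PASSWORD = Placeholder_Pw_1;   -- placeholder, replace before use

-- Role that bounds what end users unknown to the database may do.
CREATE ROLE order_reader;
GRANT SELECT ON sales_db TO order_reader;

-- Naming appsrv_logon in GRANT CONNECT THROUGH makes it a trusted user
-- and, in the same statement, defines who may connect through it.

-- (1) Proxy user that is also a permanent database user.
--     No proxy role is assigned by this grant.
GRANT CONNECT THROUGH appsrv_logon
  TO PERMANENT alice_analyst WITHOUT ROLE;

-- (2) Proxy user that has no database identity (an application end user
--     known only to the middle tier). Its privileges come from the role.
GRANT CONNECT THROUGH appsrv_logon
  TO web_user_1001 WITH ROLE order_reader;

-- In a session logged on as appsrv_logon, the application names the end
-- user through the query band (a standard Teradata mechanism that this
-- page does not describe), so authorization and logging apply to the
-- individual rather than to the shared logon.
SET QUERY_BAND = 'PROXYUSER=web_user_1001;' FOR SESSION;
```

Without the GRANT CONNECT THROUGH statements, anyone using the application is an application end user and is indistinguishable in the database from appsrv_logon itself.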