16.10 - Security Considerations for Trusted Sessions - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

  • The middle-tier application authenticates end users before it connects them to Teradata Database through a trusted session. Then Teradata Database controls access to database objects based on the proxy user role.
  • Use the WITH TRUST ONLY clause in the GRANT CONNECT THROUGH statement to require that SET QUERY_BAND statements be part of trusted requests.
  • The system enforces logon controls, such as logon restrictions by IP address, only for the middle-tier application logon user (the trusted user), because it does not authenticate proxy users.
  • When a trusted session is established with a permanent proxy user, the permanent proxy user is the owner of and is granted default privileges on new objects.
  • When a trusted session is established with an application proxy user, no automatic privileges are granted on new objects.
  • The system enforces security policies based on the trusted user, not the end (proxy) user. For information on security policy, see Network Security Policy.
  • The system does not allow the SET ROLE statement in a trusted session. The operant role for a proxy user connection is determined by the roles you specify in the CONNECT THROUGH statement that defines the proxy user, along with any role limitations contained in the SET QUERY_BAND statement submitted by the application.
  • Construct the SET QUERY_BAND statement to uniquely identify each end user so that the system can accurately log user sessions.
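An added example, not taken from the Teradata manual, showing how the statements named above fit together: the administrator's GRANT CONNECT THROUGH for a permanent and an application proxy user, and the SET QUERY_BAND the middle-tier application issues once it has authenticated the end user. All object names (app_server, web_user1, app_reader, readonly_role, sales.orders) are constructed placeholders, and the clause is written as WITH TRUST_ONLY on the assumption that this is the DCL spelling of the WITH TRUST ONLY option; check it against the Data Control Language reference.

```sql
-- Run as a database administrator. app_server is the middle-tier logon
-- user (the trusted user); logon controls such as IP restrictions apply
-- to it, not to the proxy users it connects on behalf of.

-- Permanent proxy user: web_user1 exists as a database user, so it owns
-- and receives default privileges on any objects created in the session.
GRANT CONNECT THROUGH app_server
  WITH TRUST_ONLY
  TO PERMANENT web_user1 WITH ROLE readonly_role;

-- Application proxy user: no database user behind the name, so it gets
-- no automatic privileges on new objects and works only through the
-- roles listed here.
GRANT CONNECT THROUGH app_server
  WITH TRUST_ONLY
  TO app_reader WITH ROLE readonly_role;

-- Issued by the application on a session logged on as app_server, after
-- it has authenticated the end user itself. WITH TRUST_ONLY means this
-- query band must arrive as part of a trusted request. SET ROLE is not
-- allowed in a trusted session, so PROXYROLE is the only way to narrow
-- the operant role to one of the roles granted above. Naming the end
-- user in PROXYUSER is what lets session logging attribute work to
-- that person rather than to app_server.
SET QUERY_BAND = 'PROXYUSER=web_user1;PROXYROLE=readonly_role;' FOR SESSION;

-- From here on, object access is checked against readonly_role.
SELECT order_id, order_date FROM sales.orders;

-- When the end user is finished, clear the query band so the pooled
-- connection does not carry one person's identity into the next request.
SET QUERY_BAND = NONE FOR SESSION;
```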