16.10 - AuthorizationSupported - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

This property determines whether the mechanism supports directory authorization of users.

Valid Settings

| Setting | Description |
|---------|-------------|
| yes | The database accepts external authorization of user privileges. Yes is the default for LDAP and TDNEGO. |
| no | The database authorizes user privileges internally. No is the default for all mechanisms, except for LDAP and TDNEGO. |

Supporting Mechanisms for AuthorizationSupported

Mechanisms that are not listed in the table do not support this property. The Property Editable column indicates if the setting for a property may be edited.

| Mechanism | Property Editable? |
|-----------|--------------------|
| KRB5 * | May Be Edited |
| SPNEGO * | |
| LDAP | |
| TDNEGO | |

* To set this property to yes for KRB5 or SPNEGO, you must copy the LdapServerName property from the TdgssLibraryConfigFile.xml into the TdgssUserConfigFile.xml, and then configure the property value.

Editing Guidelines

  • AuthorizationSupported must be set to yes if the directory authorizes user privileges, that is, if directory users are mapped to database objects.
  • You can edit this property in the TDGSS version of the TdgssUserConfigFile.xml on the database, and in the Unity version of the configuration file on the Unity server (for Unity information, see Teradata Unity Installation, Configuration, and Upgrade Guide for Customers). If the database configuration is set to yes, the Unity configuration must be set to yes; if the database is set to no, Unity can be set to yes or no.
  • When the value of this property is set to yes, the Gateway looks for authorization information in the directory identified by the LdapServerName property configured for the mechanism.
  • When the value of this property is set to no, the Gateway ignores any authorization information in the directory. This setting allows you to authenticate directory users with LDAP, while authorizing user privileges in the database.
  • Do not modify the AuthorizationSupported property for the TDNEGO mechanism because it does not use this property. TDNEGO passes the entire logon string to the underlying mechanisms, which means TDNEGO always supports authorization. Note that the underlying mechanism may not support authorization.
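
The editing guidelines above can be checked mechanically. The following Python audit is an added example, not Teradata code: it compares a database configuration with a Unity configuration and reports violations of the rules on this page. The `Mechanism` / `MechanismProperties` element layout, the assumption that the Unity file uses the same layout, and the sample XML (including the directory host name) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults stated on the page: yes for LDAP and TDNEGO, no for every other mechanism.
DEFAULT_YES = {"ldap", "tdnego"}

def load(xml_text):
    """Return {mechanism: attribute dict}. The Mechanism/MechanismProperties
    layout is an assumption about the file format; adjust it to your file."""
    mechs = {}
    for m in ET.fromstring(xml_text).iter("Mechanism"):
        props = m.find("MechanismProperties")
        mechs[m.get("Name", "").lower()] = dict(props.attrib) if props is not None else {}
    return mechs

def effective(mechs, name):
    """AuthorizationSupported for a mechanism, falling back to the documented default."""
    default = "yes" if name in DEFAULT_YES else "no"
    return mechs.get(name, {}).get("AuthorizationSupported", default).lower()

def audit(db_xml, unity_xml):
    """Return a list of findings for the database and Unity configurations."""
    db, unity = load(db_xml), load(unity_xml)
    findings = []
    for name in sorted(db):
        props = db[name]
        if name == "tdnego" and "AuthorizationSupported" in props:
            findings.append("tdnego: AuthorizationSupported is overridden; TDNEGO does not use it")
        if name in ("krb5", "spnego") and effective(db, name) == "yes" and not props.get("LdapServerName"):
            findings.append(f"{name}: yes requires LdapServerName in TdgssUserConfigFile.xml")
        if effective(db, name) == "yes" and effective(unity, name) != "yes":
            findings.append(f"{name}: database is yes, so Unity must also be yes")
    return findings

# Constructed sample input, not taken from a real system.
DB_XML = """<TdgssConfigFile>
  <Mechanism Name="ldap"><MechanismProperties AuthorizationSupported="yes" LdapServerName="ldap://dir.example.com"/></Mechanism>
  <Mechanism Name="KRB5"><MechanismProperties AuthorizationSupported="yes"/></Mechanism>
  <Mechanism Name="TDNEGO"><MechanismProperties AuthorizationSupported="no"/></Mechanism>
</TdgssConfigFile>"""
UNITY_XML = """<TdgssConfigFile>
  <Mechanism Name="ldap"><MechanismProperties AuthorizationSupported="no"/></Mechanism>
  <Mechanism Name="KRB5"><MechanismProperties AuthorizationSupported="yes"/></Mechanism>
</TdgssConfigFile>"""

if __name__ == "__main__":
    for line in audit(DB_XML, UNITY_XML):
        print(line)
```

With the sample input, the audit reports the KRB5 mechanism missing LdapServerName, the LDAP mismatch between the database and Unity, and the overridden TDNEGO property.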