16.10 - Creating an IP XML Restriction Document - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

After you design the needed IP filters, you can use them to create an XML restriction document.

The examples in the following procedure use the filters created in Designing IP XML Restrictions.
  1. Open a text editor, such as vi or Notepad.
  2. Create the framework for the XML document, specifying the required information and element tags.
    <?xml version="1.0" encoding="UTF-8"?>
    <tdat name="tdat">
      <system name="gizmo">
        <users>
          ...
        </users>
        <ipfilters>
          ...
        </ipfilters>
      </system>
    </tdat>

    where:

    <?xml version="1.0" encoding="UTF-8"?>
        The XML declaration. version="1.0" indicates the version of XML used to generate the document and is for reference only; encoding="UTF-8" defines the character set used in the XML document.

    <tdat name="tdat">
        Specifies the name of the XML document root element. See tdat.

    <system name="gizmo">
        Specifies the name of the system to which the IP restrictions apply. The name must match the tdpid that affected users specify when they log on to the database. See system.

    <users> ... </users>
        The beginning and end element tags for the list of users to which the restrictions in the XML document apply. See users.

    <ipfilters> ... </ipfilters>
        The beginning and end element tags for the list of filter definitions, which define the restrictions in the XML document. See ipfilters.

    </system> </tdat>
        These element tags close the XML IP restriction document.
  3. Add the list of users that are affected by the restrictions, by entering a user element tag and a valid Teradata Database username for each user.
    This list must contain all users affected by any filter in the document.
    <users>
      <user name="drct01" tag="xyzzy"/>
      <user name="perm01" tag="noside"/>
      <user name="extuser" tag="shazam"/>
    </users>

    where:

    <user name="drct01" tag="xyzzy"/>
        name: a valid Teradata Database username.
        tag: an XML document tag that links the Teradata Database username to an IP filter. A filter applies to the user when the tag value appears in the tagref attribute of one of the filter's appliesto elements.
  4. Add the IP filters that define the IP restrictions for all users.
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.0.0/255.255.0.0"/>
        <deny ip="141.206.35.0/255.255.255.0"/>
        <appliesto tagref="xyzzy"/>
        <appliesto tagref="shazam"/>
      </ipfilter>
      <ipfilter name="filter2" type="permissive">
        <deny ip="141.206.35.0/255.255.255.0"/>
        <allow ip="141.206.35.175/255.255.255.255"/>
        <appliesto tagref="noside"/>
        <appliesto tagref="xyzzy"/>
      </ipfilter>
    </ipfilters>

    where:

    Term Description
    <ipfilter name="filter1" type="restrictive"> Specifies the name of the primary filter listed in the restriction document, a restrictive filter.
    <allow ip="141.206.0.0/ Specifies the IP range allowed by filter1.

    This filter allows access to the database for any IP addresses within the 141.206 subnet unless they explicitly appear in a deny element.

    Because the filter is restrictive, it automatically denies access to all IPs outside those specified in the allow element.

    255.255.0.0"/> Defines the allow element mask. The zeros in the third and fourth segments cause the filter to test only the first 16 bits of the incoming IP address against the allowed IP.

    The filter allows access for IPs that have values in the segments inhabited by zeros, as long as the first 16 bits specify the 141.206 subnet.

    <deny ip="141.206.35.0/ Specifies the range of the deny filter, which denies access to IPs in the 141.206.35 subnet, even though the subnet is within the 141.206 range specified in the allow element.
    255.255.255.0"/> Defines the deny element mask. This mask causes the filter to test the first 24 bits of an incoming IP address against the denied IP.

    The zero indicates the filter does not use the last 8 bits of an incoming IP address in deny-testing.

    <appliesto tagref="xyzzy"/> <appliesto tagref="shazam"/> Applies the restriction described in filter1 applies to users drct01 and perm01, because it specifies their tag attributes, xxzzy and shazam.
    Each appliesto tagref value must correspond to a tag attribute for an individual Teradata Database user listed in a user element in the document
    <ipfilter name="filter2" type="permissive"> Specifies the name of the secondary filter listed in the restriction document, a permissive filter.
    <deny ip="141.206.35.0/ The IP denied by filter2.

    The filter denies access to the database for any IP addresses within the 141.206.35 subnet unless they explicitly appear in an allow element.

    Because the filter is permissive, it allows access to all other IPs outside those specified the deny elements.

    255.255.255.0"/> The 255 in each decimal-separated segment of the mask indicates the filter tests the corresponding segment of the IP address for access denial.

    The zero indicates that no testing is done for the corresponding segment of the IP address.

    This mask causes the filter to test the first 24 bits of the incoming IP address against the denied IP.

    <allow ip="141.206.35.175/ The IP exceptions allowed by filter2.

    The filter allows access to the database for IP address 141.206.35.175 even though it is otherwise disallowed by the more general parameters of the deny element.

    255.255.255.255"/> The allow IP mask. The 255 in each decimal-separated segment of the mask indicates that the filter tests the corresponding segment of the IP address for allowed access.

    This mask causes the filter to test all 32 bits of the incoming IP address against the allowed IP.

    <appliesto tagref="noside"/> <appliesto tagref="xyzzy"/> The restrictions described in filter2 apply to the database users noside and xxzzy.
    Each appliesto tagref value must correspond to a tag attribute for an individual Teradata Database user listed in a user element in the document
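The following Python script is an added example and is not part of the Teradata documentation or product. It parses the document assembled in steps 2 to 4 (embedded as a constructed sample), applies the check from step 4 that every appliesto tagref names the tag of a listed user, and replays the allow/deny and mask semantics described in step 4 for a given user and source address. Those semantics are taken from the prose above (restrictive: deny by default, allow elements admit a range and deny elements carve addresses back out of it; permissive: allow by default, deny elements block a range and allow elements list exceptions). How Teradata combines two filters that reference the same user, as filter1 and filter2 both do for drct01, is not described in this procedure, so the script reports each filter's verdict separately rather than guessing a merge rule. All function names are the example's own.

```python
"""Offline evaluator for a Teradata-style IP XML restriction document.

Added example, not Teradata code: it parses the document built in the
procedure above and replays the allow/deny semantics that step 4 describes,
so you can check what a filter does to a user and source address before
loading the document into a system.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the exact document assembled in steps 2 to 4 above.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="gizmo">
    <users>
      <user name="drct01" tag="xyzzy"/>
      <user name="perm01" tag="noside"/>
      <user name="extuser" tag="shazam"/>
    </users>
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.0.0/255.255.0.0"/>
        <deny ip="141.206.35.0/255.255.255.0"/>
        <appliesto tagref="xyzzy"/>
        <appliesto tagref="shazam"/>
      </ipfilter>
      <ipfilter name="filter2" type="permissive">
        <deny ip="141.206.35.0/255.255.255.0"/>
        <allow ip="141.206.35.175/255.255.255.255"/>
        <appliesto tagref="noside"/>
        <appliesto tagref="xyzzy"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>
"""


def matches(rule: str, addr: str) -> bool:
    """True if addr falls inside rule, written as 'address/dotted-mask'.

    Only the bits set in the mask are compared: 255.255.0.0 tests the first
    16 bits, 255.255.255.255 tests all 32, and a zero octet is 'don't care'.
    """
    base, mask = rule.split("/")
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(base)) & m)


def load_document(xml_text: str) -> dict:
    """Parse the tdat/system/users/ipfilters structure into plain dicts."""
    system = ET.fromstring(xml_text).find("system")
    users = {u.get("name"): u.get("tag") for u in system.find("users")}
    filters = [
        {
            "name": f.get("name"),
            "type": f.get("type"),
            "allow": [a.get("ip") for a in f.findall("allow")],
            "deny": [d.get("ip") for d in f.findall("deny")],
            "tagrefs": [a.get("tagref") for a in f.findall("appliesto")],
        }
        for f in system.find("ipfilters")
    ]
    return {"system": system.get("name"), "users": users, "filters": filters}


def validation_errors(doc: dict) -> list:
    """Checks stated in the procedure: every appliesto tagref must name the tag
    of a user in the users element, and type must be one of the two kinds used."""
    errors = []
    tags = set(doc["users"].values())
    for f in doc["filters"]:
        if f["type"] not in ("restrictive", "permissive"):
            errors.append(f"{f['name']}: unknown filter type {f['type']!r}")
        for ref in f["tagrefs"]:
            if ref not in tags:
                errors.append(f"{f['name']}: appliesto tagref {ref!r} matches no user tag")
    return errors


def evaluate_filter(flt: dict, addr: str) -> bool:
    """Apply one filter to a source address as step 4 describes it.

    restrictive: everything is denied except addresses in an allow element,
                 and a deny element carves addresses back out of that range.
    permissive:  everything is allowed except addresses in a deny element,
                 and an allow element lists exceptions to that range.
    """
    in_allow = any(matches(r, addr) for r in flt["allow"])
    in_deny = any(matches(r, addr) for r in flt["deny"])
    if flt["type"] == "restrictive":
        return in_allow and not in_deny
    return in_allow or not in_deny


def decisions(doc: dict, user: str, addr: str) -> dict:
    """Return {filter name: allowed} for each filter whose appliesto references
    the user's tag. A user may be referenced by several filters (drct01 is in
    both); how they combine is not part of this procedure, so verdicts are
    reported per filter rather than merged (assumption of this example)."""
    tag = doc["users"][user]
    return {f["name"]: evaluate_filter(f, addr) for f in doc["filters"] if tag in f["tagrefs"]}


if __name__ == "__main__":
    doc = load_document(SAMPLE_XML)
    assert not validation_errors(doc), validation_errors(doc)
    for user, addr in [("extuser", "141.206.77.9"), ("extuser", "141.206.35.10"),
                       ("perm01", "141.206.35.10"), ("perm01", "141.206.35.175"),
                       ("drct01", "141.206.35.175")]:
        print(f"{user:8} from {addr:16} -> {decisions(doc, user, addr)}")
```

Run it directly to print the per-filter verdicts for a few sample user/address pairs. The 141.206.35.175 case shows why an overlap such as drct01's deserves attention before the document is loaded: filter1 denies that address to drct01 while filter2 allows it, and the procedure above does not say which wins.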