16.10 - Creating CONSTRAINT Objects - Teradata Database

Teradata Database Security Administration

Product
Teradata Database
Release Number
16.10
Release Date
June 2017
Content Type
Administration
Security
Publication ID
B035-1100-161K
Language
English (United States)

You can create a constraint object using the CREATE CONSTRAINT statement, for example:

CREATE CONSTRAINT  name   data_type, [NULL|NOT NULL],
      VALUES value_name:integer_code ...[, value_name:integer_code],
         Insert SYSLIB.insert_udf_name  ,
         Update SYSLIB.update_udf_name  ,
         Delete SYSLIB.delete_udf_name  ,
         Select SYSLIB.select_udf_name  ;

where:

Syntax Element Description
name The constraint name must be unique and must correspond to a classification category, for example, Classification_Level for the Security Classification category.
data_type Defines how a label value from a defined name:value pair is encoded in corresponding constraint columns. Allowable types are:
  • Smallint: A numeric encoding representing a hierarchical level. Range 1-10,000 (not zero).
  • Byte(n): A hex encoding, in which each applicable compartment in a non-hierarchical category is a bit position in the hex code.

See Security Classification Types and Required CONSTRAINT Object Settings.

[NULL|NOT NULL] Specifies whether a constraint column value can be null. The default is NULL if the option is not specified.

For example, security policies that require a row value to have no classification before it can be deleted must specify the NULL option.

  • VALUES value_name:integer_code
  • ...[, value_name:integer_code]
A series of name:value pairs that define either:
  • Members of a hierarchy
  • Individual compartments in a non-hierarchical set
  • Insert SYSLIB.insert_udf_name ,
  • Update SYSLIB.update_udf_name ,
  • Delete SYSLIB.delete_udf_name ,
  • Select SYSLIB.select_udf_name ;
Specifies up to 4 security constraint UDFs, with no more than 1 of each type.

Each entry specifies an SQL operation and the name of the UDF that controls the operation.

If a UDF is not specified for an SQL operation, only users with the corresponding OVERRIDE privilege can execute the operation.

A UDF must exist in the system before you can specify it in a CONSTRAINT object.