16.10 - Option 2: Directory Authentication and Authorization - Teradata Database

Teradata Database Security Administration

prodname
Teradata Database
vrm_release
16.10
created_date
June 2017
category
Administration
Security
featnum
B035-1100-161K

If directory users do not have matching user names in the database, or if the matching user name does not have all the requisite database privileges, you can authorize privileges in the directory by mapping directory users to database users, and to database external roles and profiles.

  • You can map directory users with very limited access needs to the system-generated pseudo-user, EXTUSER, which has database privileges similar to PUBLIC, by default. Directory users mapped to one or more Teradata Database roles or profiles--and not mapped to a database user--automatically gain EXTUSER privileges in addition to those privileges acquired from the roles/profiles.
  • If the directory user requires an individual database account, you can enable the DBSControl AutoProvision parameter and map the directory user to a role or profile. In this case, a database account is automatically provisioned for the user and they are logged on to the database as that user instead of EXTUSER.

For information on EXTUSER, see Characteristics of Directory Users Mapped to Permanent Database Users.

For information on auto provisioned users, see About Auto Provisioned Directory Users.