16.10 - Example: Restrictive Filtering - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Document number: B035-1100-161K
<ipfilter name="filter1" type="restrictive">
      <allow ip="141.206.0.0/255.255.0.0"/>
      <deny ip="141.206.35.0/255.255.255.0"/>
      <appliesto tagref="xyzzy"/>
      <appliesto tagref="shazam"/>
</ipfilter>

where:

Term and description:

ipfilter name="filter1"
    The unique name of an IP filter.

type="restrictive"
    The filter type.

    This term identifies whether the filter is a restrictive or permissive type, and indicates the order in which testing takes place when the filter evaluates an incoming IP address.

<allow ip="141.206.0.0/255.255.0.0"/>
    The allow element appears first in a restrictive filter.

    The allow element is divided into two segments, separated by a slash (/):

      • The filter: <allow ip="141.206.0.0/

        Allows users to access the database from any IP address within the 141.206 subnet, unless the address explicitly appears in the deny element that follows. The filter denies access to all IPs not included in the allow element.

      • The mask: 255.255.0.0"/>

        Determines the extent to which the filter tests an incoming IP address against the access allowed in the allow element. A mask of 255.255.0.0 tests the first two decimal segments of each IP address seeking access, to determine whether or not it falls within the allowed range.

    You can use the allow element in a restrictive filter to specify a higher level in the network tree than what you use for the deny element.

<deny ip="141.206.35.0/255.255.255.0"/>
    The deny element appears second in a restrictive filter.

    The deny element is divided into two segments, separated by a slash (/):

      • The filter: <deny ip="141.206.35.0/

        Explicitly denies all addresses in the 141.206.35 subnet, even though it is within the range of IPs allowed by the allow element. The filter also denies access to other IP addresses if they appear in a subsequent deny element.

      • The mask: 255.255.255.0"/>

        Determines the extent to which the filter tests an incoming IP address against the access denied in the deny element. A mask of 255.255.255.0 tests the first three decimal segments of each IP address seeking access, to determine whether or not it falls within the denied range.

    You can use the deny element in a restrictive filter to specify a lower level in the network tree than you use for the allow element, to define exceptions to the IPs explicitly allowed in the allow element.

    You can use multiple deny elements, if necessary.

<appliesto tagref="xyzzy"/>
    Identifies a user affected by this set of filter rules.

    The appliesto tagref values must correspond to tag attributes assigned to individual users listed in user elements of the XML IP restriction document.

<appliesto tagref="shazam"/>
    Identifies a second user affected by this set of filter rules.
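The evaluation order described above (allow range tested first, then every deny exception, everything else refused) can be made concrete by parsing the filter1 XML and applying it to candidate addresses. This is an added example and not Teradata's own code; it assumes only that the ip attribute is always in address/netmask form and that a user whose tag this filter does not reference is simply unaffected by this particular filter.

```python
"""Evaluate a restrictive <ipfilter> against incoming addresses.

Constructed example: parses the filter1 XML from the page and applies the
documented order of evaluation (allow first, then each deny exception).
"""
import ipaddress
import xml.etree.ElementTree as ET

# The filter from the page, embedded here as constructed sample input.
FILTER_XML = """
<ipfilter name="filter1" type="restrictive">
      <allow ip="141.206.0.0/255.255.0.0"/>
      <deny ip="141.206.35.0/255.255.255.0"/>
      <appliesto tagref="xyzzy"/>
      <appliesto tagref="shazam"/>
</ipfilter>
"""


def parse_filter(xml_text):
    """Return (type, allow networks, deny networks, tagrefs) for one <ipfilter>."""
    root = ET.fromstring(xml_text)
    # The ip attribute is address/netmask; ip_network accepts a dotted mask.
    allow = [ipaddress.ip_network(e.get("ip"), strict=False) for e in root.findall("allow")]
    deny = [ipaddress.ip_network(e.get("ip"), strict=False) for e in root.findall("deny")]
    tags = {e.get("tagref") for e in root.findall("appliesto")}
    return root.get("type"), allow, deny, tags


def restrictive_permits(addr, allow, deny):
    """Restrictive semantics: the address must fall inside an allow range and
    must not fall inside any deny range; anything else is refused."""
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in allow):
        return False  # not covered by an allow element: refused
    return not any(ip in net for net in deny)  # inside a deny exception: refused


def check_login(xml_text, user_tag, addr):
    """True if a user carrying user_tag may connect from addr under this filter.
    Assumption: a tag the filter never references is unaffected by this filter
    (other filters in the restriction document may still apply)."""
    ftype, allow, deny, tags = parse_filter(xml_text)
    if ftype != "restrictive":
        raise ValueError("this helper only evaluates restrictive filters")
    if user_tag not in tags:
        return True
    return restrictive_permits(addr, allow, deny)
```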