16.10 - Using tdspolicy to Find Policy Assignments for a User - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

You can run the tdspolicy tool from the command prompt on a Teradata Database node to investigate the security policy assignments that are currently in effect for a specific combination of user, profile, and logon IP address.

For externally authenticated or authorized users, you can base the specification of tdspolicy command line variables on the information provided by tdsbind testing.

For example:

tdspolicy -u user -i ip_address [-s service] [-p profile]

where:

Option Description
-u user Required.

You can specify a Teradata Database user name if:

  • The user is authenticated by Teradata Database (TD2 mechanism)
  • The user is authenticated by Kerberos (KRB5 mechanism) or LDAP and AuthorizationSupported=no
  • The user is authenticated by Kerberos (KRB5 mechanism) or LDAP, AuthorizationSupported=yes, and the user is mapped to a tdatUser entry.

    If a directory user is mapped to multiple tdatUser objects, and more than one object has security policy assignments, the most restrictive policy applies. For details, see the configuration instruction for each policy type.

You can specify the DN of a directory principal for a directory user if the user is authenticated using KRB5 or LDAP, AuthorizationSupported=yes, and the user is not mapped to a tdatUser entry.

-i ip_address Required.

The IP address from which the user logs on.

-s service Required to return information on a local security policy. Specify the DN of the service that contains the local policy.
If the -u user authenticates in a specific service, -s must specify the DN of that service.

If this option is not present to request local policy information for a specific service, tdspolicy returns information for the global policy, if a global policy exists.

For information on global policy, see Configuring Policy-Related Properties for a Global Security Policy.

-p profile Optional. Identifies an existing profile that is assigned to the user.
  • For permanent database users, the profile specified in the user definition.
  • For directory principals, a profile to which the principal is mapped in the directory.

The tdspolicy command returns information indicating whether any policy applies to the specified profile.

If a directory principal is mapped to a Teradata user and a profile in the directory, the mapped profile takes precedence over the profile assigned to the mapped permanent user.
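
As an added example (not Teradata's own code), the POSIX shell helper below assembles a tdspolicy command line from the options described above, quoting DNs so they survive the shell and choosing the -p value by the precedence rule for directory-mapped profiles. The function names, the argument order, the IP address character check and the sample values are assumptions made for illustration; the helper prints the command and does not run it.

```shell
#!/bin/sh
# Added example: assemble a tdspolicy command line (options -u, -i, -s, -p only).
# Function names, argument order and sample values are assumptions.

# quote ARG: wrap ARG in single quotes so DNs with spaces, commas or quotes
# reach tdspolicy as one argument.
quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_tdspolicy_cmd USER IP [SERVICE_DN] [DIRECTORY_PROFILE] [DATABASE_PROFILE]
# Prints the command line; exits with status 2 if a required value is missing
# or malformed. The body runs in a subshell, so its variables stay local.
build_tdspolicy_cmd() (
    user=$1 ip=$2 service=${3:-} dir_profile=${4:-} db_profile=${5:-}

    # -u and -i are required.
    if [ -z "$user" ] || [ -z "$ip" ]; then
        echo "error: -u user and -i ip_address are required" >&2
        exit 2
    fi
    # Assumed sanity check: allow only characters found in IPv4/IPv6 literals.
    case $ip in
        *[!0-9A-Fa-f.:]*)
            echo "error: not an IP address literal: $ip" >&2
            exit 2 ;;
    esac

    cmd="tdspolicy -u $(quote "$user") -i $(quote "$ip")"

    # -s requests the local policy of one service; without it the global
    # policy (if any) is reported.
    if [ -n "$service" ]; then cmd="$cmd -s $(quote "$service")"; fi

    # A profile mapped in the directory takes precedence over the profile
    # assigned to the mapped permanent user.
    profile=${dir_profile:-$db_profile}
    if [ -n "$profile" ]; then cmd="$cmd -p $(quote "$profile")"; fi

    printf '%s\n' "$cmd"
)

# Constructed sample: directory principal, local policy of one service.
build_tdspolicy_cmd "cn=jdoe,ou=people,dc=example,dc=com" 192.0.2.10 \
    "cn=svc1,ou=services,dc=example,dc=com" dir_profile db_profile
```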