16.10 - Setting Up Trusted Sessions and Proxy Users - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

  1. Grant the CTCONTROL privilege to one or more administrators, which allows them to grant trusted user status to middle-tier applications, and to define proxy users and their database privileges.

    See About the CTCONTROL Privilege.

  2. Create a database user for the trusted user application, that is, the identity with which the application logs on to Teradata Database.
  3. Use a GRANT CONNECT THROUGH statement to define:
    • An existing database user identity for the trusted user
    • One or more proxy users who can log on to the database through the trusted user
    • One or more database role names, which define privileges available to the proxy users
    • A profile, which defines session attributes for application proxy users, including their temp and spool space and query band parameters.
      You can submit a separate GRANT CONNECT THROUGH statement with the WITH TRUST_ONLY clause to prevent end users from submitting SET QUERY_BAND statements that set or update a proxy user.

      See Working with Middle-Tier Application Users.

  4. Set up the trusted user application to use query banding, which collects user information and sends it to the database. Since the application authenticates the end users, logons to the database from the application must include a SET QUERY_BAND statement to send proxy user information to the database.

    Developers or application programmers must embed code in the middle-tier application program to derive the required information from the user logon, insert it into a SET QUERY_BAND statement, and then forward the statement to the database.

    The application must tag a user request as trusted or not trusted, to enforce the WITH TRUST_ONLY clause of the GRANT CONNECT THROUGH statement.

    For detailed information on using SET QUERY_BAND in a middle-tier application to facilitate trusted sessions, see SQL Data Definition Language - Syntax and Examples and the Teradata Orange Book, Using Query Banding in the Teradata Database.
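The following sketch of step 4 is an added example, not code from the Teradata documentation: it maps an authenticated application logon to a proxy user, refuses names that could inject extra query band pairs, and sends the SET QUERY_BAND statement first on the trusted user's connection. PROXYUSER and PROXYROLE are the reserved query band names for proxy identity; the logon-to-proxy map, the name pattern, the function names and the DB-API style cursor are assumptions. Tagging the request as trusted depends on the client interface in use and is not shown.

```python
import re

# Assumption: proxy user and role names fit this conservative pattern;
# widen it only to match the names your site actually grants.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,29}")

# Constructed sample data: application logon -> (proxy user, role), mirroring
# the proxy users and roles named in the site's GRANT CONNECT THROUGH.
PROXY_MAP = {
    "alice@example.com": ("alice_px", "sales_role"),
    "bob@example.com": ("bob_px", "report_role"),
}


def build_query_band(app_logon, proxy_map=PROXY_MAP):
    """Return the SET QUERY_BAND statement for an authenticated end user."""
    try:
        proxy_user, proxy_role = proxy_map[app_logon]
    except KeyError:
        # Fail closed: never fall back to the trusted user's own privileges.
        raise PermissionError(f"no proxy user defined for {app_logon!r}") from None
    for name in (proxy_user, proxy_role):
        # fullmatch rejects ';', '=', quotes and whitespace, so a name cannot
        # add name=value pairs or terminate the SQL string literal.
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe query band value: {name!r}")
    band = f"PROXYUSER={proxy_user};PROXYROLE={proxy_role};"
    return f"SET QUERY_BAND = '{band}' FOR SESSION;"


def start_trusted_session(cursor, app_logon, proxy_map=PROXY_MAP):
    """Send the query band on a connection logged on as the trusted user.

    `cursor` is any DB-API style object with execute(); the driver is assumed.
    """
    statement = build_query_band(app_logon, proxy_map)
    cursor.execute(statement)
    return statement
```
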