16.10 - About Auto Provisioned Directory Users - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

Auto provisioning allows directory principals to get a Teradata Database logon automatically, without a DBA creating a database account. To use auto provisioning, auto provisioning must be enabled on the database system and the directory principal must be a member of a Teradata external role or profile. The directory principal must not be mapped to a database user object.

At the initial logon, a database user identity is created for the auto provisioned user. The database user account is given a NULL password. Attributes, such as SPOOL space, are allocated according to the profile to which the directory principal is mapped or set to zero if the directory principal is not a member of a profile.

The privileges given to the auto provisioned account are determined by the external role to which the directory user is assigned. If an auto provisioned directory user is assigned to an external role and is also granted a role in the database, the user is allowed to have the privileges of both roles; however, the user is externally authenticated, so only external roles are active for the session. A granted role must be explicitly enabled. If the directory principal is not assigned to a role, the user inherits privileges from EXTERNAL_AP (a system user).

In subsequent logons, the user must authenticate through an authentication mechanism, such as the directory or Kerberos. Auto provisioned users are authorized by the directory.

By default, auto provisioning is disabled. When it is disabled, external directory users who are not mapped to permanent database users are logged on as EXTUSER.

There are several advantages in using auto provisioning instead of EXTUSER.

  • Auto provisioning removes the privilege limitations that EXTUSER is subject to; for example, EXTUSER has no USER right, no WITH GRANT OPTION, and no per-DSA-user grant/revoke.
  • Auto provisioning allows assignment of SPOOL and TEMP space on a per user basis.
  • Auto provisioned users can be identified by tools such as Viewpoint and TASM.
  • Auto provisioned users can be individually logged.

Prerequisites for Auto Provisioning

A supported directory server must be running and configured for authorization.

The LDAP, Kerberos (KRB5), or SPNEGO authentication mechanisms in TDGSS must be configured to authorize users. This means TDGSS must be configured on Teradata Database nodes and Unity servers with MechanismEnabled = “yes” and AuthorizationSupported = “yes”.

External authentication must be enabled in the database and on the gateway.

The AutoProvision DBSControl parameter must be enabled. Run dbscontrol and enter m g 81 T.

Profiles and external roles must exist in the database. Matching profile and role objects must exist in the directory.

The directory principals to whom you want to provide auto provisioning must be assigned to roles or profiles in the directory.

Directory principals must not be mapped to a database user object.

Setting Up Auto Provisioning

If your directory, users, roles, profiles, and external authentication need to be set up, follow the steps in Directory Database User Implementation Process to configure everything, including auto provisioning.

If your directory, directory users, directory and database roles and profiles, and external authentication are already set up, perform the following steps to enable and use auto provisioning.

  1. Enable the AutoProvision parameter in DBSControl.
    dbscontrol m g 81 T
  2. To provide auto provisioning to selected directory principals, assign them to database objects (roles or profiles) in the directory. On their first logon attempt, a database account is created for these users.
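As an added example (not Teradata's own code or tooling), the following Python covers two points from this page: the TDGSS prerequisite that the LDAP, KRB5 or SPNEGO mechanism carries both MechanismEnabled = "yes" and AuthorizationSupported = "yes", and the first-logon outcome rules (a mapped principal is never auto provisioned, EXTUSER when AutoProvision is off, privileges from the external role or from EXTERNAL_AP, space from the profile or zero). The XML layout of the TDGSS fragment and the sample values are assumptions constructed for this example; check them against your own TdgssUserConfigFile.xml.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed TDGSS fragment (assumed layout, not from a real install):
# LDAP fully set up, KRB5 authenticates but does not authorize, SPNEGO off.
SAMPLE_TDGSS = """<Root>
  <Mechanism Name="ldap">
    <MechanismProperties MechanismEnabled="yes" AuthorizationSupported="yes"/>
  </Mechanism>
  <Mechanism Name="krb5">
    <MechanismProperties MechanismEnabled="yes" AuthorizationSupported="no"/>
  </Mechanism>
  <Mechanism Name="spnego">
    <MechanismProperties MechanismEnabled="no" AuthorizationSupported="yes"/>
  </Mechanism>
</Root>"""
AUTH_MECHS = ("ldap", "krb5", "spnego")  # mechanisms that can authorize users

def authorizing_mechanisms(xml_text):
    """Map each LDAP/KRB5/SPNEGO mechanism to True only when both
    MechanismEnabled and AuthorizationSupported are 'yes'."""
    result = {}
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        name = mech.get("Name", "").lower()
        props = mech.find("MechanismProperties")
        if name not in AUTH_MECHS or props is None:
            continue
        result[name] = all(
            props.get(attr, "no").lower() == "yes"
            for attr in ("MechanismEnabled", "AuthorizationSupported"))
    return result

@dataclass
class Principal:
    mapped_to_db_user: bool  # mapped principals are never auto provisioned
    in_external_role: bool   # member of a Teradata external role in the directory
    in_profile: bool         # member of a Teradata profile in the directory

def logon_outcome(p, auto_provision):
    """First-logon outcome; 'ineligible' is this example's label for a principal
    in neither a role nor a profile, a case the page gives no outcome for."""
    if p.mapped_to_db_user:
        return "mapped-user"
    if not auto_provision:
        return "EXTUSER"  # documented default when AutoProvision is off
    if not (p.in_external_role or p.in_profile):
        return "ineligible"
    privs = "external-role" if p.in_external_role else "EXTERNAL_AP"
    space = "profile" if p.in_profile else "zero"
    return f"auto-provisioned(privileges={privs}, space={space})"
```

Running `authorizing_mechanisms(SAMPLE_TDGSS)` on the constructed fragment reports only ldap as satisfying both flags, which is the condition a directory user needs before auto provisioning can take effect.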