16.10 - Using Access Logging for Directory-Based Users - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

Access logging for directory-based users follows the same rules as access logging for database users, with the following exceptions:

  • A SELECT USER request normally returns the current user for a session. When a directory-based user is logged on, a SELECT USER request returns either:
    • The name of the permanent user to which the directory user is mapped
    • The authcid (logon username) of the directory user, if not mapped to a permanent user
  • A SELECT ROLE request returns the current role for the session. If the directory user is mapped only to EXTUSER, the initial current role for a directory-based logon is a dummy role called EXTERNAL. Any time the directory-assigned roles are enabled, a SELECT ROLE request returns EXTERNAL as its result.

During access logging, the system identifies directory users by their authcid, which it stores in DBC.SessionTbl.AuditTrailId when it establishes the session.

The stored authcid has the same format for all directory types.

If the converted authcid exceeds 128 bytes, the system truncates it to 128 bytes. Two directory users whose authcids share the same first 128 bytes are therefore indistinguishable in the access log, so every authcid should be unique within its first 128 bytes.
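The 128-byte limit on DBC.SessionTbl.AuditTrailId is the one point above where a practitioner can get a silent loss of accountability: two long, distinct authcids that agree in their first 128 bytes leave identical audit records. The following check, written for this page as an added example and not Teradata's own tooling, takes a list of authcids (here a constructed sample of LDAP-style names) and reports which ones would be truncated and which ones collide after truncation. It assumes the authcids are converted to UTF-8 before storage; the byte length, not the character count, is what the limit applies to, so the encoding used is passed explicitly.

```python
"""Pre-flight check: which directory authcids become ambiguous in the
Teradata access log once AuditTrailId is truncated to 128 bytes?

Added example for this page; not part of Teradata's documentation or tools.
Assumption: authcids are stored after conversion to UTF-8. Pass a different
encoding if the server character set differs.
"""
from collections import defaultdict

# Documented limit: AuditTrailId keeps at most the first 128 bytes.
AUDIT_TRAIL_ID_MAX_BYTES = 128


def audit_trail_key(authcid: str, encoding: str = "utf-8") -> bytes:
    """Return the bytes the audit trail would actually store for an authcid.

    Truncation is by bytes, not characters, so a multibyte character that
    straddles byte 128 is simply cut; that mirrors the documented behaviour.
    """
    return authcid.encode(encoding)[:AUDIT_TRAIL_ID_MAX_BYTES]


def truncated_authcids(authcids, encoding: str = "utf-8") -> list:
    """Authcids longer than the limit; these are stored incompletely."""
    return sorted(
        a for a in authcids
        if len(a.encode(encoding)) > AUDIT_TRAIL_ID_MAX_BYTES
    )


def find_ambiguous_authcids(authcids, encoding: str = "utf-8") -> dict:
    """Group authcids by their stored key and return only the groups in
    which more than one distinct authcid maps to the same key.

    Result: {stored_key_bytes: [authcid, ...]} for every collision.
    """
    groups = defaultdict(set)
    for authcid in authcids:
        groups[audit_trail_key(authcid, encoding)].add(authcid)
    return {key: sorted(members) for key, members in groups.items()
            if len(members) > 1}


# Constructed sample input (hypothetical names, not from any real directory).
# The long prefix is deliberately more than 128 bytes so that the two service
# accounts differ only past the truncation point.
_LONG_PREFIX = (
    "cn=Application Service Account,"
    "ou=Enterprise Data Platform Engineering,"
    "ou=Global Infrastructure Services,"
    "ou=Corporate Technology Services,"
)
SAMPLE_AUTHCIDS = [
    "jdoe",
    "uid=jdoe,ou=people,dc=example,dc=com",
    _LONG_PREFIX + "dc=example,dc=com",
    _LONG_PREFIX + "dc=example,dc=net",
]


def report(authcids, encoding: str = "utf-8") -> str:
    """Human-readable summary suitable for a pre-deployment review."""
    lines = []
    for a in truncated_authcids(authcids, encoding):
        lines.append(f"TRUNCATED ({len(a.encode(encoding))} bytes): {a}")
    for key, members in find_ambiguous_authcids(authcids, encoding).items():
        lines.append(f"AMBIGUOUS key={key[:40]!r}... ->")
        lines.extend(f"    {m}" for m in members)
    return "\n".join(lines) if lines else "no truncation or collisions"


if __name__ == "__main__":
    print(report(SAMPLE_AUTHCIDS))
```

Run this against an export of the directory users that will be allowed to log on (for example the output of an LDAP search over the mapped groups) before enabling access logging; any entry under AMBIGUOUS should be renamed or re-mapped to a permanent user so that the audit trail identifies it uniquely.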