16.10 - Rules for Specifying Users as Policy Members - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

You can specify the DN of a tdatUser object, or in some cases the DN of a directory principal object, as a member of a policy to apply the policy to the user.

The DN specification requirements depend on how the user is authenticated and authorized, regardless of policy type.

Authentication Mechanism and Member Definition

TD2
  The DN must be an existing Teradata user object in the directory with a cn that matches a Teradata Database user name.

KRB5 (AuthorizationSupported=no)
  The DN must be an existing Teradata user object in the directory with a cn that matches the Kerberos domain user name.

LDAP (AuthorizationSupported=no)
  The DN must be an existing Teradata user object in the directory with a cn that matches the LDAP logon name for the user.

KRB5 or LDAP (AuthorizationSupported=yes)
  The DN must be either:
  • The DN of a Teradata user object
  • The DN of a directory principal

The choice of user object is subject to the following rules:

If the directory principal is mapped to a Teradata user object, use the DN of the Teradata user object for the member attribute.

If the directory principal is not mapped to a Teradata user object, use the DN of the directory principal for the member attribute.

PROXY
  The PROXY mechanism is used only by the Unity server to log on to connected Teradata Database systems.

If users logging on through Unity are externally authenticated, PROXY must be configured. If PROXY is configured, Unity also uses the PROXY mechanism for TD2 sessions.

If PROXY is configured, create a PROXY mechanism policy and assign policy membership to the Unity user for each server. To secure Unity connections to the database:

  1. Define the Unity user as part of initial setup of each Unity server. See the Teradata Unity documentation.
  2. Re-specify the Unity user and password on each Unity server when configuring the certificate and private key for use with externally authenticated Teradata Database users. For information about Unity, see Teradata Unity Installation, Configuration, and Upgrade Guide for Customers (B035-2523) and Teradata Unity User Guide (B035-2520).
  3. Define each Unity user as a Teradata user object in the directory, as shown in the diagram in Using LDAP Directory Objects in Policies.
  4. Assign PROXY policy membership to the Unity user for each Unity server in the directory. For instructions on the syntax used to assign membership to users, see the topics for each policy type beginning with Configuring a Security Mechanism Policy.
Do not assign a PROXY policy to any other user.
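The member-selection rules above, including the PROXY row, as an added runnable check for the DN an administrator is about to place in a policy's member attribute. This is example code written for this page, not Teradata's own; the directory DNs, the container path under which the tdatUser objects sit, and the principal-to-user mapping are constructed assumptions.

```python
import re

# Constructed sample directory contents (assumptions for illustration only).
TDAT_USER_DNS = [
    "cn=dbadmin,cn=users,cn=tdatTeradataDatabaseSystem,o=example",
    "cn=alice,cn=users,cn=tdatTeradataDatabaseSystem,o=example",
    "cn=unity01,cn=users,cn=tdatTeradataDatabaseSystem,o=example",
]
# Directory principal DN -> DN of the Teradata user object it is mapped to (None = unmapped).
PRINCIPAL_MAPPING = {
    "uid=alice,ou=people,o=example": "cn=alice,cn=users,cn=tdatTeradataDatabaseSystem,o=example",
    "uid=bob,ou=people,o=example": None,
}

_RDN = re.compile(r"^\s*([A-Za-z][\w-]*)=((?:\\.|[^,\\])*)")

def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, unescaping RFC 4514 backslash escapes."""
    m = _RDN.match(dn)
    if not m:
        raise ValueError(f"not a DN: {dn!r}")
    return m.group(1).lower(), re.sub(r"\\(.)", r"\1", m.group(2)).strip()

def tdat_user_dn_for(name):
    """Find the Teradata user object whose cn matches the logon name (cn matching ignores case)."""
    for dn in TDAT_USER_DNS:
        attr, value = first_rdn(dn)
        if attr == "cn" and value.casefold() == name.casefold():
            return dn
    return None

def policy_member_dn(mechanism, logon_name, authorization_supported=False, principal_dn=None):
    """Return the DN to put in the policy member attribute for this user, or raise ValueError."""
    mechanism = mechanism.upper()
    # TD2, KRB5/LDAP without authorization, and PROXY (Unity user only): must be a tdatUser DN
    # whose cn matches the database, Kerberos or LDAP logon name respectively.
    if mechanism in ("TD2", "PROXY") or (mechanism in ("KRB5", "LDAP") and not authorization_supported):
        dn = tdat_user_dn_for(logon_name)
        if dn is None:
            raise ValueError(f"{mechanism}: no Teradata user object with cn={logon_name!r}")
        return dn
    if mechanism in ("KRB5", "LDAP"):  # AuthorizationSupported=yes
        if principal_dn is None:
            raise ValueError(f"{mechanism}: directory principal DN is required")
        mapped = PRINCIPAL_MAPPING.get(principal_dn)
        # Mapped principal -> use the Teradata user object's DN; unmapped -> the principal's own DN.
        return mapped if mapped else principal_dn
    raise ValueError(f"unknown mechanism {mechanism!r}")
```

Run it against a directory export before editing policies; a ValueError means the user has no valid member DN under the rules for that mechanism.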