16.10 - About Privileges for User Types - Teradata Database

Teradata Database Security Administration

Product
Teradata Database
Release Number
16.10
Release Date
June 2017
Content Type
Administration
Security
Publication ID
B035-1100-161K
Language
English (United States)

You can assign privileges to database users according to the user type.

User Type Method for granting privileges
Permanent user
  • Grant privileges directly to the user.
  • Create roles and grant privileges to them. Then grant membership in one or more roles to each user (recommended).
Directory-based user
  • Map each directory user to one or more database users that already have database privileges.
  • You can optionally create external roles and grant privileges to them. Then map each directory user to one or more of the external roles.
The system registers objects created by a directory user in the data dictionary, with the mapped permanent user as the owner and creator.
Auto provisioned user
  • Set the AutoProvision DBSControl flag to true.
  • In the directory create an external role or profile for auto provisioned users.
  • Create matching roles and profiles in the database.
  • Grant privileges to the external roles, if created.
  • Map the directory users to the external role or profile.
The privileges given to the auto provisioned account are determined by the external role to which the directory user is assigned. If an auto provisioned directory user is assigned to an external role and is also granted a role in the database, the user is allowed to have the privileges of both roles. However, the user is externally authenticated, so only external roles are active for the session. A granted role must be explicitly enabled. If the directory principal is not assigned to a role, the user inherits privileges from EXTERNAL_AP (a system user).
Proxy user
  • For proxy users that are either permanent database users or users unknown to the database, you can specify one or more roles in the GRANT CONNECT THROUGH statement that defines the proxy.
  • For proxy users that are also permanent database users:
    • You can specify WITHOUT ROLE to use the privileges granted to the permanent user
    • You can assign row level security constraints to the permanent user or the user profile. Proxy user sessions use the profile constraints, if assigned. If no constraints are assigned in the profile, the session uses the user constraints. The user can also use the SET SESSION CONSTRAINT command to access any assigned security constraints.