2.10 - Required Teradata Initiator Connector Privileges - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

prodname: Teradata QueryGrid
vrm_release: 2.10
created_date: September 2019
category: Administration, Configuration, Installation, User Guide
featnum: B035-5991-099K

To maintain security for Teradata connectors used in QueryGrid:

  1. Grant appropriate privileges to those who create and manage foreign servers.
  2. Grant appropriate privileges on authorization objects, if used.

    An authorization object stores a mapping of the local user and password for the remote server.

  3. Set up foreign server objects that match the appropriate access to database and tables needed by Teradata Database users.
  4. Grant Teradata Database users appropriate privileges on the foreign server objects.

Privileges for Administrators

CREATE SERVER and DROP SERVER are object-level privileges that restrict who can use the CREATE FOREIGN SERVER and DROP FOREIGN SERVER SQL statements with a Teradata initiator connector.

  • CREATE SERVER can only be granted on the TD_SERVER_DB database as a whole.
  • DROP SERVER can be granted on the TD_SERVER_DB database or on individual foreign server objects.
  • The CREATE SERVER and DROP SERVER privileges are included if you grant ALL privileges on the TD_SERVER_DB database.

In addition to the CREATE SERVER and DROP SERVER privileges, administrators need the EXECUTE FUNCTION and SELECT privileges on the import and export table operators or on the TD_SYSFNLIB database that contains the table operators in order to create, drop, and modify foreign server objects.

The creator of a foreign server object implicitly receives the following privileges on the object:
  • SHOW privilege WITH GRANT OPTION
  • DROP SERVER privilege WITH GRANT OPTION
  • SELECT privilege WITH GRANT OPTION
  • If the foreign server object is capable of exporting data (that is, the CREATE FOREIGN SERVER statement includes the DO EXPORT WITH clause), the creator automatically receives the INSERT privilege WITH GRANT OPTION

CREATE AUTHORIZATION and DROP AUTHORIZATION privileges are required to work with authorization objects referenced by foreign server objects. DROP AUTHORIZATION is automatically granted to the creator of an authorization object.

Privileges for Users of the Foreign Server Object

You must grant SELECT, INSERT, and SHOW privileges on the foreign server object to users who query the remote database using a Teradata initiator connector.

Granting the ALL privilege on a foreign server object implicitly grants other privileges that depend on the nature of the foreign server:
  • If the foreign server object can import data from the remote database (that is, the CREATE FOREIGN SERVER statement included a DO IMPORT WITH clause), granting the ALL privilege on the foreign server implicitly includes the SELECT, SHOW, and DROP privileges.
  • If the foreign server object can export data to the remote database (that is, the CREATE FOREIGN SERVER statement included a DO EXPORT WITH clause), granting the ALL privilege on the foreign server implicitly includes the INSERT, SHOW, and DROP privileges.
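
The privilege rules above, written out as a least-privilege grant script. This is an added example, not taken from the Teradata guide. The names qg_admin, report_user and sales_remote_fs are hypothetical, the foreign server is assumed to have been created with both DO IMPORT WITH and DO EXPORT WITH clauses, and authorization objects are assumed to be kept in TD_SERVER_DB.

```sql
-- Added example: names qg_admin, report_user, sales_remote_fs are hypothetical.

-- Administrator: may create foreign servers (database-wide grant only).
GRANT CREATE SERVER ON TD_SERVER_DB TO qg_admin;

-- Scope DROP SERVER to one foreign server object instead of the whole
-- TD_SERVER_DB database, which the page also allows.
GRANT DROP SERVER ON TD_SERVER_DB.sales_remote_fs TO qg_admin;

-- Administrator also needs these on the import/export table operators;
-- granted here at the TD_SYSFNLIB database level.
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB TO qg_admin;
GRANT SELECT ON TD_SYSFNLIB TO qg_admin;

-- Needed to work with authorization objects referenced by foreign servers
-- (assumption: the authorization objects live in TD_SERVER_DB).
GRANT CREATE AUTHORIZATION ON TD_SERVER_DB TO qg_admin;
GRANT DROP AUTHORIZATION ON TD_SERVER_DB TO qg_admin;

-- Query user: exactly the privileges the page lists, on one object,
-- without WITH GRANT OPTION so the user cannot pass them on.
GRANT SELECT, INSERT, SHOW ON TD_SERVER_DB.sales_remote_fs TO report_user;

-- Over-broad alternative, shown for contrast only. ALL on a foreign server
-- implicitly includes DROP, so a query user could remove the object:
-- GRANT ALL ON TD_SERVER_DB.sales_remote_fs TO report_user;

-- Review who holds what on TD_SERVER_DB and its foreign server objects.
-- GrantAuthority = 'Y' marks rights held WITH GRANT OPTION, such as the
-- implicit creator privileges described above.
SELECT UserName,
       TableName,
       AccessRight,
       GrantAuthority,
       GrantorName
FROM DBC.AllRightsV
WHERE DatabaseName = 'TD_SERVER_DB'
ORDER BY UserName, TableName, AccessRight;
```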