System-Level Privileges for Row-Level Security - Advanced SQL Engine - Teradata Database

SQL Data Control Language

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: June 2020
Language: English (United States)
Last Update: 2021-01-24
Document ID: B035-1149
Product Category: Teradata® Vantage™ NewSQLEngine

Administrators can grant system-level privileges to users or profiles for the purpose of establishing and maintaining row-level security.

These privileges enable users to:
  • Create row-level security constraints using SQL requests.
  • Define row-level security constraints on tables using SQL requests.
  • Assign row-level security constraint values (security credentials) to users and profiles using SQL requests.

The privileges are as follows:
  • CONSTRAINT ASSIGNMENT
  • CONSTRAINT DEFINITION

See the section on the DBC.AccessRights table in Teradata Vantage™ - Data Dictionary, B035-1092 for a list of the two-character abbreviations for these privileges.

CONSTRAINT ASSIGNMENT Privilege

This system-wide privilege enables users to define row-level security constraints on tables and to assign row-level security constraint values to users and profiles using SQL DDL statements. Administrators can grant it to individual users or to profiles.

Teradata Database automatically grants this privilege to user DBC WITH GRANT OPTION, which enables user DBC to grant it to any other user or role.

The rules and restrictions for granting the CONSTRAINT ASSIGNMENT privilege are as follows:
  • You can only grant it to another user or role if you also have the WITH GRANT OPTION privilege.
  • You cannot specify a target database object.
  • You cannot grant it to PUBLIC.

You must have the CONSTRAINT ASSIGNMENT privilege to use these SQL DDL statements on tables that have row-level security constraints or users and profiles that have security credentials assigned to them. These statements can be used on users or profiles that do not have security credentials assigned to them.
  • ALTER TABLE
  • CREATE PROFILE
  • CREATE TABLE
  • CREATE USER
  • MODIFY PROFILE
  • MODIFY USER
  • SHOW CONSTRAINT

    The CONSTRAINT DEFINITION privilege also enables you to execute a SHOW CONSTRAINT request.

CONSTRAINT DEFINITION Privilege

This system-wide privilege enables users to create and modify row-level security constraints using SQL DDL statements. Administrators can grant it to individual users or to roles.

Teradata Database automatically grants this privilege to user DBC WITH GRANT OPTION, which enables user DBC to grant it to any other user or role.

The rules and restrictions for granting the CONSTRAINT DEFINITION privilege are as follows:
  • You can only grant it to another user or role if you also have the WITH GRANT OPTION privilege.
  • You cannot specify a target database object.
  • You cannot grant it to PUBLIC.

You must have the CONSTRAINT DEFINITION privilege to use the following SQL DDL statements to create, modify, or show row-level security constraints:
  • ALTER CONSTRAINT
  • CREATE CONSTRAINT
  • DROP CONSTRAINT
  • SHOW CONSTRAINT

    The CONSTRAINT ASSIGNMENT privilege also enables you to execute a SHOW CONSTRAINT request.
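
The following added example (not part of the original Teradata documentation) grants the two privileges described above to separate security administrators and then audits who holds them. The account names secadmin_def and secadmin_asg are hypothetical. The access right codes 'SA' and 'SD' are assumed to be the two-character abbreviations for CONSTRAINT ASSIGNMENT and CONSTRAINT DEFINITION; confirm them against the DBC.AccessRights list in the Data Dictionary before relying on the results.

```sql
-- Added example. Run as a user that holds both privileges WITH GRANT OPTION
-- (user DBC receives them that way automatically).
-- secadmin_def and secadmin_asg are hypothetical accounts.

-- Separation of duties: one account defines constraints, another assigns them.
-- No target database object is named, because the privileges are system-wide.
GRANT CONSTRAINT DEFINITION TO secadmin_def;
GRANT CONSTRAINT ASSIGNMENT TO secadmin_asg;

-- Audit 1: users holding either privilege directly.
-- GrantAuthority = 'Y' marks grantees who can pass the privilege on.
-- Assumption: 'SA' = CONSTRAINT ASSIGNMENT, 'SD' = CONSTRAINT DEFINITION.
SELECT UserName,
       AccessRight,
       GrantAuthority,
       GrantorName,
       CreateTimeStamp
FROM   DBC.AllRightsV
WHERE  AccessRight IN ('SA', 'SD')
ORDER  BY AccessRight, UserName;

-- Audit 2: roles holding either privilege.
SELECT RoleName,
       AccessRight,
       GrantorName,
       CreateTimeStamp
FROM   DBC.AllRoleRightsV
WHERE  AccessRight IN ('SA', 'SD')
ORDER  BY AccessRight, RoleName;

-- Audit 3: users holding both privileges directly, which removes the
-- separation between defining constraints and assigning them.
SELECT UserName
FROM   DBC.AllRightsV
WHERE  AccessRight IN ('SA', 'SD')
GROUP  BY UserName
HAVING COUNT(DISTINCT AccessRight) = 2;
```

Audit 3 covers direct grants only; a user who also receives one of the privileges through a role from Audit 2 has to be correlated separately.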