Security Logon Setup Procedure - Director Program

Teradata Director Program Reference

Product: Director Program
Release Number: 15.10
Language: English (United States)
Last Update: 2018-10-07
dita:id: B035-2416
lifecycle: previous
Product Category: Teradata Tools and Utilities

Use the following procedure as a guideline for setting up and using the security logon function:

1 Submit the following Teradata SQL statement to the Teradata Database to grant logon access with a null password:

GRANT LOGON ON ALL AS DEFAULT
WITH NULL PASSWORD;

Note: This command must be submitted either by the Teradata Database system administrator, or by another user with EXECUTE access to DBC.LogonRule.

Note also that:

  • The null password privilege only applies to logon requests originating on mainframe client systems. Requests from network-attached workstations always require a password.
  • Any attempt to log on to the Teradata Database with user name DBC always requires a password. TDP will not use the validated logon feature for user name DBC.
  • The AS DEFAULT provision can be overridden by more restrictive GRANT clauses for individual users.

2 If the User Logon Exit interface (TDPLGUX) has been customized, review the interaction guidelines presented in the subsection “Using Security Logon with TDPLGUX” to determine whether additional changes are required.

If TDPLGUX has not been customized, its enabled/disabled status has no effect on security logon operations.

3 Set up your external security manager to work with the TDP security logon function.

For RACF:

a Create profiles in the FACILITY class with a universal access authority (UACC) of NONE to regulate logons. Note, in the following example, that the first qualifier of the resource name specifies the TDPid, and the second qualifier specifies the DBC user logon name:

RDEFINE FACILITY TDP9.TEST01 UACC(NONE)
RDEFINE FACILITY TDP0.BIG_DBC_USER_NAME UACC(NONE)
RDEFINE FACILITY TDPX.PAYROLL977263 UACC(NONE)

b Give each user the appropriate access authority to the FACILITY profile. READ is sufficient, as in the following examples:

PERMIT TDP9.TEST01 CLASS(FACILITY) ID(TSO0997) ACCESS(READ)
PERMIT TDP0.BIG_DBC_USER_NAME CLASS(FACILITY) ID(TSO0998) ACCESS(READ)
PERMIT TDPX.PAYROLL977263 CLASS(FACILITY) ID(TSO0999) ACCESS(READ)

c If not already activated, activate the FACILITY class:

SETROPTS CLASSACT(FACILITY)

For ACF2:

Set up resource rules of TYPE(FAC) to regulate logon requests and grant access to each user. Note, in the following example, that the key represents the TDPid and the extension represents the DBC user logon name:

SET RESOURCE(FAC)
COMPILE *
   $KEY(TDP9) TYPE(FAC)
     TEST01 UID(TSO997) ALLOW
STORE
COMPILE *
   $KEY(TDPX) TYPE(FAC)
STORE
COMPILE *
   $KEY(TDPX) TYPE(FAC)
       PAYROLL977263 UID(TSO999) ALLOW
STORE

For all other external security managers:

Refer to the appropriate vendor documentation.

4 Always test new resource profiles or access rules before placing them in a production environment.

Because the FACILITY class is limited to 39 bytes, it will not suffice if RDBMS user names exceed 30 bytes. This will be the case only if character sets are being used that support more than one byte per character. If this is the case, it is necessary to create an entirely new class with a maximum length of 92 bytes (the maximum number of bytes for an RDBMS user id in any currently supported character set).

This is a complicated process, especially under RACF, where an IPL will be required, and should be performed only by an experienced systems programmer.

Refer to the appropriate vendor documentation for details, and when the security logon function is enabled, specify the name of your new alternate class as follows:

ENABLE SECLOGON MSGS CLASS DBCLOGON

This forces TDP to use a class name of DBCLOGON instead of FACILITY for RACROUTE authorization calls.

Note: Under RACF, class names can be between 4 and 8 characters in length. Under ACF2, class names are called resource names and are generally 3 characters in length. (ACF2 internally translates FACILITY to FAC, and vice versa.)
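The resource-name layout from step 3 and the FACILITY length limit from step 4 can be checked before any RDEFINE is issued. The following Python helper is an added example, not code from the Teradata reference or from TDP itself: it builds the TDPid.username resource name, measures it in the host character set (cp037 stands in for a single-byte EBCDIC code page, UTF-8 for a multibyte character set), leaves out user DBC because TDP never uses validated logon for it, and emits the RACF commands together with the matching ENABLE SECLOGON form. The TDPids, Teradata user names and host user IDs it uses are constructed sample values; DBCLOGON is the alternate class name from the text above.

```python
"""Planning helper for TDP security logon profiles.

Added example, not code from the Teradata reference or from TDP. It builds
the TDPid.username resource name described in step 3, measures it in the
host character set to apply the 39-byte FACILITY limit from step 4, leaves
out user DBC (TDP never uses validated logon for DBC), and emits the RACF
commands plus the matching ENABLE SECLOGON form. All TDPids, Teradata user
names and host user IDs below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

FACILITY_MAX_BYTES = 39   # FACILITY resource-name limit quoted in step 4
RACF_CLASS_NAME_MIN = 4   # RACF class names are 4 to 8 characters (step 4 note)
RACF_CLASS_NAME_MAX = 8


@dataclass(frozen=True)
class LogonProfile:
    tdpid: str        # first qualifier of the resource name
    dbc_user: str     # Teradata user logon name, second qualifier
    host_userid: str  # RACF user ID to be permitted READ access


def resource_name(tdpid: str, dbc_user: str) -> str:
    return f"{tdpid}.{dbc_user}"


def resource_bytes(name: str, encoding: str) -> int:
    """Byte length of the name in the host character set. In a single-byte
    EBCDIC code page (cp037 is the stand-in here) this equals the character
    count; in a multibyte character set it can be larger, which is exactly
    when FACILITY stops being sufficient."""
    return len(name.encode(encoding))


def fits_facility(name: str, encoding: str) -> bool:
    return resource_bytes(name, encoding) <= FACILITY_MAX_BYTES


def valid_racf_class_name(class_name: str) -> bool:
    return (RACF_CLASS_NAME_MIN <= len(class_name) <= RACF_CLASS_NAME_MAX
            and class_name.isalnum())


def uses_validated_logon(dbc_user: str) -> bool:
    """User DBC always needs a password, so no profile is defined for it."""
    return dbc_user.upper() != "DBC"


def choose_class(profiles: List[LogonProfile], encoding: str,
                 alternate_class: Optional[str] = None) -> str:
    """TDP uses a single class for all RACROUTE calls, so one over-long name
    moves every profile to the alternate class named on ENABLE SECLOGON."""
    names = [resource_name(p.tdpid, p.dbc_user)
             for p in profiles if uses_validated_logon(p.dbc_user)]
    if all(fits_facility(n, encoding) for n in names):
        return "FACILITY"
    if alternate_class is None:
        longest = max(names, key=lambda n: resource_bytes(n, encoding))
        raise ValueError(f"{longest!r} is {resource_bytes(longest, encoding)} bytes "
                         f"in {encoding}; FACILITY allows {FACILITY_MAX_BYTES}")
    if not valid_racf_class_name(alternate_class):
        raise ValueError(f"{alternate_class!r} is not a valid RACF class name")
    return alternate_class


def plan_commands(profiles: List[LogonProfile], encoding: str,
                  alternate_class: Optional[str] = None) -> List[str]:
    """RACF commands (RDEFINE, PERMIT, SETROPTS) followed by the TDP
    ENABLE SECLOGON command that matches the chosen class."""
    cls = choose_class(profiles, encoding, alternate_class)
    cmds: List[str] = []
    for p in profiles:
        if not uses_validated_logon(p.dbc_user):
            continue
        name = resource_name(p.tdpid, p.dbc_user)
        cmds.append(f"RDEFINE {cls} {name} UACC(NONE)")
        cmds.append(f"PERMIT {name} CLASS({cls}) ID({p.host_userid}) ACCESS(READ)")
    cmds.append(f"SETROPTS CLASSACT({cls})")
    cmds.append("ENABLE SECLOGON MSGS" if cls == "FACILITY"
                else f"ENABLE SECLOGON MSGS CLASS {cls}")
    return cmds


# Constructed sample input shaped like the reference's own examples.
SAMPLE_PROFILES = [
    LogonProfile("TDP9", "TEST01", "TSO0997"),
    LogonProfile("TDPX", "PAYROLL977263", "TSO0999"),
    LogonProfile("TDP9", "DBC", "TSO0001"),  # skipped: DBC always needs a password
]

if __name__ == "__main__":
    for line in plan_commands(SAMPLE_PROFILES, "cp037"):
        print(line)
```

Run it with the single-byte encoding first; when choose_class raises because a name exceeds 39 bytes, that is the situation step 4 describes, and the alternate class has to be defined by a systems programmer before the ENABLE SECLOGON ... CLASS form is issued. If the class is RACLISTed at your installation, the new profiles also need SETROPTS RACLIST(FACILITY) REFRESH (or the alternate class name) before they take effect.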

5 Enable the security logon function with the desired messages option:

ENABLE SECLOGON MSGS

or:

ENABLE SECLOGON NOMSGS

    See Chapter 4: “Customer Exits and Teradata Userid Authentication,” for more information about the TDP commands that pertain to the security logon function:

  • ENABLE SECLOGON
  • DISABLE SECLOGON
  • MODIFY SECLOGON