CREATE AUTHORIZATION and REPLACE AUTHORIZATION Syntax Elements - Advanced SQL Engine - Teradata Database

SQL Data Definition Language Syntax and Examples

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
dita:id: B035-1144
lifecycle: previous
Product Category: Teradata Vantage™
database_name
user_name
Optional name of a database or user other than the current or default in which the authorization being defined or replaced is to be contained.
authorization_name
A name for the authorization so you can specify the authorization in an external routine definition or function mapping.
The name of an authorization object must conform to object naming rules. For information about naming database objects, see Teradata Vantage™ - SQL Fundamentals, B035-1141.
The following rules apply to authorization names:
  • Authorizations belong to the database or user in which they are created and are not valid in other databases or users. For information about using authorization objects with the Script Table Operator, see Teradata Vantage™ - SQL Operators and User-Defined Functions, B035-1210.
  • An authorization object name must be unique within its containing database or user.
  • An authorization object name cannot begin with a digit.
  • An authorization object name cannot be an SQL keyword.
DEFINER
A keyword that associates an external routine with a database user to the database that contains the external routine.
For DEFINER, the database_name or user_name must be the containing database or user for the external routine.
The following rules apply to specifying DEFINER:
  • A database or user can be associated with only one default DEFINER authorization object name.
  • A database or user can be associated with many non-default DEFINER authorization object names.
DEFAULT
An optional keyword modifier for the DEFINER keyword that associates this authorization with all external routines that do not specify the authorization name in the EXTERNAL SECURITY DEFINER clause of the following statements.
You can assign only one default DEFINER object per database. All others must have specific definer names.
INVOKER
A keyword that associates a database user to the database user who invokes the external routine.
For INVOKER, the database_name or user_name must be the logon database or user for the user or profile.
You can assign only one INVOKER authorization name per database or user.
TRUSTED
Keyword that indicates the associated authorization object was created as TRUSTED.
You must use the TRUSTED security type for the authorization you specify in the EXTERNAL SECURITY clause when creating foreign tables or function mappings. See CREATE FOREIGN TABLE or CREATE FUNCTION MAPPING and REPLACE FUNCTION MAPPING.
user_name
A clause that specifies a string literal that is the name of the database user to whom this authorization is being assigned.
Public buckets (or public containers) in external object stores such as Amazon S3, Azure Blob storage, or Google Cloud Storage do not require credentials for access. To create an authorization for these, use an empty string delimited by single quotes: ''
password
A clause that specifies a string literal that is the operating system platform password assigned to user_name.
The password is used to authenticate the user when the secure server process is created. Best practices suggest that any session that uses this statement should be set up to use the encrypted transport protocol. See Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100.
Public buckets (or public containers) in external object stores such as Amazon S3, Azure Blob storage, or Google Cloud Storage do not require credentials for access. To create an authorization for these, use an empty string delimited by single quotes: ''
While it is never desirable for a password to be typed in the clear, it only becomes an issue when you enter your password using an interface such as BTEQ. The issue becomes moot if you are prompted to enter your password by an application that requests the information in a secure manner, such as a GUI or World Wide Web interface that displays ASTERISK characters to represent the password as it is typed. This is the recommended practice for all security-conscious sites.
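The syntax elements above combined into complete statements, as an added example that is not taken from the Teradata documentation. The database, user, and authorization names (sales_db, analyst1, ext_default, and so on) and all credential strings are hypothetical placeholders.

```sql
-- Added example: every name and credential below is a constructed placeholder.
-- Submit statements like these over an encrypted session, and avoid typing a
-- real password in the clear in an interface such as BTEQ.

-- Default DEFINER authorization contained in sales_db. It applies to external
-- routines in sales_db that do not name an authorization in their
-- EXTERNAL SECURITY DEFINER clause. Only one DEFAULT DEFINER per database.
CREATE AUTHORIZATION sales_db.ext_default AS DEFINER DEFAULT
  USER 'svc_user'
  PASSWORD '<password-placeholder>';

-- A second, non-default DEFINER authorization in the same database.
-- Its name must be unique within sales_db, must not begin with a digit,
-- and must not be an SQL keyword.
CREATE AUTHORIZATION sales_db.ext_reporting AS DEFINER
  USER 'report_user'
  PASSWORD '<password-placeholder>';

-- TRUSTED authorization for a public bucket or container: no credentials
-- are required, so USER and PASSWORD are empty strings in single quotes.
-- TRUSTED is the security type required for foreign tables and
-- function mappings.
CREATE AUTHORIZATION sales_db.public_store AS DEFINER TRUSTED
  USER ''
  PASSWORD '';

-- INVOKER authorization contained in the invoking user's own logon user.
-- Only one INVOKER authorization is allowed per database or user.
CREATE AUTHORIZATION analyst1.my_invoker AS INVOKER
  USER 'analyst_user'
  PASSWORD '<password-placeholder>';

-- REPLACE AUTHORIZATION takes the same elements; here it updates the
-- stored password of an existing authorization.
REPLACE AUTHORIZATION sales_db.ext_reporting AS DEFINER
  USER 'report_user'
  PASSWORD '<new-password-placeholder>';
```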