Proxy User Connections | SET QUERY_BAND | Teradata Vantage - Using SET QUERY_BAND Requests to Make Proxy User Connections - Advanced SQL Engine - Teradata Database

SQL Data Definition Language Detailed Topics

Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
June 2020
Language
English (United States)
Last Update
2021-01-24
dita:mapPath
jpx1556733107962.ditamap
dita:ditavalPath
lze1555437562152.ditaval
dita:id
B035-1184
lifecycle
previous
Product Category
Teradata Vantage™

To make a proxy user connection, a middle tier application that is connected as a trusted user issues a SET QUERY_BAND request that specifies the proxy user name and an optional proxy role for that user. The reserved query band names PROXYUSER and PROXYROLE are used to specify a trusted session user name and proxy role name in the SET QUERY_BAND request, respectively.

When making proxy user connections, a SET QUERY_BAND request performs the following actions:

  1. If the query band specifies PROXYUSER, Teradata Database validates the current user has privileges to connect as the specified proxy user.
  2. If the query band specifies PROXYROLE, Teradata Database validates the role can be set for the specified proxy user.
  3. If the validation passes, Teradata Database sets the session to the specified proxy user name and proxy role name.

Once the proxy connection is made, Teradata Database uses the proxy user and the proxy role to determine the privileges for all subsequent requests in the session.

Note the following.
  • The trusted session lasts for the life of the query band.
  • The session query band remains set for the session and ends only when one of the following occurs.
    • The session ends.
    • You set the query band to NONE.
  • The session query band is stored in DBC.SessionTbl, and Teradata Database recovers it after a system reset.
  • The transaction query band is discarded when either of the following occurs.
    • The transactions ends (whether by commit, rollback, or abort)
    • The transaction query band is set to NONE and is not restored after a system reset.
A SET QUERY_BAND request returns an error whenever any of the following violations occur.
  • The proxy user does not have CONNECT THROUGH privileges with the trusted user.
  • The proxy user has not been granted privileges for the specified proxy role.
  • The request attempts to set a PROXYUSER for a transaction when a session trusted session already exists.
  • The request attempts to set a PROXYUSER for a session when a transaction proxy connection already exists.
  • The request attempts to set a PROXYROLE when it is not in a trusted session.
  • The request attempts to set a PROXYROLE to NONE or NULL when roles are defined for the trusted user in the GRANT CONNECT THROUGH privilege.