Query Bands, Trusted Sessions, and Roles - Advanced SQL Engine - Teradata Database

SQL Data Definition Language Detailed Topics

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: June 2020
Language: English (United States)
Last Update: 2021-01-24
dita:id: B035-1184
lifecycle: previous
Product Category: Teradata Vantage™

The following rules apply to the enforcement of CONNECT THROUGH privilege-defined roles in a trusted session.

  • If a CONNECT THROUGH privilege specifies roles, then the following rules apply.
    • You cannot specify a PROXYROLE if you do not also specify a PROXYUSER.
    • You must use PROXYROLE to set the role in a trusted session because you cannot specify a SET ROLE request in a trusted session.
    • If PROXYROLE is not specified in the privilege definition, then all roles specified for the privilege are active.
    • PROXYROLE can be set to any role in the privilege. If you make this specification, then only that role is active.
    • PROXYROLE cannot be set to NONE or NULL.
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE, then the following rules apply.
    • If PROXYROLE is not specified in the privilege definition, then the active role is the default role for the permanent proxy user.
    • PROXYROLE can be set to any role that has been granted to the permanent proxy user.
    • PROXYROLE can be set to NONE or NULL.
  • If a CONNECT THROUGH privilege defines proxy roles, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • Active proxy roles
    • PUBLIC
  • If a CONNECT THROUGH privilege specifies WITHOUT ROLE for a permanent user, then the privileges for a trusted session that uses that privilege are those granted to the following:
    • The permanent user
    • Active roles
    • PUBLIC
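
The rules above, laid out as a sequence of statements with the permitted settings beside the ones the rules exclude. This is an added example, not taken from the Teradata documentation; the user names (app_srv, web_user1, hr_perm) and role names (hr_read, hr_write, audit_read) are hypothetical, and the outcome comments restate the rules listed above.

```sql
-- Hypothetical names: trusted user app_srv, application proxy user web_user1,
-- permanent proxy user hr_perm, roles hr_read / hr_write / audit_read.
-- GRANT statements are run by an administrator; SET QUERY_BAND statements
-- are run in a session logged on as the trusted user app_srv.

-- Case 1: the CONNECT THROUGH privilege specifies roles.
GRANT CONNECT THROUGH app_srv TO web_user1 WITH ROLE hr_read, hr_write;

-- No PROXYROLE: every role named in the privilege is active.
-- Session privileges: hr_read + hr_write + PUBLIC.
SET QUERY_BAND = 'PROXYUSER=web_user1;' FOR SESSION;

-- PROXYROLE names one role from the privilege: only that role is active.
-- Session privileges: hr_read + PUBLIC.
SET QUERY_BAND = 'PROXYUSER=web_user1;PROXYROLE=hr_read;' FOR SESSION;

-- Not permitted: audit_read is not one of the roles in the privilege.
SET QUERY_BAND = 'PROXYUSER=web_user1;PROXYROLE=audit_read;' FOR SESSION;

-- Not permitted: NONE or NULL when the privilege specifies roles.
SET QUERY_BAND = 'PROXYUSER=web_user1;PROXYROLE=NONE;' FOR SESSION;

-- Not permitted: PROXYROLE without PROXYUSER.
SET QUERY_BAND = 'PROXYROLE=hr_read;' FOR SESSION;

-- Case 2: the privilege specifies WITHOUT ROLE for a permanent user.
GRANT CONNECT THROUGH app_srv TO PERMANENT hr_perm WITHOUT ROLE;
GRANT audit_read TO hr_perm;  -- assumption: audit_read is granted to hr_perm

-- No PROXYROLE: the active role is the default role of hr_perm.
-- Session privileges: hr_perm + its default role + PUBLIC.
SET QUERY_BAND = 'PROXYUSER=hr_perm;' FOR SESSION;

-- PROXYROLE may be any role that has been granted to hr_perm.
-- Session privileges: hr_perm + audit_read + PUBLIC.
SET QUERY_BAND = 'PROXYUSER=hr_perm;PROXYROLE=audit_read;' FOR SESSION;

-- NONE is allowed here: no role is active.
-- Session privileges: hr_perm + PUBLIC.
SET QUERY_BAND = 'PROXYUSER=hr_perm;PROXYROLE=NONE;' FOR SESSION;

-- Not permitted in either case: SET ROLE inside a trusted session.
-- The role can only be chosen through PROXYROLE in the query band.
SET ROLE hr_write;
```

For least privilege, the first case shows why an application that needs only one role should set PROXYROLE explicitly: omitting it activates every role named in the privilege.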

Teradata Database enforces two exceptions to these rules. In these exceptional cases, Teradata Database does not enforce the privileges established for the proxy user, but instead enforces the privileges stated in the following table.

| FOR this database object type … | THE following rules for privilege enforcement apply … |
|---|---|
| macro | The immediately owning database or user must have all the appropriate privileges for executing the macro. |
| SQL procedure | The following check is made only if the procedure is created using SQL SECURITY INVOKER. Otherwise, the proxy user privileges are not used. Teradata Database checks the privileges of the immediate owner of the procedure for all statements specified in, and all objects referenced in, the procedure body during its execution. |