About Privileges for User Types - Advanced SQL Engine

About Privileges for User Types - Advanced SQL Engine - Teradata Database

Security Administration

Product

Advanced SQL Engine

Teradata Database

Release Number

17.05

17.00

Published

September 2020

Language

English (United States)

Last Update

2021-01-23

dita:mapPath

ied1556235912841.ditamap

dita:ditavalPath

lze1555437562152.ditaval

dita:id

B035-1100

lifecycle

Product Category

Teradata Vantage™

You can assign privileges to database users according to the user type.

See also About Database User Types.

User Type	Method for granting privileges
Permanent user	Grant privileges directly to the user. Create roles and grant privileges to them. Then grant membership in one or more roles to each user (recommended).
Directory-based user	Map each directory user to one or more database users that already have database privileges. You can optionally create external roles and grant privileges to them. Then map each directory user to one or more of the external roles. The system registers objects created by a directory user in the data dictionary, with the mapped permanent user as the owner and creator.
Auto provisioned user	Set the AutoProvision DBSControl flag to true. In the directory create an external role or profile for auto provisioned users. Create matching roles and profiles in the database. Grant privileges to the external roles, if created. Map the directory users to the external role or profile. The privileges given to the auto provisioned account are determined by the external role to which the directory user is assigned. If an auto provisioned directory user is assigned to an external role and is also granted a role in the database, the user is allowed to have the privileges of both roles. However, the user is externally authenticated, so only external roles are active for the session. A granted role must be explicitly enabled. If the directory principal is not assigned to a role, the user inherits privileges from EXTERNAL_AP (a system user).
Proxy user	For proxy users that are either permanent database users or users unknown to the database, you can specify one or more roles in the GRANT CONNECT THROUGH statement that defines the proxy. For proxy users that are also permanent database users: You can specify WITHOUT ROLE to use the privileges granted to the permanent user You can assign row level security constraints to the permanent user or the user profile. Proxy user sessions use the profile constraints, if assigned. If no constraints are assigned in the profile, the session uses the user constraints. The user can also use the SET SESSION CONSTRAINT command to access any assigned security constraints.