Teradata RDBMS Database Administration - NCR

NCR Teradata RDBMS Database Administration - NCR , 2004. - 616 p.


CREATE USER and Logon Security

The Teradata RDBMS default is to associate a username with a password. You need to specify a password, even if temporary, in every CREATE USER statement; otherwise, the parser rejects the statement as incomplete.

However, if your site intends to enable null passwords or, if on Windows 2000, the Single Sign On (SSO) feature, follow this procedure:

Step Action
1 Create the user with a temporary password.
2 Immediately follow the CREATE USER statement with a GRANT LOGON ... WITH NULL PASSWORD statement.

Caution: You need special privileges to use the GRANT LOGON statement. NCR suggests that you create a special user to serve as your security administrator (for example, SecAdmin) and grant the EXECUTE privilege to that user on the special security macro DBC.AccLogRule. (For full instructions, see Teradata RDBMS Security Administration.)

Using the WITH NULL PASSWORD Phrase

The following security considerations affect how you create a new user and when you can employ the WITH NULL PASSWORD facility:

IF your site: uses password protection
THEN: Create the user with a password. Logon processing prompts a new user to change the initial password to a permanent one. You can define a password not to expire. You can define a user lockout for an unlimited time. You can set these and other password attributes at the group user level (see "Implementing Profiles" on page 5-17) or the system level (see "Customizing Your Password Controls" on page 6-21).

IF your site: allows null passwords
THEN: A null password applies only to logging onto Teradata RDBMS; other security measures still apply. For cautions and instructions on using null passwords, see Teradata RDBMS Security Administration.
Note: Under any circumstance, a null password limits the ability of Teradata RDBMS to authenticate the identity of a user.

5 - 10

Teradata RDBMS Database Administration Chapter 5: Setting Up Users, Profiles, Accounts and Accounting

Implementing Roles and Profiles

IF your site: determines that using null passwords does not jeopardize data security
THEN: Follow this procedure:

Step Action
1 Log on as the user with EXECUTE privilege on DBC.AccLogRule macro.
2 Create each new user with a temporary password.
3 Follow the CREATE USER statement with a GRANT LOGON ... WITH NULL PASSWORD statement for that username. For example:

  CREATE USER JANE AS PERM=1000000, PASSWORD=Jane;
  GRANT LOGON ON ALL TO JANE WITH NULL PASSWORD;

4 For channel-connected mainframes, write a TDP security exit to register that the logon string for this username is valid without a password. (For more details, see "Programming Logon and Security Exits in the Teradata Director Program (TDP)" on page 6-25.)

IF your site: is Windows 2000 and supports SSO
THEN: Follow each CREATE USER statement with:

  GRANT LOGON ON ALL TO username WITH NULL PASSWORD;

If every logon name is not unique across all domains, perform the procedure given below.


Step Action
1 Append a domain name to the user name. To do this, define each username in the form:

  "username@domainname"

  For example, to create user Bob for domain esdev3, enter:

  CREATE USER "Bob@esdev3" AS PERM=10000000, PASSWORD=Bob;
  GRANT LOGON ON ALL TO "Bob@esdev3" WITH NULL PASSWORD;

2 Query the Append Domain Name value of the Gateway Control GDO with the -d option of gtwcontrol. This value determines what form of username will be accepted, as follows:

  IF Append Domain Name is set to: no
  THEN: username is the only form accepted.

  IF Append Domain Name is set to: yes
  THEN: 'username@domainname' is the only form accepted.

  To change the current value, toggle it by entering the -F option to the gtwcontrol command:

  gtwcontrol -F

3 Make sure both the DBS Control GDO and the Gateway Control GDO are set to the same value.

For step-by-step instructions on the complete procedure, see "Implementing Single Sign On (SSO) (Windows 2000 Only)" on page 6-25.
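A provisioning script can be reviewed against both procedures above before it is submitted. The following Python check is an added example, not code from the NCR manual: it lists the users that will be able to log on without a password, flags any CREATE USER that is not immediately followed by its GRANT LOGON ... WITH NULL PASSWORD, and flags usernames whose form does not match the Append Domain Name setting. The sample script, the function names and the append_domain_name parameter are assumptions; the actual setting must be read separately with gtwcontrol -d.

```python
import re

# Constructed sample provisioning script (not from the manual): JANE follows the
# documented pattern, BOB has no grant, "Amy@esdev3" uses the domain form.
SAMPLE = '''
CREATE USER JANE AS PERM=1000000, PASSWORD=Jane;
GRANT LOGON ON ALL TO JANE WITH NULL PASSWORD;
CREATE USER BOB AS PERM=1000000, PASSWORD=Bob;
CREATE USER "Amy@esdev3" AS PERM=1000000, PASSWORD=Amy;
GRANT LOGON ON ALL TO "Amy@esdev3" WITH NULL PASSWORD;
'''

NAME = r'("[^"]+"|\w+)'  # quoted name such as "Bob@esdev3", or a bare name
CREATE_RE = re.compile(r'^CREATE\s+USER\s+' + NAME + r'\s+AS\b', re.I)
GRANT_RE = re.compile(r'^GRANT\s+LOGON\s+ON\s+ALL\s+TO\s+' + NAME +
                      r'\s+WITH\s+NULL\s+PASSWORD$', re.I)

def statements(script):
    """Split on ';' and collapse whitespace (assumes no ';' inside literals)."""
    return [" ".join(s.split()) for s in script.split(";") if s.strip()]

def review(script, append_domain_name):
    """Return (null_password_users, findings) for a provisioning script.

    append_domain_name is an assumed parameter mirroring the Gateway Control
    'Append Domain Name' value: True means only "username@domainname" is
    accepted, False means only username is accepted.
    """
    null_users, findings = [], []
    stmts = statements(script)
    for i, stmt in enumerate(stmts):
        m = CREATE_RE.match(stmt)
        if not m:
            continue
        user = m.group(1).strip('"')
        nxt = GRANT_RE.match(stmts[i + 1]) if i + 1 < len(stmts) else None
        if nxt and nxt.group(1).strip('"').upper() == user.upper():
            null_users.append(user)  # inventory of password-less logons
        else:
            findings.append(f"{user}: CREATE USER not immediately followed by "
                            "GRANT LOGON ... WITH NULL PASSWORD")
        if ("@" in user) != append_domain_name:
            form = "username@domainname" if append_domain_name else "username"
            findings.append(f"{user}: name form does not match gateway setting; "
                            f"only {form} is accepted")
    return null_users, findings

if __name__ == "__main__":
    for line in review(SAMPLE, append_domain_name=True)[1]:
        print(line)
```

The returned list of null-password users is worth keeping as an inventory, since the manual notes that a null password limits the ability of Teradata RDBMS to authenticate the identity of a user.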

Granting CREATE and Access Privileges to a New User

Certain privileges are granted implicitly (automatically) when CREATE USER is processed successfully:

- The privileges of a newly created user are granted on his or her own space, enabling the creation of tables, views, and other data objects
- Creator privileges are granted to the creating user of a newly created user, database, or object
- Owner privileges are granted to the immediate owner of the space from which the new user was created


A new user has the implicit right to create data tables, indexes, permanent journal tables, views, macros, and triggers in his or her default database, as long as the new user has the appropriate privileges on any underlying tables and target tables created by another user or residing in another database.