Teradata RDBMS Database Administration - NCR

NCR Teradata RDBMS Database Administration - NCR , 2004. - 616 p.

your installation is Windows 2000, and a user is set up for SSO, the SSO specification takes precedence, regardless of the client from which the logon originates.

The system view defined for DBC.SysSecDefaults is DBC.SecurityDefaults. To see the current security defaults, select all columns of this view:

SELECT * FROM DBC.SecurityDefaults;

Teradata RDBMS Database Administration

6 - 17 Chapter 6: Controlling Access

Controlling Password Security

Updating the Global Security Defaults

You control global security defaults through the DBC.SysSecDefaults table. Typically, you use the DBC.SecurityDefaults view to accomplish this. You must have DBC privileges to update the DBC.SecurityDefaults view. You must have security administrator privileges to update the DBC.SysSecDefaults table directly. (If you have activated and set up a security administrator, you can log on as your special SecAdmin user; see Teradata RDBMS Security Administration for instructions.)

To define your preferences, submit an UPDATE... SET statement against the table or view. For example, to set the maximum number of allowable logon attempts to 4, and an indefinite lockout of any user who exceeds that limit, you can submit:

UPDATE DBC.SecurityDefaults SET MaxLogonAttempts = 4;

UPDATE DBC.SecurityDefaults SET LockedUserExpire = -1;

Warning: The value in each SysSecDefaults field applies to all users, or, if your site implements profiles, to all users of any profile with that attribute set to NULL or NONE. If you set MaxLogonAttempts and LockedUserExpire at the system level, user DBC could potentially be locked out; yet only DBC can submit MODIFY USER DBC to change the DBC password! (Then DBC can only log on through the TSTSQL console. Contact the TSC for instructions.)
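One way to act on this warning, shown as an added example that is not part of the manual: keep the system-level lockout finite and apply the indefinite lockout through a profile, so that user DBC is never subject to it. The profile name strict_lockout and the user app_user1 are hypothetical, and the example assumes that user DBC has no profile assigned and that your release provides password attributes in CREATE PROFILE and the DBC.ProfileInfo view.

```sql
-- Added example; strict_lockout and app_user1 are hypothetical names.

-- 1. System level: lock a user after 4 failed logon attempts, but let the
--    lock expire on its own. User DBC (assumed to have no profile) takes
--    these values, so it cannot be locked out indefinitely.
UPDATE DBC.SecurityDefaults
SET MaxLogonAttempts = 4,
    LockedUserExpire = 60;   -- minutes until the lock is released; -1 = indefinite

-- 2. Profile level: the indefinite lockout from the text, applied only to
--    users who are members of this profile.
CREATE PROFILE strict_lockout AS
  PASSWORD = (MAXLOGONATTEMPTS = 4, LOCKEDUSEREXPIRE = -1);

MODIFY USER app_user1 AS PROFILE = strict_lockout;

-- 3. Confirm what is in force at each level.
SELECT MaxLogonAttempts, LockedUserExpire
FROM DBC.SecurityDefaults;

SELECT ProfileName, MaxLogonAttempts, LockedUserExpire
FROM DBC.ProfileInfo
WHERE ProfileName = 'strict_lockout';

-- 4. An indefinitely locked user stays locked until an administrator
--    releases the lock explicitly.
MODIFY USER app_user1 AS RELEASE PASSWORD LOCK;
```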

IF you want instructions on how to create a Security Administrator user, THEN see Teradata RDBMS Security Administration.

IF you want information on how to set up and maintain a secure database environment, THEN see Teradata RDBMS Database Design and Teradata RDBMS Security Administration.

IF you want descriptions of the system views associated with security and access control, THEN see "Viewing Granted Privileges" on page 6-9, "Session-Related Views" on page 6-30, and Teradata RDBMS Data Dictionary.

IF you want information on using roles and profiles to administer groups of users, THEN see "Creating Roles and Profiles" on page 2- and Teradata RDBMS Database Design.


Password Encryption

Teradata stores password information in encrypted form in the DBC.DBase system table; passwords are never decrypted. The PasswordString column of DBC.DBase displays encrypted passwords. Stored information includes the date and time a user defined a password.

You can modify passwords temporarily when the PasswordLastModDate plus a fixed number has been reached. This allows you to ensure that users change their passwords regularly. You need security administrator or DBC privileges to permanently modify the password of another user.

Host Logon Control

On an un-customized Teradata system, the default is that any defined user who is logged on to a host machine has permission to access Teradata RDBMS through any identified client connection, if that user provides a valid logon string and Teradata password.

An authorized user can change this default as follows:

On a Windows 2000 configuration employing Single Sign On (SSO), use the appendomainname feature (see "Implementing Single Sign On (SSO) (Windows 2000 Only)" on page 6-25).

On any Teradata RDBMS configuration:

IF the following conditions exist ... THEN use ...

Condition: DIPACC script has been run to create the special security macros DBC.LogonRule and DBC.AccLogRule
Use: GRANT LOGON and REVOKE LOGON statements to associate individual users with specific client connections.

Condition: a special Security Administrator user has been created (for example, user SecAdmin)
Use: GRANT LOGON...WITH NULL PASSWORD to allow particular users to omit a password.

Condition: the SecAdmin user has been granted the EXECUTE privilege on DBC.LogonRule
Use: a security exit in the Teradata Director Program (TDP) for channel-connected systems. This is to register in the system that the logon string for this username is valid without a password (see "Programming Logon and Security Exits in the Teradata Director Program (TDP)," below).

Note: A null password applies only to logging onto Teradata RDBMS; other security measures still apply. Under any circumstance, a null password limits the ability of Teradata RDBMS to authenticate the identity of


Using GRANT LOGON/REVOKE LOGON Statements

The following conditions must have been met in order to use the GRANT LOGON and REVOKE LOGON statements:

DIPACC has been run to create the special security macros DBC.LogonRule and DBC.AccLogRule