• A Teradata RDBMS security administrator user has been created (for example, username SecAdmin)
• User SecAdmin has been granted the EXECUTE privilege on DBC.LogonRule
If these conditions exist, the security administrator can execute the GRANT LOGON or REVOKE LOGON statements any time after installation to add or remove user names on individual host connections as needed.
GRANT LOGON
  Gives users permission to log on to the Teradata RDBMS from specific client systems using a pre-validated logon request. To execute a GRANT LOGON or REVOKE LOGON statement, you must hold the EXECUTE privilege on the macro DBC.LogonRule.
REVOKE LOGON
  Retracts permission to log on to the Teradata database from specific client systems. After installation, use the REVOKE LOGON statement to change the system default by first removing access privileges from all users on all hosts; you can then submit GRANT LOGON statements to assign individual users to specific host IDs.
To change the system default:
1 Submit the REVOKE LOGON statement to remove access privileges from all users on all hosts.
2 Submit the GRANT LOGON statement to assign individual users to specific host IDs.
The GRANT LOGON and REVOKE LOGON statements store rows in DBC.LogonRuleTbl.
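The two-step change of the system default, followed by a check of the resulting rules, as an added example (this is not text or code from the manual). Assumptions: host IDs 52 and 100 are constructed sample values; finance_etl and dbadmin are sample user names; the session user already holds EXECUTE on macro DBC.LogonRule; and DBC.LogonRules is assumed to be the system view over DBC.LogonRuleTbl, with columns LogicalHostId, UserName, LogonStatus ('G' granted, 'R' revoked), NullPassword ('Y'/'N'), CreatorName and CreateTimeStamp.

```sql
-- Added example, not from the manual. Run in BTEQ as the security
-- administrator (a user holding EXECUTE on macro DBC.LogonRule).
-- Host IDs 52 and 100 and the user names are constructed sample values.

-- Step 1: remove the installation default that lets every user log on
-- from every host. From this point only explicit grants permit logon.
REVOKE LOGON ON ALL FROM ALL;

-- Step 2: grant logon per (host ID, user) pair. A user not listed for a
-- host cannot log on from that host.
GRANT LOGON ON 52 TO finance_etl;
GRANT LOGON ON 52, 100 TO dbadmin;

-- Verification: rows written to DBC.LogonRuleTbl by the statements above.
-- DBC.LogonRules is assumed to be the view over that table.
SELECT LogicalHostId, UserName, LogonStatus, NullPassword,
       CreatorName, CreateTimeStamp
FROM   DBC.LogonRules
ORDER  BY LogicalHostId, UserName;

-- Per-host review: who is currently allowed to log on from host 52.
-- Any name here that the change request did not list is a finding.
SELECT UserName, NullPassword, CreatorName, CreateTimeStamp
FROM   DBC.LogonRules
WHERE  LogicalHostId = 52
  AND  LogonStatus   = 'G'
ORDER  BY UserName;
```

Because the REVOKE and the GRANTs are separate statements, there is a window between them in which no user, the administrator included, has a logon rule; submitting them in one BTEQ script from an already-established session avoids locking yourself out.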
Teradata RDBMS Database Administration, Chapter 6: Controlling Access
Controlling Password Security
Programming Logon and Security Exits in the Teradata Director Program (TDP)
All messages from a channel-attached client that are sent to and received from the Teradata database pass through the Teradata Director Program (TDP).
At specific points, you can provide TDP exits and include user-written routines to perform some function or alteration of normal processing. For example, you can use TDP exits to extend security, in conjunction with the GRANT LOGON and REVOKE LOGON statements.
The following exit points are available to all TDPs running on MVS, VM, and OS1100 hosts; TDPUAX is an additional exit for MVS systems only. These exits are either all turned on or all turned off.
TDPLGUX
  Object processed: User logon requests
  Description: Use the TDP User Logon Exit to process logon requests.
TDPUTCE
  Object processed: Any request or response traversing the TDP
  Description: Use the TDP User Transaction Collection Exit to process any request or response that traverses the TDP. (This exit is called TDPTMON, the User Monitor exit, in OS1100.)
TDPUSEC
  Object processed: Logon violations
  Description: Use the TDP User Security Exit to process logon request denials.
TDPUAX (MVS only)
  Object processed: MVS logon requests
  Description: The TDP User Address Space Exit is called by the TDP when an application initiates a logon or connect request to MVS.
Implementing Single Sign On (SSO) (Windows 2000 Only)
When available, the Single Sign On (SSO) feature allows users of the Teradata RDBMS on Windows 2000 systems to access Teradata RDBMS based on their authorized network usernames and passwords. This feature simplifies the procedure that requires users to enter an additional username and password when logging on to Teradata via client applications.
SSO must be enabled for the Teradata configuration in the DBS Control and the Gateway GDOs. The default is enabled (ON).
Caution: In order for existing TDPs that use the implicit logon protocol to function normally, leave the default value of 0 (ON) unchanged. ON ensures that both SSO and traditional logons are accepted; any other value rejects one form of logon. (For details, see "SET SSO" in Teradata RDBMS Database Window.)
To employ SSO, you need to implement security and set up Teradata users and the DBS Control and Gateway GDOs. Also, client users need to properly set up the Teradata interfaces and applications, such as ODBC or JDBC for Teradata, Teradata Manager, Teradata load utilities, and so forth, as instructed in the relevant document. The procedure for Teradata is as follows:
1 Log on to Teradata RDBMS as user DBC.
2 Make sure the DBC.AccLogRule macro exists. If it does not, create it as follows:
  a In the Database Window, access the Supvr icon and start the DIP utility: start dip
  b Go to the supervisor window indicated and log on as user DBC.
  c Select the option for the DIPACC (Access Logging) script.
3 Start BTEQ and submit a GRANT statement that grants your database administrative user (for example, dbadmin) the EXECUTE privilege on macro DBC.AccLogRule.
4 Log off as DBC and log on again as the user with the GRANT LOGON privilege (for example, dbadmin).
5 Determine whether every Teradata RDBMS user name is unique.
  IF you can guarantee that every username will always be unique across all domains, THEN you:
  • Can issue a GRANT LOGON statement to each existing user who will be logging on with SSO. For example:
    GRANT LOGON ON ALL TO user1 WITH NULL PASSWORD;
  • Can create new users using the form username, followed by GRANT LOGON ON ... WITH NULL PASSWORD. For example:
    CREATE USER newuser2 AS PERM=500000, PASSWORD=Jim2 ;
    GRANT LOGON ON ALL TO newuser2 WITH NULL PASSWORD;
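The SSO enablement steps of the procedure above written out as one BTEQ script, with a closing audit of who holds null-password logon, as an added example (not the manual's own text). Assumptions: dbadmin, user1 and newuser2 are the manual's sample names; the grant of EXECUTE on DBC.LogonRule to dbadmin is what gives it the GRANT LOGON privilege required in step 4; DBC.LogonRules is assumed to be the system view over DBC.LogonRuleTbl with columns UserName, LogicalHostId, LogonStatus, NullPassword, CreatorName and CreateTimeStamp.

```sql
-- Added example, not from the manual. Two sessions are involved:
-- the first part runs as user DBC, the second as dbadmin.

-- Steps 3 and 4, as user DBC: let dbadmin run access-logging statements
-- (EXECUTE on macro DBC.AccLogRule) and logon rules (EXECUTE on macro
-- DBC.LogonRule, which is the GRANT LOGON privilege needed in step 4).
GRANT EXECUTE ON DBC.AccLogRule TO dbadmin;
GRANT EXECUTE ON DBC.LogonRule  TO dbadmin;

-- Step 5, as dbadmin (usernames assumed unique across all domains):
-- an existing user is switched to SSO; WITH NULL PASSWORD means the
-- network credential, not a Teradata password, authenticates the logon.
GRANT LOGON ON ALL TO user1 WITH NULL PASSWORD;

-- A new user is created with a Teradata password (the manual's sample
-- values) and then allowed to log on through SSO in the same way.
CREATE USER newuser2 AS PERM = 500000, PASSWORD = Jim2;
GRANT LOGON ON ALL TO newuser2 WITH NULL PASSWORD;

-- Audit: every null-password logon rule now in effect. Because these
-- users bypass Teradata password checks, any name not on the approved
-- SSO list, or any rule created by an unexpected CreatorName, is a finding.
SELECT UserName, LogicalHostId, CreatorName, CreateTimeStamp
FROM   DBC.LogonRules
WHERE  NullPassword = 'Y'
  AND  LogonStatus  = 'G'
ORDER  BY UserName, LogicalHostId;
```

Keeping the audit query in a scheduled job gives a simple detection for null-password grants added outside the change process, since each row records who created the rule and when.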