Archives of the TeradataForum
Message Posted: Sat, 03 Oct 2009 @ 21:05:06 GMT
<-- Anonymously Posted: Saturday, October 03, 2009 15:15 -->
Since V2R6.2, Teradata has supported IP address restrictions by username. That's one way to ensure that the application username can't be used from someone's desktop - even if they know the password. See the Security Administration manual for details.
And even before that you could have isolated the network connections from the middle tier to the database and set up dedicated gateways on the Teradata side, then restricted logons for certain users to specific LogicalHostIDs. Or you could perhaps build your own authentication method for the shared IDs and not rely on passwords.
But it's difficult to get three-tier applications to log on to the database with the individual end user credentials. In TD12.0, you can often use Query Banding in conjunction with "pre-statement" SQL options to at least track individual usage.
TD13.0 introduces "Trusted Sessions", where the middle tier logs on as a shared "application" user that has permissions to act as a proxy and actually set the effective user credentials via Query Banding. That sounds promising.
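An added example, not part of the original post: the two approaches from the last two paragraphs side by side, query bands used only for tracking versus a TD13.0 trusted session. The user names `app_user` and `jsmith`, the role `sales_read_role` and the table `sales.orders` are hypothetical.

```sql
-- Tracking only (TD12.0 style): the middle tier stays logged on as the
-- shared ID and tags each request with the end user. Access rights are
-- still those of app_user; the band is only recorded for later review.
SET QUERY_BAND = 'ClientUser=jsmith;ApplicationName=orders_web;' FOR TRANSACTION;
SELECT order_id, status FROM sales.orders WHERE order_id = 1001;

-- Trusted session (TD13.0): a security administrator first allows the
-- shared application user to act as a proxy for a named permanent user,
-- limited to one role.
GRANT CONNECT THROUGH app_user
  TO PERMANENT jsmith WITH ROLE sales_read_role;

-- The middle tier, logged on as app_user, then sets the effective user
-- through the reserved PROXYUSER query band name.
SET QUERY_BAND = 'PROXYUSER=jsmith;PROXYROLE=sales_read_role;' FOR SESSION;

-- This request is checked against jsmith's rights under sales_read_role,
-- not against app_user's.
SELECT order_id, status FROM sales.orders WHERE order_id = 1001;

-- Clear the proxy before the pooled connection is handed to another
-- end user, so one user's identity does not carry over to the next.
SET QUERY_BAND = NONE FOR SESSION;

-- Review which proxy identities app_user has used (assumes DBQL query
-- logging is enabled for app_user).
SELECT UserName, ProxyUser, ProxyRole, StartTime, QueryBand
FROM DBC.QryLogV
WHERE UserName = 'app_user'
ORDER BY StartTime DESC;
```

A proxy request for a user that has no matching `GRANT CONNECT THROUGH` rule is rejected, which is what separates this from the tracking-only band, where the middle tier can write any value it likes.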
Last Modified: 15 Jun 2023