Archives of the TeradataForum
Message Posted: Sat, 03 Oct 2009 @ 21:05:06 GMT
Subj: Re: Process ID's versus unique User ID's
From: Anomy Anom
Anonymously Posted: Saturday, October 03, 2009 15:15

Since V2R6.2, Teradata has supported IP address restrictions by username. That's one way to ensure that the application username can't be used from someone's desktop - even if they know the password. See the Security Administration manual for details.

And even before that you could have isolated the network connections from the middle tier to the database and set up dedicated gateways on the Teradata side, then restricted logons for certain users to specific LogicalHostIDs. Or you could perhaps build your own authentication method for the shared IDs and not rely on passwords.

But it's difficult to get three-tier applications to log on to the database with the individual end user credentials. In TD12.0, you can often use Query Banding in conjunction with "pre-statement" SQL options to at least track individual usage.

TD13.0 introduces "Trusted Sessions", where the middle tier logs on as a shared "application" user that has permissions to act as a proxy and actually set the effective user credentials via Query Banding. That sounds promising.
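
The Trusted Sessions flow mentioned in the post, sketched as an added example that is not part of the original message. The names `app_mid_tier`, `jsmith`, `sales_read`, `sales_db.orders` and the `ClientApp` band name are hypothetical; it assumes TD13.0 or later.

```sql
-- Hypothetical names throughout: app_mid_tier is the shared application
-- user, jsmith an end user, sales_read a role, sales_db.orders a table.

-- 1. DBA, once: let the shared application user act as proxy for a named
--    permanent user, limited to a single role.
GRANT CONNECT THROUGH app_mid_tier
  TO PERMANENT jsmith
  WITH ROLE sales_read;

-- 2. DBA, once: log the middle tier's queries so proxy activity is auditable.
BEGIN QUERY LOGGING WITH SQL ON app_mid_tier;

-- 3. Middle tier, logged on as app_mid_tier, before serving jsmith's request:
--    PROXYUSER and PROXYROLE are reserved query band names; ClientApp is an
--    ordinary band name used only for tracking.
SET QUERY_BAND = 'PROXYUSER=jsmith;PROXYROLE=sales_read;ClientApp=orders_ui;'
  FOR SESSION;

-- 4. The request itself. Access is checked against the proxy user and role,
--    not against app_mid_tier.
SELECT order_id, order_total
FROM sales_db.orders
WHERE order_date = CURRENT_DATE;

-- 5. Clear the band before the pooled connection is handed to another
--    end user, so the proxy identity does not carry over.
SET QUERY_BAND = NONE FOR SESSION;

-- 6. Audit: which end user was behind each query run by the shared logon.
SELECT StartTime, UserName, ProxyUser, ProxyRole, QueryBand, QueryText
FROM DBC.DBQLogTbl
WHERE UserName = 'app_mid_tier'
ORDER BY StartTime DESC;
```

A `SET QUERY_BAND` naming a user not covered by a `GRANT CONNECT THROUGH` for `app_mid_tier` is rejected, so the grant list is what bounds whom the middle tier can impersonate.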