Archives of the TeradataForum
Message Posted: Sat, 03 Apr 2010 @ 22:53:58 GMT
| Subj: | | Re: Revoke logon on all as default |
| |
| From: | | Fenwick, Ruth |
You may have logons granted explicitly to particular host ids (network or channel). These grants supersede a REVOKE LOGON on ALL. Seems a
little counter intuitive, but I if you look at the security manual, it actually tells you it will do this. If you've ever revoked logon from a
particular id, and then granted it back to them, again, they'll be able to log on through a REVOKE LOGON ON ALL.
Run the query below.....that will list all ids that can still logon through a REVOKE LOGON ON ALL
SEL * FROM dbc.logonrules
where logonstatus = 'g' ;
To generate the revoke logons from explicit grants:
SEL 'revoke logon on ' || trim(logicalhostid) || ' from ' || TRIM(username) || ';'
FROM dbc.logonrules
WHERE logonstatus = 'g'
GROUP BY 1;
To generate the grants required later (run before you revoke):
SEL 'grant logon on ' || trim(logicalhostid) || ' to ' || TRIM(username) || ';'
FROM dbc.logonrules
WHERE logonstatus = 'g'
GROUP BY 1;
Ruth Fenwick
Teradata Technical Lead, Enterprise Data Management, Enterprise Information Management
Royal Bank of Canada
| 
