Home Page for the TeradataForum
 

Archives of the TeradataForum

Message Posted: Sat, 03 Apr 2010 @ 22:53:58 GMT


     
  <Prev Next>   <<First <Prev
Next>
Last>>
 


Subj:   Re: Revoke logon on all as default
 
From:   Fenwick, Ruth

You may have logons granted explicitly to particular host ids (network or channel). These grants supersede a REVOKE LOGON on ALL. Seems a little counter intuitive, but I if you look at the security manual, it actually tells you it will do this. If you've ever revoked logon from a particular id, and then granted it back to them, again, they'll be able to log on through a REVOKE LOGON ON ALL.

Run the query below.....that will list all ids that can still logon through a REVOKE LOGON ON ALL

     SEL * FROM dbc.logonrules
     where logonstatus = 'g' ;

To generate the revoke logons from explicit grants:

     SEL 'revoke logon on ' || trim(logicalhostid) || ' from ' || TRIM(username) || ';'
       FROM dbc.logonrules
       WHERE  logonstatus = 'g'
       GROUP BY 1;

To generate the grants required later (run before you revoke):

     SEL 'grant logon on ' || trim(logicalhostid) || ' to ' || TRIM(username) || ';'
       FROM dbc.logonrules
       WHERE  logonstatus = 'g'
       GROUP BY 1;

Ruth Fenwick
Teradata Technical Lead, Enterprise Data Management, Enterprise Information Management
Royal Bank of Canada



     
  <Prev Next>   <<First <Prev
Next>
Last>>
 
 
 
 
 
 
 
 
 
  
  Top Home Privacy Feedback  
 
 
Copyright for the TeradataForum (TDATA-L), Manta BlueSky    
Copyright 2016 - All Rights Reserved    
Last Modified: 15 Jun 2023