Archives of the TeradataForum

Message Posted: Thu, 10 Nov 2016 @ 09:05:35 GMT

	<Prev	Next>		<<First	<Prev	Next>	Last>>

Hi Kavitha,

I've seen it used at customer sites for tools like Business Objects, Cognos etc. - essentially a situation where you have a middle-tier server that is what logs on to Teradata. This allows the 'real end user' to be identified in Teradata: dbql logs, accessrights etc.

Here are some examples from some testing that I use:

The 'grant connect through' is as follows:

     GRANT CONNECT THROUGH server_td_user TO real_end_user  WITH ROLE role_for_real_end_user;

The 'set query band' is:

     SET QUERY_BAND = 'proxyuser= real_end_user;' FOR SESSION;

In this situation my middle-tier software logs on to Teradata with a userid of 'server_td_user'.

To make this a more real example, assume that A user called 'FRED' uses Business Objects to run reports against Teradata.

He connects to his Business Objects server with his Windows/Business Objects user name (FRED).

The Business Objects server logs on to Teradata with a userid of BOBJ_SERVER.

Prior to running a query for this user the Business Objects software runs the following sql request

     SET QUERY_BAND = 'proxyuser= fred;' FOR SESSION;

This proxyuser value ('FRED@) will now be recorded in the main dbqlogtbl (column ProxyUser) for all of these queries.

To get this to work, on Teradata you need to:

     GRANT CONNECT THROUGH bobj_server TO fred;   <<< the 'WITH ROLE' is optional

Does that help?

Cheers,

Dave

Ward Analytics Ltd - Information in motion (www.ward-analytics.com)

	<Prev	Next>		<<First	<Prev	Next>	Last>>