Understand Teradata Access Rights

Roland Wenzlofsky

November 8, 2019

minutes reading time


Types of Teradata Access Rights

Teradata distinguishes between these four types of access rights:

  1. Implicit: The Teradata privileges of a user or database owning an object (“ownership privilege”)
  2. Explicit: The Privileges explicitly granted with the GRANT statement
  3. Inherited: The privileges inherited by being a role member
  4. Automatic: The privileges automatically granted by Teradata

Owners and Creators

Teradata differentiates between creators and owners of database objects.

The creator is the user who executes the DDL statement to create an object. Thus, only one user can be the creator of an object.

The owners of a database object are all databases and users located above the object in the database hierarchy.

A new object’s database is called the immediate owner.

Here is an example. If user DBA creates “Object “then DBA is the creator, and “System Admin “and “Database 1 “are owners.

Understand Teradata Access Rights 1

Teradata Access Rights – Implicit Privileges

Implicit privileges are granted to object owners. They do not need a row in the DBC.Accessrights table (still, Teradata adds rows by default, but we can delete them). We can’t revoke ownership privileges!

An object’s owner can grant explicit privileges to other users, databases, and roles (WITH and WITHOUT GRANT option).

In our example above, the databases “System Admin” and “Database 1” have implicit privileges on “Object “.

Teradata Access Rights – Explicit Privileges

Explicit privileges are managed with the GRANT and REVOKE statements.

The GRANT statement assigns explicit privileges to databases, users, tables, indexes, views, stored procedures, UDFs, macros, and roles:

GRANT <privileges> ON <object> TO <user> [WITH GRANT OPTION];

To grant explicit privileges, the granting user needs to have the same privileges on this object and grant authority (“WITH GRANT OPTION “)

We can revoke explicit grants if the following requirements are fulfilled:

  • We have the permissions to grant the permissions or
  • We are the owner of the object.

Automatic Privileges

Certain privileges are automatically granted when a user creates an object, such as users, databases, tables, views, etc. Automatic privileges are automatically granted by Teradata (“Creator Privilege”). If a table is created, the assigned privileges are DELETE, INSERT, UPDATE, SELECT, etc.

Additionally, suppose a user creates a new database or user. In that case, the creator will get automatic permissions on the new object, and the newly created object will get some automatic privileges (delete, insert, update, select, etc.).

Inherited Privileges

Inherited privileges are not directly assigned to a user but are indirectly available via a role. Roles combine privileges and can then be assigned to a user. This means that single rights do not have to be assigned to all users again and again, but only once to the role assigned to each user; such an approach simplifies administration and is the preferred way to assign permissions.

  • Hi Roland,
    Good basic information clearly presented. Well done.

    However, I think that your description of ‘inherited’ Access Rights is missing something. I understand why you’ve described Access Rights from Roles as being inherited (I’d never thought of them that way but I see your point), but the term ‘inherited Access Right’ is often used to describe something else.

    An ‘inherited’ Access Right is one that is granted to a user/database specifically during the “CREATE USER/DATABASE” command. Assume the following hierarchy and commands.

    A user name DEV_USERS exists.
    The following command is executed: “GRANT SELECT ON db1 TO ALL DEV_USERS;”
    The following command is now executed: “CREATE USER Fred FROM DEV_USERS;”

    As a result of this (specifically the ‘ALL DEV_USERS’), when ‘fred’ is created, this userid will also be granted the SELECT Access Right on database ‘db1’. this user has inherited the Access Right from an owner.

    Cheers,
    Dave

  • {"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

    You might also like

    >