Teradata Access Rights

4
1329

teradata access rightsTeradata Access Rights

Teradata distinguishes between these four types of access rights

  1. ImplicitThe privileges of a user or database owning an object (“ownership privilege”)
  2. ExplicitThe Privileges explicitly granted with the GRANT statement
  3. InheritedThe privileges inherited by being a role member
  4. AutomaticThe privileges automatically granted by Teradata

 

Owners and Creators

Teradata distinguishes between creators and owners of database objects.

The creator is the user who executed the DDL statement to create an object. Thus, only one user can be the creator of an object.

The owners of a database object are all databases and users which are above the object in the database hierarchy.

When a database object is created, the database which holds the new object is called the immediate owner.

Here is an example. If DBA creates “Object” then DBAis the Creator and “System Admin” and “Database 1” are owners.

Implicit Privileges

Implicit privileges are given to object owners. They don’t require a row in DBC.Accessrights (but these rows are added by default). Ownership privileges can’t be revoked!

The owner of an object can grant explicit privileges to other users, databases, and roles (WITH and WITHOUT GRANT option).

In our example from above, “System Admin” and “Database 1” have implicit privileges on “Object”.

Explicit Privileges

Explicit privileges are managed with the GRANT and REVOKE statements.

The GRANT command is used to assign explicit privileges to databases, users, tables, indexes, views, stored procedures, UDFs, macros, and roles:

GRANT <privileges> ON <object> TO <user> [WITH GRANT OPTION];
 

To grant explicit privileges, the granting user needs the same privileges on this object and grant authority (“WITH GRANT OPTION”)

Explicit grants can be revoked it the revoking user needs:

  • The permissions to grant the permissions
  • To be Owner of the object

Automatic Privileges

Certain privileges are automatically granted, when a user creates an object, such as users, databases, tables, views, etc. Automatic privileges are automatically granted by Teradata (“Creator Privilege”). If a table is created the assigned privileges are delete, insert, update, select, etc.

Additionally, if a user creates a new database or user, not only the creator will get automatic permissions on the new object, but also the newly created object will get some automatic privileges (delete, insert, update, select, etc.).

For a complete list of automatic privileges, please check the documentation at:

Inherited Privileges

Not too much to say: These are inherited from the role.

Questions?
If you have any questions about all this, please ask in the comments! I’ll be paying close attention and answering as many as I can. Thank you for reading. Whatever this blog has become, I owe it all to you.
Our Reader Score
[Total: 2    Average: 5/5]
Teradata Access Rights written by Roland Wenzlofsky on March 8, 2017 average rating 5/5 - 2 user ratings

4 COMMENTS

  1. Hi Roland,
    Good basic information clearly presented. Well done.

    However I think that your description of ‘inherited’ Access Rights is missing something. I understand why you’ve described Access Rights from Roles as being inherited (I’d never thought of them that way but I see your point), but the term ‘inherited Access Right’ is often used to describe something else.

    An ‘inherited’ Access Right is one which is granted to a user/database specifically during the “CREATE USER/DATABASE” command. Assume the following hierarchy and commands.

    A user name DEV_USERS exists.
    The following command is executed: “GRANT SELECT ON db1 TO ALL DEV_USERS;”
    The following command is now executed: “CREATE USER fred FROM DEV_USERS;”

    As a result of this (specifically the ‘ALL DEV_USERS’), when ‘fred’ is created, this userid will also be granted the SELECT Access Right on database ‘db1’. this user has inherited the Access Right from an owner.

    Cheers,
    Dave

LEAVE A REPLY

Please enter your comment!
Please enter your name here