As any experienced Teradata DBA will tell you, some tables in the Teradata dictionary (DBC) need housekeeping. But some customer sites that I have worked with ignore table DBC.AccessRights.
If you have ever analyzed this table on a Teradata system, you will almost certainly spot two things quickly.
- A non-history table, it can contain lots of rows.
- It is very skewed.
Since this is a system table, altering the table definition is impossible. Therefore, diminishing the skew is not merely accomplished by modifying the Primary Index. Nonetheless, like all tables with skew, diminishing the number of rows usually leads to a decrease in skew.
Further analysis of this table’s content will usually show that many rows are ‘redundant.’ By that, I mean the situation where a user has a particular Access Right at the object level (say SELECT on a table). They also have the same Access Rights at the database level. Therefore, the object level Access Right serves no purpose because the user can SELECT from the table without it.
Housekeeping this table can have significant effects: one customer where a process was implemented reduced the row count by @40%, which also helped with parsing CPU consumption.
To effectively housekeep this table, some best practices have to be put into place:
- The normal batch process to identify and remove redundant Access Rights.
- Use Roles instead of direct grants of Access rights to users.
- Prevent DROP/CREATE staging tables using ETL processes (see my article “DELETE, don’t DROP“).
Note that the impact of skewing in the table should only be reduced to TD 15.00 due to the inclusion of a PPI. However, implementing the above steps will still be beneficial.
Sure you are allowed to comment on your own post.
I use the approach of cleaning the AccessRights table on a huge site where we have 1:1 views in a database pointing to all the existing tables in our data warehouse. This simplifies access as you don’t have to qualify the database for each table, but it causes huge skewing. We ended up with parsing times up to some seconds because of redundant rights!
Nevertheless, as you mentioned, we have to be careful when cleaning up the Access Rights table. I experienced missing permission with Stored Procedures depending on their user context (CALLER, OWNER, USER).
Although not specifically mentioned above, you can also get potential redundant Access Rights when a user has an Access Right granted directly to them and also in a Role that they are a member of. You have to be a bit careful about removing such Access Rights, but it is at least worth reporting on them.
(P.S. Am I allowed to comment on my own post?)