4.1 TPT and Logon security, Encryption and Roles:
The following security-related attributes may be required for logons to Teradata Database, depending on the user authentication method employed.
Attribute | Description
UserName | The Teradata Database username.
UserPassword | The Teradata Database password associated with the username.
TdpId | Identifies the connection to the Teradata Database. If you don't specify a TdpId, the system will use the default TdpId, as defined in the Teradata Client clispb.dat.
LogonMech | A security mechanism used to externally authenticate the user. Optional, depending on security setup. TD2 is the default mechanism and the system will automatically defer to it unless the default has been set to another mechanism or TD2 has been disabled. External authentication systems include Kerberos or Active Directory. External authentication is only available for jobs launched from network-attached clients. It requires special setup. Do not use external authentication to log on a Teradata PT job script until you understand the associated setup and logon requirements.
LogonMechData | Username, password, and other data required by an external authentication mechanism to complete the logon.
Values for the security attributes can be assigned in any of the following statements, which are listed in the order they are processed, from lowest to highest priority.
• DEFINE OPERATOR
• In an APPLY statement, or SELECT clause of an APPLY statement
Tip: Specifying the UserName and UserPassword
values as job variables avoids problems that may occur if such logon
information is kept in plain view in job scripts.
The following operators access non-Teradata data sources. However, since they log on through an access module, they do not require logon information.
• DataConnector
• FastLoad INMOD Adapter
• FastExport OUTMOD Adapter
• MultiLoad INMOD Adapter
For these operators, logon information must be entered as part of the access module or INMOD/OUTMOD routine through which the operator accesses the outside data source.
The ODBC operator functions differently from other such operators, and allows the option of specifying the following in the job script:
• UserName
• UserPassword
4.1.1 Using Encryption and Side effects:
All Teradata PT operators that interface with the Teradata Database have the option to encrypt job data during transmission across the network. The data is then decrypted and checked for integrity when it is received by the Teradata Database.
It is important to note that encryption is only available for network-attached clients.
The following operators support encryption:
• DDL
• Export
• Load
• SQL Inserter
• SQL Selector
• Stream
• Update
The DataEncryption attribute is set to 'On' to enable encryption. The default setting is 'Off'.
A side effect is that encryption may result in a noticeable decrease in load/unload performance due to the time required to encrypt, decrypt, and verify the data.
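As an added example (not from the original post and not Teradata tooling), the Python sketch below audits a job script for the two points made above: logon secrets written as literals instead of job variables, and Teradata-facing operators left at the DataEncryption default of 'Off'. The sample script, the job-variable names and the TYPE keywords in ENCRYPTING_TYPES are assumptions made for illustration.

```python
import re

# Constructed TPT job-script fragment for illustration (not from the page).
SAMPLE_SCRIPT = """
DEFINE OPERATOR LOAD_HARDCODED
TYPE LOAD
SCHEMA *
ATTRIBUTES
(
    VARCHAR TdpId        = 'tdprod',
    VARCHAR UserName     = 'etl_user',
    VARCHAR UserPassword = 'Secret123'
);
DEFINE OPERATOR LOAD_JOBVARS
TYPE LOAD
SCHEMA *
ATTRIBUTES
(
    VARCHAR TdpId          = @TdpId,
    VARCHAR UserName       = @UserName,
    VARCHAR UserPassword   = @UserPassword,
    VARCHAR DataEncryption = 'On'
);
"""

OPERATOR_RE = re.compile(r"DEFINE\s+OPERATOR\s+(\w+)\s+TYPE\s+(\w+)(.*?)\)\s*;", re.I | re.S)
ATTR_RE = re.compile(r"VARCHAR\s+(\w+)\s*=\s*('(?:[^']|'')*'|@\w+)", re.I)
SECRET_ATTRS = ("UserPassword", "LogonMechData")
# Assumed TYPE keywords for the operators the page lists as supporting encryption.
ENCRYPTING_TYPES = {"DDL", "EXPORT", "LOAD", "INSERTER", "SELECTOR", "STREAM", "UPDATE"}

def audit(script):
    """Return {operator_name: [findings]} for every DEFINE OPERATOR block."""
    report = {}
    for name, op_type, body in OPERATOR_RE.findall(script):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(body)}
        # A quoted value means the secret sits in plain view in the script.
        findings = [f"{a}: literal in script, use a job variable"
                    for a in SECRET_ATTRS if attrs.get(a.lower(), "@").startswith("'")]
        enc = attrs.get("dataencryption", "'Off'")  # the default setting is 'Off'
        enc_ok = enc.startswith("@") or enc.lower() == "'on'"  # @var is resolved at run time
        if op_type.upper() in ENCRYPTING_TYPES and not enc_ok:
            findings.append("DataEncryption: not 'On', job data is sent unencrypted")
        report[name] = findings
    return report

if __name__ == "__main__":
    for op, findings in audit(SAMPLE_SCRIPT).items():
        print(op, "->", findings or "ok")
```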
4.1.2 Using Roles with TPT
Each operator that communicates with the Teradata Database logs on separately, and Teradata PT scripts do not support use of the SET ROLE statement (except for the DDL operator). Since the default role cannot be reset for a Teradata PT session, make sure that the Teradata PT user's default role includes all the necessary privileges.