Register a Teradata Connection

Register your Teradata data and map your user accounts into Immuta

Public preview: This integration is available to all accounts that request to enable it for their tenant. Contact your Immuta representative to enable it.

Requirement

  • Teradata VantageCloud or Teradata VantageCore

Permissions

The user registering the connection must have the permissions below.

  • APPLICATION_ADMIN Immuta permission

  • The Teradata user registering the connection must have access to the user DBADMIN

  • The Teradata user running the setup script must have the permission CREATE DATABASE

Create the database user

  1. Create a new user in Teradata to serve as the Immuta system account. Immuta will use this system account continuously to crawl the connection.

  2. Grant this account the following Teradata privileges:

    1. SELECT on the DBC database

    2. CREATE ROLE

    3. DROP ROLE

    4. SELECT WITH GRANT OPTION on all Teradata views and databases that Immuta should manage permissions to

    5. CREATE VIEW WITH GRANT OPTION

    6. DROP VIEW WITH GRANT OPTION

Configure Teradata

If your base tables are in a different database than your views, then you must grant your view database the ability to select from your base table database.
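
The grants described in the two sections above, written out as an added Teradata SQL example; it is not Immuta's setup script. The names immuta_system, sales_db and sales_views are hypothetical placeholders, and the scope chosen for the view privileges is an assumption because the page does not name one.

```sql
-- Added example. All object names are hypothetical placeholders:
--   immuta_system = the Immuta system account
--   sales_db      = a database holding base tables
--   sales_views   = a database holding views over sales_db

-- Privileges listed under "Create the database user".
GRANT SELECT ON DBC TO immuta_system;
GRANT CREATE ROLE, DROP ROLE TO immuta_system;

-- Repeat for each database or view Immuta should manage permissions to.
GRANT SELECT ON sales_db    TO immuta_system WITH GRANT OPTION;
GRANT SELECT ON sales_views TO immuta_system WITH GRANT OPTION;

-- Assumption: the view privileges are scoped to the view database
-- rather than granted more broadly.
GRANT CREATE VIEW, DROP VIEW ON sales_views TO immuta_system WITH GRANT OPTION;

-- "Configure Teradata": the views live in sales_views and read base tables in
-- sales_db. Teradata requires the database that owns a view to hold
-- SELECT WITH GRANT OPTION on the referenced database before other users can
-- query through that view.
GRANT SELECT ON sales_db TO sales_views WITH GRANT OPTION;

-- Review what the system account actually holds after the grants.
-- AccessRight codes: R = SELECT, CR / DR = CREATE / DROP ROLE,
-- CV / DV = CREATE / DROP VIEW. GrantAuthority = 'Y' means WITH GRANT OPTION.
SELECT DatabaseName, TableName, AccessRight, GrantAuthority, GrantorName
FROM DBC.AllRightsV
WHERE UserName = 'immuta_system'
ORDER BY DatabaseName, TableName, AccessRight;
```

Rows in the final result that fall outside the list of privileges above are worth reviewing, since this account is used continuously and can re-grant what it holds.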

Register a Teradata connection

  1. In Immuta, click Data and select Connections in the navigation menu.

  2. Click the + Add Connection button.

  3. Select the Teradata tile.

  4. Enter the host connection information:

    1. Display Name: This is the name of your new connection. This name will be used in the API (connectionKey), in data source names from the host, and on the connections page. Avoid the use of periods (.) or restricted words in your connection name.

    2. Hostname: Your Teradata host (e.g., your-host.env.teradata.com).

    3. Port: Port configured for Teradata.

    4. SSL Mode: Use the dropdown to select your SSL mode.

    5. SSL Protocol: Based on your SSL mode selection, also select the protocol.

  5. Select the authentication method from the dropdown:

    1. Username and Password or LDAP: Enter the username and password of the Teradata user you created above.

    2. OAuth: Enter the authentication details of the Teradata user you created above.

      1. Fill out the Client ID, which is the subject of the generated token. It is also known as sub (subject).

      2. Fill out the Client Secret.

      3. Fill out the Authority URL of your identity provider.

      4. Enter the Scope to limit the operations and roles allowed in Teradata by the access token. See the OAuth 2.0 documentation for details about scopes.

  6. Run the below script in your Teradata environment to create the Immuta databases and complete setup.

Teradata does not allow granting WITH GRANT OPTION to a role. To ensure all Immuta policies work as expected, the grants to PUBLIC on the Immuta tables are required.

  7. Click Save connection.

Grant the immuta_views database access

After you register the connection and the immuta_views database is created, you must grant that database the ability to select from the databases that have your tables and views:

Map users

Requirement: USER_ADMIN Immuta permission

Map Teradata usernames to each Immuta user account to ensure Immuta properly enforces policies.

The instructions below illustrate how to do this for individual users, but you can also configure user mapping in your IAM connection on the app settings page.

  1. Click People and select Users in the navigation menu.

  2. Click the user's name to navigate to their page and scroll to the External User Mapping section.

  3. Click Edit in the Teradata User row.

  4. Select the User Type from the dropdown:

    1. Teradata Username: Enter the user's Teradata username.

    2. Unset (fallback to Immuta username): When this option is selected, the Teradata username is assumed to be the same as the Immuta username.

    3. None (user does not exist in Teradata): Select this option if this is an Immuta-only user. This option will improve performance for Immuta users who do not have a mapping to Teradata users and will be automatically selected by Immuta if an Immuta user is not found in Teradata. To ensure your Teradata users have policies correctly applied, manually map their usernames using the first option above.

  5. Click Save.
