
Backup Archive and Recovery

Archive Users and Permissions

Summary Of Changes
Change Date | Description of Change | Pages | Author
6/16/06 | Original Release | All | Tom Zenner, Randall Bell
6/20/06 | Correct ARC_CATALOG to $ARC_CATALOG | 4,5 | Randall Bell
11/4/09 | Removed Catalog, Added Monitor Privileges to ARCUSER1 | 4,5 | John Meler

Table of Contents
Summary
Create Role and Assign AccessRights
DBC and CATALOG AccessRights
AccessRights for DUMP, RESTORE and COPY
Create ArcUsers
Grant Users Permission
Set Default Role

Summary
The recommendations and requirements put forth in this document are based upon best
practices. It's recognized that each site has its own processes and procedures.
Access privileges, or access rights, are needed for users created to perform archive and recovery
operations against database objects on the Teradata system. There are three major types of
archive and recovery operations. The table below lists the access rights that must be explicitly
granted to the user on the database object.
Operation | Description | AccessRight
ARCHIVE | Extracts data from Teradata to media | ARCHIVE/DUMP
RESTORE | Imports data to Teradata from media. Table must already exist. | RESTORE
COPY | Imports data to Teradata from media. Creates a new table if it doesn't exist. | RESTORE, CREATE TABLE, CREATE VIEW, CREATE TRIGGER, CREATE PROCEDURE

These access rights must be explicitly granted unless the user performing the archive/recovery
operation is the owner of the object.
It's a DBA responsibility to ensure the required Teradata access rights are granted and
maintained.

Create Role and Assign AccessRights


Best practice is the use of a role to assign access rights. This will minimize entries to the
DBC.AccessRights table and is easier to maintain.
CREATE ROLE ARCUSER_ROLE;

DBC AccessRights
The grant statement below should be run:
GRANT DUMP, SELECT ON DBC TO ARCUSER_ROLE;

AccessRights for DUMP, RESTORE and COPY


The following BTEQ script will generate the grant commands for all databases on the system
(excluding ALL, DBC, Default and PUBLIC). Databases & Users created after this is run would
need the same access rights granted to ARCUSER_ROLE.
/** Excluding ALL, DBC, DEFAULT and PUBLIC **/
.width 254
.export file=grant_ARCUSER_ROLE.txt

SEL 'GRANT RESTORE,DUMP,CREATE TABLE,CREATE VIEW,CREATE MACRO,CREATE TRIGGER,CREATE PROCEDURE ' ||
'ON ' ||
TRIM(DATABASENAME) ||
' TO ARCUSER_ROLE;'(TITLE'')
FROM DBC.DBASE
WHERE DATABASEID NOT IN
('00000000'XB,'00000100'XB,'00000200'XB,'00000300'XB,'00008304'XB)
ORDER BY 1;
.export reset
Run BTEQ again to execute the grant statements that were created above.
.run file = grant_ARCUSER_ROLE.txt
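
For databases and users created after the first run, a gap-only variant of the generator keeps the role complete without re-issuing grants that already exist. This is an added example, not part of the original document; it assumes the DBC.AllRoleRights view and the standard two-letter access right codes (RS, DP, CT, CV, CM, CG, PC), and the export file name is hypothetical.

```sql
/* Added example (not from the original document).
   Emits GRANT statements only for databases where ARCUSER_ROLE does not
   yet hold all seven database-level rights granted by the generator above.
   Assumptions: DBC.AllRoleRights exists with RoleName, DatabaseName,
   TableName and AccessRight columns; TableName = 'All' marks a
   database-level right; the export file name is hypothetical. */
.width 254
.export file=grant_ARCUSER_ROLE_missing.txt

SEL 'GRANT RESTORE,DUMP,CREATE TABLE,CREATE VIEW,CREATE MACRO,CREATE TRIGGER,CREATE PROCEDURE ' ||
    'ON ' ||
    TRIM(d.DATABASENAME) ||
    ' TO ARCUSER_ROLE;' (TITLE '')
FROM DBC.DBASE d
LEFT JOIN
  ( /* Count how many of the seven rights the role holds per database */
    SEL DatabaseName, COUNT(DISTINCT AccessRight) AS RightsHeld
    FROM DBC.AllRoleRights
    WHERE RoleName = 'ARCUSER_ROLE'
      AND TableName = 'All'
      AND AccessRight IN ('RS','DP','CT','CV','CM','CG','PC')
    GROUP BY 1
  ) r
  ON r.DatabaseName = d.DATABASENAME
/* Same exclusion list as the original generator */
WHERE d.DATABASEID NOT IN
  ('00000000'XB,'00000100'XB,'00000200'XB,'00000300'XB,'00008304'XB)
  /* Keep databases with no grants at all or only a partial set */
  AND COALESCE(r.RightsHeld, 0) < 7
ORDER BY 1;

.export reset
```

An empty export file means every non-excluded database already carries the full set of rights for the role.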

Create ArcUsers
Teradata requires unique userids when running multiple concurrent restore/copy jobs. The
following are requirements:

- Create at least one user per tape drive.
- NetVault & NetBackup require identical arcuser passwords.
- ARC requires a small amount of spool. If spool space is not defined it will be inherited from
  its owner. (MaxSpool equal to DBC is recommended.)

As user DBC, perform the steps below. The database ARCUSERS is recommended purely as a
housekeeping container database, created below DBC.
Create Database ARCUSERS as perm=0;
Create User arcuser1 from ARCUSERS as perm=0, password=arcuser;
Create User arcuser[n] from ARCUSERS as perm=0, password=arcuser;

Grant Users Permission


Grant the archive/recovery permissions assigned to the role to the ArcUsers.
GRANT ARCUSER_ROLE TO arcuser1, arcuser2;
GRANT MONITOR TO ARCUSER_ROLE;

Set Default Role


MODIFY USER arcuser1 AS DEFAULT ROLE = ARCUSER_ROLE;
MODIFY USER arcuser2 AS DEFAULT ROLE = ARCUSER_ROLE;
