Masquerading
Masquerading is a way for a client to operate as another user, with all the privileges of that user. Masquerading is a powerful feature. Use masquerading with caution, as you would when using the root command in UNIX or the su command in Linux®.
The masquerading feature allows application servers to do authentication separately from the system. It also allows a server to use one connection to the Netezza Performance Server system for a number of users while still recording those users with the Netezza Performance Server system.
In this use case, system security is set up so that users do not access an Netezza Performance Server database directly, but do it through an application. The application allows certain users access to the database. Each database user has an associated security profile, determining what information can be accessed.
The Netezza Performance Server system does not do the user authentication, but leaves that to the application. In masquerading, a client uses the application to access the database as another user (called a target user), thus accessing the database with the security profile of the target user.
Masquerading is done with the EXECUTE AS command. To use this command, you need EXECUTE AS privileges on the target user. If you issue the command without the required privilege, an error message is displayed.
EXECUTE AS target-user-name
As explained in User login control, opening a connection to the database establishes a session, and the session user is recorded. Masquerading changes the current user in the session context. Subsequent permission checks use that value, while the session user function still shows the original user.
nzsql -u JOHN -pw ABCD -db BIZ
BIZ.SCM(JOHN)=>
BIZ.SCM(JOHN)=> EXECUTE AS HANK;
EXECUTE AS
BIZ(JOHN)=> SELECT session_user, current_user;
SESSION_USER | CURRENT_USER
--------------+--------------
JOHN | HANK
(1 row)
To reverse the EXECUTE AS command, use the REVERT command, which changes the current user back:
BIZ(JOHN)=> REVERT;
REVERT
BIZ(JOHN)=> SELECT session_user, current_user;
SESSION_USER | CURRENT_USER
--------------+--------------
JOHN | JOHN
(1 row)