Vantage Setup & Permissions

AnalyticOps requires that both users and service users have the necessary permissions to work with Teradata Vantage. These permissions vary based on the specific features you will be using and so we list the permisssions by feature.

Additionally, there are a number of components which must be installed in the database and DDLs which must be applied to use some of these features.

Components

There are many components available in-vantage which can be installed and used independently.

  • SQLE

    • PMML/ONNX/H2OPredict

    • IVSM

    • STO

  • MLE

Refer to the installation guide of each for the instructions on how to install the latest version of the above components which are optionally installed (i.e. STO, IVSM, x*Predict).

AnalyticOps DDLs

AnalyticOps deploys and stores some model artefacts in Vantage for BYOM (IVSM, PMML/ONNX/H2OPredict) and STOs. That is because they are executed In-Vantage. We store models artefacts related to these in two model artefacts tables named aoa_ivsm_models and aoa_sto_models respectively.

In future, we will have more requirements and tables for storing various types of metadata in Vantage. Therefore, we recommend to start with a single AOA database and create the DDLs there. Later, as the organization advances, it may make sense to have multiple databases where models associated with one business or department line are stored in different databases due to different governance and security requirements. However, start simple and create a single database. As the database is storing model artefacts (binary objects), it is recommended to provision at least a few GB to start with.

BYOM

CREATE TABLE { aoa-db }.aoa_ivsm_models
     (
      model_version VARCHAR(255) CHARACTER SET LATIN CASESPECIFIC,
      model_id VARCHAR(255) CHARACTER SET LATIN CASESPECIFIC,
      model_type VARCHAR(255) CHARACTER SET LATIN CASESPECIFIC,
      project_id VARCHAR(255) CHARACTER SET LATIN CASESPECIFIC,
      deployed_at TIMESTAMP(6) DEFAULT CURRENT_TIMESTAMP(6),
      model BLOB(2097088000))
UNIQUE PRIMARY INDEX ( model_version );

STOs

CREATE TABLE { aoa-db }.aoa_sto_models
     (
        partition_id VARCHAR(255) CHARACTER SET LATIN CASESPECIFIC,
        model_version VARCHAR(255) CHARACTER SET LATIN CASESPECIFIC,
        num_rows BIGINT,
        partition_metadata JSON CHARACTER SET UNICODE,
        model_artefact CLOB
     )
UNIQUE PRIMARY INDEX (partition_id, model_version);

MLE

By default, the MLE requires you to save the model artefacts as a table for every single model version. We could ideally store these in a single artefact table also but it is not supported by the MLE. So the pattern we use is to store a table with the first part of the uuid as the table name for uniqueness.

Grants

Data scientists should have permission to work within a sandbox environment, ideally a data lab but their own database will work. This database will need perm space and they need minimal resources for this but it allows them to work quickly and validate. They should have CREATE, DELETE, INSERT, SELECT permissions within that database. Without such permissions, data scientists working with Vantage will be severely hindered in their abilities to work. As this is a departure from historic data warehouse access, it requires a discussion up front between the business units and the data management organization.

We have tried to collate all the permissions and access which a data scientist or AnalyticOps user (including service users) to execute basic scenarios to the more complex scenarios. The specific permissions change depending on the in-vantage option chosen and so we have broken them down by component. You only need to apply the permissions relevant to the given components being used.

AOA DB

Users need INSERT and SELECT access to the { aoa-db } tables

GRANT SELECT, INSERT ON { aoa-db } TO { username | rolename };

VAL

GRANT EXECUTE PROCEDURE ON { val-db }.td_analyze TO { username | rolename };
GRANT EXECUTE FUNCTION ON { val-db }.tda_dt_calc TO { username | rolename };
GRANT EXECUTE FUNCTION ON { val-db }.tda_kmeans TO { username | rolename };
GRANT SELECT ON stats_dbname TO { username | rolename };

IVSM

GRANT EXECUTE FUNCTION on { ivsm-db } to { username | rolename };

PMML/ONNX/H2OPredict

GRANT EXECUTE FUNCTION on { mldb } to { username | rolename };

STO

GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.SCRIPT to { username | rolename};
GRANT CREATE EXTERNAL PROCEDURE ON <database> TO { username | rolename };
GRANT EXECUTE ON SYSUIF.DEFAULT_AUTH to { username | rolename };

-- required to install/cleanup the python files generated / used
GRANT EXECUTE PROCEDURE ON SYSUIF.INSTALL_FILE TO { username | rolename};
GRANT EXECUTE PROCEDURE ON SYSUIF.REPLACE_FILE TO { username | rolename};
GRANT EXECUTE PROCEDURE ON SYSUIF.REMOVE_FILE TO { username | rolename};

GRANT DROP PROCEDURE ON <database> TO { username | rolename };
GRANT SELECT ON <database> TO { username | rolename };

-- required if using teradataml and the user will be working through a <database> other than the <username> database
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.SCRIPT TO <database> WITH GRANT OPTION;
GRANT EXECUTE ON SYSUIF.DEFAULT_AUTH TO <database> WITH GRANT OPTION;

MLE

GRANT EXECUTE FUNCTION ON SYSLIB TO { username };
GRANT CONNECT THROUGH proxyuser TO PERMANENT { username } WITHOUT ROLE;
GRANT SELECT ON TD_SERVER_DB.coprocessor TO { username };
GRANT INSERT ON TD_SERVER_DB.coprocessor TO { username };
GRANT EXECUTE FUNCTION ON TD_SERVER_DB.coprocessor TO { username };
GRANT CREATE SERVER ON TD_SERVER_DB TO { username };
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGEXECUTEFOREIGNQUERY TO { username };
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGINITIATOREXPORT TO { username };
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGINITIATORIMPORT TO { username };
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGREMOTEEXPORT TO { username };
GRANT EXECUTE FUNCTION ON TD_SYSFNLIB.QGREMOTEIMPORT TO { username };
GRANT CTCONTROL ON user TO proxy_user;

Viewpoint Access

We strongly recommend that Data Scientists have access to viewpoint in order to understand any bottlenecks and in general, to understand the performance characteristics of the in-vantage components they are using (including standard queries). This will help them to both use Vantage better and remove the “black-box” feeling that they often have when working with Vantage.