Authentication record priority
Each authentication record has a priority. If a user is granted more than one authentication record, OpenText™ Analytics Database attempts to authenticate the user with the authentication record with the highest priority and rejects the user if authentication fails.
There are two ways to authenticate with a record other than that with the highest priority:
- Fallthrough authentication: If authentication fails, the database attempts to authenticate the client with the record with the next highest priority.
- Authentication filtering: Clients can send the credentials required for a particular authentication method to authenticate with a record that uses that method.
Determining authentication priority
The following factors contribute to an authentication record's priority, as reflected in the CLIENT_AUTH system table:
=> SELECT auth_name, auth_method, auth_priority, method_priority, address_priority FROM client_auth;
   auth_name   | auth_method | auth_priority | method_priority | address_priority
---------------+-------------+---------------+-----------------+------------------
 ldap_auth     | LDAP        |             5 |               5 |               96
 hash_auth     | HASH        |             5 |               2 |              126
 tls_auth      | TLS         |             0 |               5 |               96
 oauth_auth    | OAUTH       |             0 |               5 |               96
 gss_auth      | GSS         |             0 |               5 |               96
 trust_auth    | TRUST       |             0 |               0 |               96
 reject_auth   | REJECT      |             0 |              10 |               96
(7 rows)
Note
Greater values indicate higher priorities. For example:
- A priority of 10 is higher than a priority of 5.
- A priority of 0 is the lowest possible value.
Priorities are divided into the tiers below, listed in order of importance; in the event of a tie at one priority tier, the database checks the next priority tier. For example, if a user had both ldap and hash authentication records with an auth_priority of 5, the database would attempt to use the ldap authentication record because it has a greater method_priority value.
- auth_priority: The priority explicitly set with ALTER AUTHENTICATION (default: 0).
- method_priority: The priority specific to the authentication method. These priorities are as follows:
  - trust: 0
  - hash: 2
  - ldap: 5
  - tls: 5
  - oauth: 5
  - gss: 5
  - reject: 10
- address_priority: The priority for the IP address specified in HOST [ TLS | NO TLS ] 'host-ip-address'. This priority is determined by the size of the netmask of the address; fewer zeros indicate greater specificity, and therefore higher priority. LOCAL has the lowest priority: 0.
Setting authentication priority
To set authentication priority:
=> ALTER AUTHENTICATION authentication_name PRIORITY value;
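The tier comparison described above, worked through on this page's sample CLIENT_AUTH output, as an added example that is not part of the product documentation. The helpers parse_vsql and evaluation_order and the overrides parameter are hypothetical; overrides only models the effect of ALTER AUTHENTICATION ... PRIORITY and runs nothing against the database.

```python
# Added example: rank CLIENT_AUTH rows by the three priority tiers.
# SAMPLE is the vsql output shown on this page; function names are hypothetical.
SAMPLE = """\
   auth_name   | auth_method | auth_priority | method_priority | address_priority
---------------+-------------+---------------+-----------------+------------------
 ldap_auth     | LDAP        |             5 |               5 |               96
 hash_auth     | HASH        |             5 |               2 |              126
 tls_auth      | TLS         |             0 |               5 |               96
 oauth_auth    | OAUTH       |             0 |               5 |               96
 gss_auth      | GSS         |             0 |               5 |               96
 trust_auth    | TRUST       |             0 |               0 |               96
 reject_auth   | REJECT      |             0 |              10 |               96
(7 rows)
"""

# Tiers in order of importance; a later tier only breaks ties in earlier ones.
TIERS = ("auth_priority", "method_priority", "address_priority")


def parse_vsql(text):
    """Parse aligned vsql output into dicts, converting tier columns to int."""
    lines = [l for l in text.splitlines() if "|" in l]  # skips separator/footer
    header = [c.strip() for c in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, (c.strip() for c in line.split("|"))))
        for tier in TIERS:
            row[tier] = int(row[tier])
        rows.append(row)
    return rows


def evaluation_order(rows, granted, overrides=None):
    """Names of the granted records, highest priority first.
    overrides maps auth_name -> auth_priority (models ALTER AUTHENTICATION)."""
    overrides = overrides or {}
    mine = [dict(r, auth_priority=overrides.get(r["auth_name"], r["auth_priority"]))
            for r in rows if r["auth_name"] in granted]
    mine.sort(key=lambda r: tuple(r[t] for t in TIERS), reverse=True)
    return [r["auth_name"] for r in mine]


if __name__ == "__main__":
    rows = parse_vsql(SAMPLE)
    print(evaluation_order(rows, {"ldap_auth", "hash_auth"}))
    print(evaluation_order(rows, {"ldap_auth", "hash_auth"}, {"hash_auth": 10}))
    print(evaluation_order(rows, {"tls_auth", "trust_auth", "reject_auth"}))
    print(evaluation_order(rows, {"tls_auth", "trust_auth", "reject_auth"}, {"trust_auth": 1}))
```

The last call shows why explicit auth_priority values deserve review: because auth_priority is the first tier, a TRUST record given any value above 0 ranks ahead of a REJECT record left at the default.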