Thanks to all:
1. Yes Dave, I would love to see your example - no rush, just trying to find options.
2. A linked server connection seems to be more overhead as I only want to populate Teradata with AD information - the feed only has to go one way; but if a Teradata admin did try to add a user directly (to bypass AD) it would be nice if the change were detected
and deleted.
Teradata allows for LDAP and or Kerberos logins - but Teradata still needs a matching username in either case. So, if a user is provisioned in AD, it would be nice to push that into Teradata. I guess i could do a linked table in SQL, but that just adds complexity
to the solution.
If we do row level security, we also have entries in security tables for each user, and if we do Mandatory Access Control, the same username row level security is needed.
Also, Teradata has some features such as trusted sessions that allows users access via a BI Tool without having a username in Teradata. The username is granted a right to logon via a service account - but a user is not created in Teradata - this is easy
to script both to add and remove the appropriate rights.
We have our own custom solution that reads AD (via LDAP) and can then create users and make changes in Teradata, but if a customer has FIM, it would be nice to leverage it.
It seems to me the linked server option would require almost as much development as writing the ECMA - I would still have to create the rules that populate the table in MSSQL.
I appreciate all the ideas - I will have to explore them.