About Dynamic Domains
Dynamic domains enable users to negotiate "direct" access to a secured data source by way of a TDV Server pass-through login. TDV does not persist the password of a dynamic user; it retains only an ephemeral encrypted copy in memory for the duration of the current user session, after which the copy is discarded. (The session timeout is configurable.)
When a user requests a view or procedure that needs data from a source with pass-through login enabled (a setting in the TDV data source configuration), the user's login and the parsed data request are forwarded directly to the secured data source. The data source's own security mechanisms then perform authentication and authorize the request. The dynamic domain thus lets the developer defer authorization and its enforcement to the data source, which is presumed to be more stringent and more tightly controlled. That presumption should be checked: pass-through relocates trust rather than adding it, so the data source must actually enforce per-user permissions for the forwarded login, because TDV is no longer the component deciding what that user may see.
Pluggable Authentication Modules (PAM) rely on dynamic domain sessions for pass-through authentication and authorization. The dynamic domain must be enabled for PAM security so that the user's dynamic session can carry the pass-through login and ephemeral objects such as Kerberos session tokens. The composite PAM wraps a Kerberos login module; on successful authentication it keeps the granted session token and presents it to data sources that are configured to accept such Kerberos tokens. See Pluggable Authentication Modules for more information.
With a dynamic domain, the TDV solution becomes more transparent to end users. They authenticate with the data source using the login they already have and receive exactly the permissions that login already holds there, without needing a separate TDV login.
Note: A dynamic session carries only one login for pass-through authentication. A federated query can still span more than one pass-through-enabled data source, provided every such source is set up to authenticate that same login; a pass-through source that does not recognize the session's login cannot be used in that query.
Dynamic domains also accommodate a potentially large user base whose accounts exist only at the data sources and therefore do not need to be provisioned in a TDV or LDAP domain.
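The following is an added illustration, not TDV code: a small Python model of the behaviour described above. It shows a session-scoped credential that is never persisted and is dropped when the configurable timeout elapses, a data source that performs its own authentication and authorization on the forwarded login, and the one-login-per-session rule for federated queries. Every class, account, table and data source name here is an invented assumption made for the example; the in-memory one-time-pad encryption stands in for whatever TDV uses internally.

```python
# Added example (not TDV code): a model of dynamic-domain pass-through sessions.
# All names, accounts and tables below are constructed for illustration.
import secrets
import time


class SessionExpired(Exception):
    """The session timeout has elapsed; the credential has been discarded."""


class PassThroughError(Exception):
    """A pass-through source rejected the session's single login."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DynamicSession:
    """Holds the pass-through credential only in memory, only for one session.

    The password is kept XOR-ed with a fresh random key of equal length (a
    one-time pad), so neither attribute alone reveals it, and both are dropped
    when the session expires or is discarded. Nothing is written to storage.
    """

    def __init__(self, user: str, password: str, timeout_s: float, now=time.monotonic):
        self.user = user
        self.timeout_s = timeout_s      # the configurable session timeout
        self._now = now                 # injectable clock, so expiry can be tested
        self.created = now()
        plain = password.encode()
        self._key = secrets.token_bytes(len(plain))
        self._ciphertext = _xor(plain, self._key)

    def expired(self) -> bool:
        return self._now() - self.created > self.timeout_s

    def discard(self) -> None:
        self._key = None
        self._ciphertext = None

    def credential(self) -> tuple:
        """Return (login, password) for pass-through, or fail if the session expired."""
        if self._ciphertext is None or self.expired():
            self.discard()
            raise SessionExpired(f"session for {self.user!r} has timed out")
        return self.user, _xor(self._ciphertext, self._key).decode()


class DataSource:
    """A backend that does its own authentication and authorization."""

    def __init__(self, name, pass_through, accounts, grants, tables, service_credential=None):
        self.name = name
        self.pass_through = pass_through
        self._accounts = accounts                  # login -> password, held at the source
        self._grants = grants                      # login -> set of readable tables
        self._tables = tables                      # table -> rows (constructed sample data)
        self.service_credential = service_credential  # used only when pass-through is off

    def fetch(self, login: str, password: str, table: str):
        if self._accounts.get(login) != password:
            raise PassThroughError(f"{self.name}: login {login!r} rejected")
        if table not in self._grants.get(login, set()):
            raise PermissionError(f"{self.name}: {login!r} may not read {table!r}")
        return list(self._tables[table])


def run_federated(session: DynamicSession, plan):
    """Execute a federated plan of (source, table) pairs.

    Every pass-through source receives the session's single login; a source
    that does not accept that login fails the whole query. Sources without
    pass-through use their configured service account instead.
    """
    results = {}
    for source, table in plan:
        if source.pass_through:
            login, password = session.credential()
        else:
            login, password = source.service_credential
        results[(source.name, table)] = source.fetch(login, password, table)
    return results


def build_demo(now=time.monotonic):
    """Constructed sample environment: one user and four hypothetical sources."""
    hr = DataSource("hr_db", True, {"alice": "s3cret"}, {"alice": {"employees"}},
                    {"employees": [("alice", "eng")], "salary": [("alice", 1)]})
    fin = DataSource("fin_db", True, {"alice": "s3cret"}, {"alice": {"ledger"}},
                     {"ledger": [("2024-01", 100)]})
    legacy = DataSource("legacy_db", True, {"alice_old": "other"}, {"alice_old": {"orders"}},
                        {"orders": [(1, "widget")]})
    ref = DataSource("ref_db", False, {"svc": "svc-pw"}, {"svc": {"countries"}},
                     {"countries": [("DE",), ("FR",)]}, service_credential=("svc", "svc-pw"))
    session = DynamicSession("alice", "s3cret", timeout_s=600, now=now)
    return session, hr, fin, legacy, ref


if __name__ == "__main__":
    session, hr, fin, legacy, ref = build_demo()
    print(run_federated(session, [(hr, "employees"), (fin, "ledger"), (ref, "countries")]))
    for bad_plan in ([(hr, "salary")], [(hr, "employees"), (legacy, "orders")]):
        try:
            run_federated(session, bad_plan)
        except (PermissionError, PassThroughError) as err:
            print("rejected by data source:", err)
```

Three points the model makes concrete: `hr_db` refuses the `salary` table even though the session is valid, because authorization is the source's decision rather than TDV's; `legacy_db` breaks the federated query because it does not recognize the one login the session carries; and once the clock passes `timeout_s`, `credential()` raises and wipes both halves of the stored secret, so nothing usable remains in the session object.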