ABL supports a default user identity that is set when connecting to a database without providing a user ID and password. This default identity is applied in all situations where a database is connected, but the ABL startup parameters for specifying a user ID and password (-U and -P) are not used. OpenEdge tools written in ABL that prompt for a user ID and password (such as the character mode Data Dictionary or the Data Administration utility), apply the default user identity if the user cancels out of the prompt.
The user ID assigned for the default user identity depends on the domain configuration in the database. If at least one domain is enabled for run-time access that supports OpenEdge-performed user authentication, the default user identity is the blank user ID (blank user and domain name). If there is no such domain enabled, OpenEdge attempts to use the user's operating system (OS) user ID, but defaults to the blank user ID if an OS user ID cannot be resolved.
Note: OpenEdge assigns any default OS user ID the OpenEdge domain "WINDOWSID" or "UNIXID", depending on the operating system.
If the default user ID is a valid OS user ID, the database can be configured to uniquely authorize access for it like any other authenticated user identity. However, if the default user ID is the blank user ID, OpenEdge cannot distinguish this default, unauthenticated user identity from an authenticated blank user ID. As a result, it is possible for a blank user identity to access the database without authentication.
Note: The blank user ID can be defined only in the database _User table accounts.
Caution: While often helpful to developers in a development environment, if you can, avoid relying on the blank user identity for any purpose in a deployment environment.
To prevent an unauthorized user from gaining access to an OpenEdge database using the blank default identity, OpenEdge supports database and security options that limit access using the blank user ID. You can prevent a blank user ID from connecting to a database to begin with. You can also prevent a blank user ID that connects to a database from gaining access to any tables and fields in that database.
Note: These settings block connection and data access to an authenticated blank user identity as well as to the default blank user identity.
Because, a database connection can have an authenticated blank user identity, the auditing identity can also be recorded as the blank user ID, which, again, cannot be distinguished from an unauthenticated, default blank user ID. So, if your database requires auditing, Progress Software strongly recommends that you prevent all access to the blank user ID.
Note: OpenEdge prevents any SSO operation from establishing an existing default user identity in any ABL session or any other database connection.
