Validating an OpenEdge user ID and password
Depending on the application and the OpenEdge startup command, a user logging in might be prompted for a user ID and password, or might specify them using the User ID (-U) and Password (-P) startup parameters.
If you establish valid user IDs in the _User table accounts, the OpenEdge RDBMS prompts for a user ID and password at connection time. Typically, the application does this by running the login procedure. The standard startup procedure, PROSTART, automatically runs a login procedure for each connected database. If the application uses another startup procedure, the developer should run a login procedure from that procedure.
The login procedure uses the SET-DB-CLIENT function to check the user ID and password entered by the user. The procedure initializes a client-principal object with these user credentials and passes this object to the function. The user has three attempts to enter the correct user ID and password for each database. If the user fails to do so after three attempts, SET-DB-CLIENT exits the user from the database. If the user ID and password combination is valid for the database, then SET-DB-CLIENT establishes that user ID for the connection.
If the application does not run the login procedure at connection time, or if the user bypasses the login procedure (by pressing END-ERROR when prompted for the user ID and password), the database connection's user ID retains the default assigned at connection time. You can prevent users from connecting to the database with the blank user ID and accessing data by establishing compile-time and run-time security.
Caution: If a user connects to a database with the default blank user identity, the user potentially has full access to the database. You can prevent users with a blank user ID from gaining unauthorized access to an OpenEdge database in two ways: 1) setting a database option to Disallow Blank UserId Connections, in which case the User ID (-U) parameter and a non-blank user ID are required to connect to the database, or 2) setting the security option to Disallow Blank Userid Access. The first option prevents blank users from connecting to the database in certain, but not all, scenarios. The second option prevents blank users from accessing any data in the database by explicitly revoking blank user ID access to all data in the database, and provides the most comprehensive protection from unauthorized access by a blank user. Also, remember to assign non-blank user IDs to the security administrator role before restricting access for blank users.
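A login procedure following the flow described above, written to fail closed when the user presses END-ERROR or uses up three attempts. This is an added example, not the login procedure that ships with OpenEdge; it assumes _User accounts in the default (blank) domain of the first connected database, and the variable, frame and label names are illustrative.

```abl
/* Added example: fail-closed login procedure (not the shipped one).
   Assumption: _User accounts exist in the first connected database. */
DEFINE VARIABLE hCP   AS HANDLE    NO-UNDO.
DEFINE VARIABLE cUser AS CHARACTER NO-UNDO FORMAT "x(32)" LABEL "User ID".
DEFINE VARIABLE cPass AS CHARACTER NO-UNDO FORMAT "x(32)" LABEL "Password".
DEFINE VARIABLE cDb   AS CHARACTER NO-UNDO.
DEFINE VARIABLE iTry  AS INTEGER   NO-UNDO.
DEFINE VARIABLE lOk   AS LOGICAL   NO-UNDO.

cDb = LDBNAME(1).

/* END-ERROR raises ENDKEY or ERROR; both leave the loop with lOk = FALSE. */
LOGIN-LOOP:
DO iTry = 1 TO 3 ON ENDKEY UNDO, LEAVE ON ERROR UNDO, LEAVE:
    ASSIGN cPass = "" lOk = FALSE.
    UPDATE cUser cPass BLANK WITH FRAME fLogin SIDE-LABELS 1 COLUMN.

    /* Never try to authenticate a blank user ID; it still costs an attempt. */
    IF cUser = "" THEN NEXT LOGIN-LOOP.

    /* Build an unsealed client-principal carrying the entered credentials
       and let the database validate them against its _User accounts. */
    CREATE CLIENT-PRINCIPAL hCP.
    hCP:INITIALIZE(cUser, ?, ?, cPass).
    lOk = SET-DB-CLIENT(hCP, cDb) NO-ERROR.
    DELETE OBJECT hCP.

    IF lOk THEN LEAVE LOGIN-LOOP.
    MESSAGE "Invalid user ID or password.".
END.

cPass = "".

/* Fail closed: end the session if login failed, was bypassed, or the
   connection still carries the default blank user ID. */
IF NOT lOk OR USERID(cDb) = "" THEN QUIT.
```

This only closes the bypass inside the application; the Disallow Blank UserId Connections and Disallow Blank Userid Access options described in the Caution are still what protect the database from clients that never run this procedure.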
For more information about compile- and run-time security, see OpenEdge Getting Started: Identity Management, OpenEdge Development: Programming Interfaces, and OpenEdge Deployment: Managing ABL Applications.