Use User ID (-U) together with the Password (-P) connection parameter to specify the user ID and user account password when connecting to an OpenEdge RDBMS, either at ABL application startup or when executing the ABL CONNECT statement.
1 For more information on the setting of the default user ID, see the default connection identity settings.
2 For more information on the setting of the default user ID, see the default connection identity settings.
userid
The user ID of the user. For an OpenEdge database defining only the default blank ("") domain, you can use a non-qualified user ID (user account name only). For a database defining multiple security domains, you can use a fully qualified user ID that includes both the user account name and the name of the user's security domain separated by the domain delimiter (@). Thus, the specified userid can be formatted as shown in the following table, where user-name is a non-qualified user ID and domain-name is the name of the user's domain.
This format...
Writes the...
Blank ("") user in the blank domain
@
Blank user in the blank domain
@domain-name
Blank user in the specified domain
user-name
Specified user in the blank domain
user-name@
Specified user in the blank domain
user-name@domain-name
Specified user in the specified domain
OpenEdge authenticates the user ID and password specified by the -U and -P parameters against the user account system defined by the authentication system configured for the user's security domain. OpenEdge identifies the authentication system to authenticate the user ID using the local database domain registry, regardless of any database options that you have set. If the user's domain is authentication-enabled and registered in the database domain registry, and a user account is found that matches the user ID and password, OpenEdge completes the database connection and sets it to the specified connection identity. Otherwise, the user is not allowed to connect to the database. If the database is multi-tenant, a successful connection also sets the user's tenancy (database tenant organization) as it is configured for the user's domain.
Note: To authenticate the user identity for a valid setting of this connection parameter, the code page of the authenticating user account system must match the setting of the startup parameter.
For backward compatibility, if you do not specify -U and -P for a database connection, OpenEdge connects the database using a default connection identity. OpenEdge resolves one of two possible user IDs as the default connection identity: the blank user ID or the operating system process user ID, depending on the conditions listed in the following table.
Does the database define at least one authentication-enabled domain?1
Are the -U and -P connection parameters specified?
Resulting user identity
NO
YES
Error: -U and -P not allowed unless enabled domains exist that support user authentication performed by OpenEdge.
NO
NO
Default connection identity: The operating system process user ID.2, 3
YES
NO
Default connection identity: The blank ("") user ID.4, 5
YES
YES
If the -Uuserid and -Ppassword match a user account that exists for the user's authentication system, use that identity.Otherwise, OpenEdge raises an error and access is denied.
1 A domain is authentication-enabled if: 1) it is configured with an authentication system that is enabled for OpenEdge-performed user authentication, 2) this authentication system has access to a source of valid user accounts, and 3) the domain is enabled for use in the database.
2 Any client-principal object that you return for a database connection using the ABL GET-DB-CLIENT function, and that represents a default connection identity, cannot be used to set the identity for any other database connection or ABL session. A client-principal can only be used to set the identity for additional OpenEdge resources if it represents an authenticated user identity. For more information, see the CONNECT statement entry in OpenEdge Development: ABL Reference.
3 OpenEdge sets the domain name for any default operating system user ID to "windowsid" or "unixid", depending on the operating system where the database is connected.
4 Any client-principal object that you return for a database connection using the ABL GET-DB-CLIENT function, and that represents a default connection identity, cannot be used to set the identity for any other database connection or ABL session. A client-principal can only be used to set the identity for additional OpenEdge resources if it represents an authenticated user identity. For more information, see the CONNECT statement entry in OpenEdge Development: ABL Reference.
5 The default blank user identity creates ambiguity in database authorization (table and field permissions) with any authenticated blank user account defined and enabled in the _User table accounts.
For more information on database connection identity, see the sections on connecting to a database in OpenEdge Getting Started: Identity Management.
The -U and -P parameters support a common user authentication model for connecting to a database from:
The command line used to startup an ABL application
Within a running ABL application using the CONNECT statement
The command line used to startup a database utility, such as PROUTIL (using the -userid and -password parameters)
The command line or other configuration used to startup an OpenEdge SQL (JDBC or ODBC) application
The authentication model for these connections is supported by a common security domain configuration within the OpenEdge database that you define using OpenEdge Database Administration. The requirement for all users connecting to a database, whether from an ABL application, an SQL application, or a database utility, is that their domain must be authentication-enabled (supports OpenEdge-performed user authentication). A domain enabled only for single sign-on (SSO) or for application-defined user authentication cannot authenticate a user who is connecting to a database from an ABL application, SQL application, or database utility.
In addition, if a domain is configured with an ABL authentication plugin, users cannot authenticate in this domain from an SQL application or from the startup command line of an ABL application. To connect a database with a user identity that authenticates using an ABL plugin, you must use the ABL CONNECT statement within the ABL session, or connect the database from the command line using a different identity, then use the ABL SET-DB-CLIENT function or SET-CLIENT( ) method on the SECURITY-POLICY system handle to authenticate and set the connection identity using the ABL plugin.
For more information on the CONNECT statement, see the statement entry in OpenEdge Development: ABL Reference. Note that, except for use of an ABL plugin or when otherwise noted, the features described for connecting a database using the CONNECT statement also apply to connecting a database on the startup command line for an ABL application.
For more information on using security domains and authentication systems in OpenEdge, see OpenEdge Getting Started: Identity Management. For more information on using ABL authentication plugins, see the sections on application security and authentication in OpenEdge Development: Programming Interfaces.
For more information on the features for authenticating the user of an OpenEdge SQL application connection to an OpenEdge database, see the chapters on using JDBC and ODBC clients in OpenEdge Data Management: SQL Development.
For more information on how to specify a user ID and password when connecting from a database utility, see the reference entry for the utility in OpenEdge Data Management: Database Administration.
Note: With certain DataServers, the -U and -P parameters also pass DataServer login information to the foreign (non-OpenEdge) database. For more information, see your DataServer documentation.
The command line used to startup an ABL application