Authenticating and managing user identity in ABL
OpenEdge supports two basic types of user identity in ABL:
Authenticated user identity — An identity that is authenticated against a trusted domain registry and sealed in a client-principal object, either by OpenEdge or by an ABL application. The user ID for an authenticated identity can have any valid character-string value, depending on the authentication system and OpenEdge domain, except that the account user name cannot contain the '@' character, because '@' separates the account user name from the OpenEdge domain name in a fully qualified user ID. However, an authenticated user ID can be blank (""), meaning a blank account user name and a blank OpenEdge domain name, if the authentication system supports it (as the database user list does). Once authenticated, this identity can be validated in the sealed client-principal using an SSO operation to set the identity for any ABL session or database connection that allows it.
Default user identity — Supported for backward compatibility, an identity that OpenEdge assigns to a database connection that is established without using the User ID (-U) and Password (-P) connection parameters. If an authentication-enabled domain exists in the database, OpenEdge assigns blank ("") as the default user ID; otherwise, OpenEdge assigns the user ID of the local operating system process making the database connection. You cannot invoke an SSO operation on a client-principal object created and sealed by OpenEdge for the default user identity. In other words, the default identity can only apply to the database connection on which it is established, and cannot be assigned using any subsequent identity management operation.
Note: You can configure how the database handles blank user IDs for both authentication to a database connection and authorization for table and field access. The Security menu of the Data Administration tool provides an option to disallow blank user ID access to tables and fields that ABL code accesses at both compile time and run time. This menu also provides a set of additional database options, including an option to disallow connection to the database using the blank user ID. These restrictions on use of the blank user ID apply to both the OpenEdge default and an authenticated blank user ID. For more information, see the sections on security in OpenEdge Deployment: Managing ABL Applications and the Data Administration tool online help.
For more information on OpenEdge user identity types and how OpenEdge determines the user ID for the default user identity, see OpenEdge Getting Started: Identity Management.
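The two identity types above, as an added ABL example that is not part of this documentation: an application seals an authenticated identity in a client-principal and asserts it with an SSO operation, then inspects the default identity OpenEdge assigned to a connection made without -U/-P. The domain name "appdomain", its access code, the user "alice" and the logical database name "sports2000" are constructed placeholders, and the domain type "_extsso" is assumed to be the built-in type for application-authenticated domains.

```abl
/* Added example, not from the OpenEdge documentation. Domain, access code,
   user and database name are constructed placeholders; a real deployment
   does not keep the domain access code in source. */
DEFINE VARIABLE hCP        AS HANDLE    NO-UNDO.
DEFINE VARIABLE hDefault   AS HANDLE    NO-UNDO.
DEFINE VARIABLE cAccount   AS CHARACTER NO-UNDO INITIAL "alice".          /* constructed */
DEFINE VARIABLE cDomain    AS CHARACTER NO-UNDO INITIAL "appdomain".      /* constructed */
DEFINE VARIABLE cAccessKey AS CHARACTER NO-UNDO INITIAL "PLACEHOLDER-ACCESS-CODE".

/* 1. Trusted domain registry for this session; the seal is checked against it.
      "_extsso" is assumed to be the built-in application-authenticated type. */
SECURITY-POLICY:REGISTER-DOMAIN(cDomain, cAccessKey, "_extsso", "constructed example domain").
SECURITY-POLICY:LOCK-REGISTRATION().

/* 2. The account part of a fully qualified user ID must not contain '@',
      since '@' separates account name from OpenEdge domain name. */
IF INDEX(cAccount, "@":U) > 0 THEN DO:
    MESSAGE "Rejected: account user name must not contain '@'".
    RETURN.
END.

/* 3. Authenticated identity: create, initialize and seal the client-principal
      with the domain access code. A blank user ID ("") is also permitted. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE(cAccount + "@":U + cDomain).
hCP:SEAL(cAccessKey).

/* 4. SSO operation: assert the sealed identity for this ABL session.
      SET-CLIENT fails when the seal does not validate against the registry. */
IF NOT SECURITY-POLICY:SET-CLIENT(hCP) THEN DO:
    MESSAGE "SSO rejected, LOGIN-STATE =" hCP:LOGIN-STATE.
    DELETE OBJECT hCP.
    RETURN.
END.
MESSAGE "Session identity:" hCP:QUALIFIED-USER-ID
        "account =" QUOTER(hCP:USER-ID) "domain =" QUOTER(hCP:DOMAIN-NAME)
        "state =" hCP:LOGIN-STATE.

/* 5. Default identity: a connection made without -U/-P carries a client-
      principal sealed by OpenEdge. It can be inspected, but cannot be
      reused in an SSO operation for another session or connection. */
hDefault = GET-DB-CLIENT("sports2000").   /* constructed logical DB name */
IF VALID-HANDLE(hDefault) THEN DO:
    MESSAGE "Default identity on sports2000:" QUOTER(hDefault:USER-ID)
            "(blank means blank account and blank domain)".
    DELETE OBJECT hDefault.
END.

DELETE OBJECT hCP.
```

The SSO step is what the text calls setting the identity for an ABL session; SET-DB-CLIENT(hCP, "db-name") does the same for a database connection that allows it.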
The following sections describe how to establish and manage ABL user identity for various identity applications.