This is the basic syntax, where client-principal-handle is the handle to an unsealed or sealed client-principal object and database-connection optionally identifies an established database connection:

When you provide user credentials as input to the function in an unsealed client-principal (in the INITIAL state), OpenEdge or an ABL callback authenticates the user identity for a specified existing OpenEdge database connection or for the first database connection established in the current session (if no database connection is specified). If OpenEdge or an ABL callback successfully authenticates the identity, the AVM seals the client-principal object in the LOGIN state and sets the connection to the specified identity. Sealing the object with this function also generates an auditable event to start a user login session. If no database connection is specified, it then uses the sealed client-principal in an SSO operation on each additional connected OpenEdge database to validate and (if valid) set the connection identity.

When you provide a sealed client principal (in the LOGIN state) as input to the function, OpenEdge then uses it in an SSO operation on the specified database connection, or if not specified, on every database connection in the current session to validate and (if valid) set the connection identity of the given database.

When the SET-DB-CLIENT function executes for each database connection, OpenEdge authenticates and seals the identity specified in the unsealed client-principal, or performs an SSO operation on the sealed client-principal, using either the local database domain registry for the given connection (by default) or the current session domain registry when a given database has its option set to use the application domain registry.